dcrat | 5e9c1e0388f48ddd3cfb5ad2186b0a8cce076bcf5fc5c161607c67339daa8a6b

Analysis

max time kernel
141s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5e9c1e0388f48ddd3cfb5ad2186b0a8cce076bcf5fc5c161607c67339daa8a6b.exe
Size

1.3MB
MD5

e09e5ed218d422495447ea4769ea219f
SHA1

9b4f67ac07f54669bfe2072094013cad7783e1ae
SHA256

5e9c1e0388f48ddd3cfb5ad2186b0a8cce076bcf5fc5c161607c67339daa8a6b
SHA512

fff49f033a7974f8326cb462fc114a74f05c1c9fe0287b0cbcba4509e77ebd4913f84b8c537004c15f02da545c1d3aaf6111263f2a4f576dbd6e943f5ae2ef1e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	1484	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	1484	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000019465-10.dat	dcrat
behavioral1/memory/2124-13-0x00000000002B0000-0x00000000003C0000-memory.dmp	dcrat
behavioral1/memory/1072-147-0x0000000000330000-0x0000000000440000-memory.dmp	dcrat
behavioral1/memory/2840-206-0x0000000000850000-0x0000000000960000-memory.dmp	dcrat
behavioral1/memory/2716-266-0x0000000000EA0000-0x0000000000FB0000-memory.dmp	dcrat
behavioral1/memory/2148-326-0x00000000002A0000-0x00000000003B0000-memory.dmp	dcrat
behavioral1/memory/1688-386-0x0000000000830000-0x0000000000940000-memory.dmp	dcrat
behavioral1/memory/2444-446-0x00000000002D0000-0x00000000003E0000-memory.dmp	dcrat
behavioral1/memory/1868-508-0x0000000000D80000-0x0000000000E90000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2596	powershell.exe
2860	powershell.exe
2088	powershell.exe
1936	powershell.exe
2748	powershell.exe
2780	powershell.exe
3040	powershell.exe
2500	powershell.exe
1648	powershell.exe
2592	powershell.exe
1716	powershell.exe
2512	powershell.exe
1372	powershell.exe
860	powershell.exe
2548	powershell.exe
2116	powershell.exe
2232	powershell.exe
1784	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2124	DllCommonsvc.exe
1072	lsm.exe
2840	lsm.exe
2716	lsm.exe
2148	lsm.exe
1688	lsm.exe
2444	lsm.exe
1920	lsm.exe
1868	lsm.exe
2700	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
2216	cmd.exe
2216	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
25	raw.githubusercontent.com
29	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
18	raw.githubusercontent.com
22	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\it-IT\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\fr-FR\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\fr-FR\cc11b995f2a76d	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5e9c1e0388f48ddd3cfb5ad2186b0a8cce076bcf5fc5c161607c67339daa8a6b.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2304	schtasks.exe
2916	schtasks.exe
2812	schtasks.exe
352	schtasks.exe
3052	schtasks.exe
2172	schtasks.exe
2400	schtasks.exe
2540	schtasks.exe
2136	schtasks.exe
2120	schtasks.exe
1208	schtasks.exe
2956	schtasks.exe
2816	schtasks.exe
1656	schtasks.exe
576	schtasks.exe
2460	schtasks.exe
2628	schtasks.exe
2588	schtasks.exe
1988	schtasks.exe
2980	schtasks.exe
2332	schtasks.exe
2568	schtasks.exe
1288	schtasks.exe
1684	schtasks.exe
336	schtasks.exe
1592	schtasks.exe
2608	schtasks.exe
2704	schtasks.exe
2268	schtasks.exe
2028	schtasks.exe
740	schtasks.exe
1792	schtasks.exe
1008	schtasks.exe
2752	schtasks.exe
2976	schtasks.exe
1972	schtasks.exe
3016	schtasks.exe
2680	schtasks.exe
1480	schtasks.exe
2644	schtasks.exe
1528	schtasks.exe
1624	schtasks.exe
328	schtasks.exe
1796	schtasks.exe
2804	schtasks.exe
872	schtasks.exe
2784	schtasks.exe
2936	schtasks.exe
1152	schtasks.exe
904	schtasks.exe
2564	schtasks.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2124	DllCommonsvc.exe
2124	DllCommonsvc.exe
2124	DllCommonsvc.exe
2124	DllCommonsvc.exe
2124	DllCommonsvc.exe
2124	DllCommonsvc.exe
2124	DllCommonsvc.exe
2124	DllCommonsvc.exe
2124	DllCommonsvc.exe
1784	powershell.exe
1716	powershell.exe
2512	powershell.exe
1648	powershell.exe
2780	powershell.exe
1372	powershell.exe
860	powershell.exe
2548	powershell.exe
2116	powershell.exe
2088	powershell.exe
2596	powershell.exe
2592	powershell.exe
2860	powershell.exe
2500	powershell.exe
3040	powershell.exe
1936	powershell.exe
2232	powershell.exe
2748	powershell.exe
1072	lsm.exe
2840	lsm.exe
2716	lsm.exe
2148	lsm.exe
1688	lsm.exe
2444	lsm.exe
1868	lsm.exe
2700	lsm.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	DllCommonsvc.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	1072	lsm.exe
Token: SeDebugPrivilege	2840	lsm.exe
Token: SeDebugPrivilege	2716	lsm.exe
Token: SeDebugPrivilege	2148	lsm.exe
Token: SeDebugPrivilege	1688	lsm.exe
Token: SeDebugPrivilege	2444	lsm.exe
Token: SeDebugPrivilege	1868	lsm.exe
Token: SeDebugPrivilege	2700	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2060	2088	JaffaCakes118_5e9c1e0388f48ddd3cfb5ad2186b0a8cce076bcf5fc5c161607c67339daa8a6b.exe	30
PID 2088 wrote to memory of 2060	2088	JaffaCakes118_5e9c1e0388f48ddd3cfb5ad2186b0a8cce076bcf5fc5c161607c67339daa8a6b.exe	30
PID 2088 wrote to memory of 2060	2088	JaffaCakes118_5e9c1e0388f48ddd3cfb5ad2186b0a8cce076bcf5fc5c161607c67339daa8a6b.exe	30
PID 2088 wrote to memory of 2060	2088	JaffaCakes118_5e9c1e0388f48ddd3cfb5ad2186b0a8cce076bcf5fc5c161607c67339daa8a6b.exe	30
PID 2060 wrote to memory of 2216	2060	WScript.exe	32
PID 2060 wrote to memory of 2216	2060	WScript.exe	32
PID 2060 wrote to memory of 2216	2060	WScript.exe	32
PID 2060 wrote to memory of 2216	2060	WScript.exe	32
PID 2216 wrote to memory of 2124	2216	cmd.exe	34
PID 2216 wrote to memory of 2124	2216	cmd.exe	34
PID 2216 wrote to memory of 2124	2216	cmd.exe	34
PID 2216 wrote to memory of 2124	2216	cmd.exe	34
PID 2124 wrote to memory of 1372	2124	DllCommonsvc.exe	87
PID 2124 wrote to memory of 1372	2124	DllCommonsvc.exe	87
PID 2124 wrote to memory of 1372	2124	DllCommonsvc.exe	87
PID 2124 wrote to memory of 1784	2124	DllCommonsvc.exe	88
PID 2124 wrote to memory of 1784	2124	DllCommonsvc.exe	88
PID 2124 wrote to memory of 1784	2124	DllCommonsvc.exe	88
PID 2124 wrote to memory of 2512	2124	DllCommonsvc.exe	89
PID 2124 wrote to memory of 2512	2124	DllCommonsvc.exe	89
PID 2124 wrote to memory of 2512	2124	DllCommonsvc.exe	89
PID 2124 wrote to memory of 1936	2124	DllCommonsvc.exe	91
PID 2124 wrote to memory of 1936	2124	DllCommonsvc.exe	91
PID 2124 wrote to memory of 1936	2124	DllCommonsvc.exe	91
PID 2124 wrote to memory of 2500	2124	DllCommonsvc.exe	92
PID 2124 wrote to memory of 2500	2124	DllCommonsvc.exe	92
PID 2124 wrote to memory of 2500	2124	DllCommonsvc.exe	92
PID 2124 wrote to memory of 1716	2124	DllCommonsvc.exe	94
PID 2124 wrote to memory of 1716	2124	DllCommonsvc.exe	94
PID 2124 wrote to memory of 1716	2124	DllCommonsvc.exe	94
PID 2124 wrote to memory of 2088	2124	DllCommonsvc.exe	95
PID 2124 wrote to memory of 2088	2124	DllCommonsvc.exe	95
PID 2124 wrote to memory of 2088	2124	DllCommonsvc.exe	95
PID 2124 wrote to memory of 860	2124	DllCommonsvc.exe	97
PID 2124 wrote to memory of 860	2124	DllCommonsvc.exe	97
PID 2124 wrote to memory of 860	2124	DllCommonsvc.exe	97
PID 2124 wrote to memory of 3040	2124	DllCommonsvc.exe	98
PID 2124 wrote to memory of 3040	2124	DllCommonsvc.exe	98
PID 2124 wrote to memory of 3040	2124	DllCommonsvc.exe	98
PID 2124 wrote to memory of 2548	2124	DllCommonsvc.exe	99
PID 2124 wrote to memory of 2548	2124	DllCommonsvc.exe	99
PID 2124 wrote to memory of 2548	2124	DllCommonsvc.exe	99
PID 2124 wrote to memory of 2116	2124	DllCommonsvc.exe	100
PID 2124 wrote to memory of 2116	2124	DllCommonsvc.exe	100
PID 2124 wrote to memory of 2116	2124	DllCommonsvc.exe	100
PID 2124 wrote to memory of 1648	2124	DllCommonsvc.exe	101
PID 2124 wrote to memory of 1648	2124	DllCommonsvc.exe	101
PID 2124 wrote to memory of 1648	2124	DllCommonsvc.exe	101
PID 2124 wrote to memory of 2232	2124	DllCommonsvc.exe	102
PID 2124 wrote to memory of 2232	2124	DllCommonsvc.exe	102
PID 2124 wrote to memory of 2232	2124	DllCommonsvc.exe	102
PID 2124 wrote to memory of 2860	2124	DllCommonsvc.exe	107
PID 2124 wrote to memory of 2860	2124	DllCommonsvc.exe	107
PID 2124 wrote to memory of 2860	2124	DllCommonsvc.exe	107
PID 2124 wrote to memory of 2592	2124	DllCommonsvc.exe	108
PID 2124 wrote to memory of 2592	2124	DllCommonsvc.exe	108
PID 2124 wrote to memory of 2592	2124	DllCommonsvc.exe	108
PID 2124 wrote to memory of 2780	2124	DllCommonsvc.exe	109
PID 2124 wrote to memory of 2780	2124	DllCommonsvc.exe	109
PID 2124 wrote to memory of 2780	2124	DllCommonsvc.exe	109
PID 2124 wrote to memory of 2748	2124	DllCommonsvc.exe	110
PID 2124 wrote to memory of 2748	2124	DllCommonsvc.exe	110
PID 2124 wrote to memory of 2748	2124	DllCommonsvc.exe	110
PID 2124 wrote to memory of 2596	2124	DllCommonsvc.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e9c1e0388f48ddd3cfb5ad2186b0a8cce076bcf5fc5c161607c67339daa8a6b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e9c1e0388f48ddd3cfb5ad2186b0a8cce076bcf5fc5c161607c67339daa8a6b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\it-IT\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Links\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\fr-FR\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Updater6\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqUG6LKL2X.bat"
        5⤵
        
        PID:2348
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:328
      - C:\Users\Admin\Music\lsm.exe
        
        "C:\Users\Admin\Music\lsm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uGRILFBWR.bat"
        7⤵
        
        PID:1716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:640
        
        C:\Users\Admin\Music\lsm.exe
        
        "C:\Users\Admin\Music\lsm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat"
        9⤵
        
        PID:2088
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2316
        
        C:\Users\Admin\Music\lsm.exe
        
        "C:\Users\Admin\Music\lsm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GUMorhJGzB.bat"
        11⤵
        
        PID:3028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2208
        
        C:\Users\Admin\Music\lsm.exe
        
        "C:\Users\Admin\Music\lsm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ctDgUbHuaY.bat"
        13⤵
        
        PID:1696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3024
        
        C:\Users\Admin\Music\lsm.exe
        
        "C:\Users\Admin\Music\lsm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EVfp7xrD4G.bat"
        15⤵
        
        PID:1444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2668
        
        C:\Users\Admin\Music\lsm.exe
        
        "C:\Users\Admin\Music\lsm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat"
        17⤵
        
        PID:3008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2452
        
        C:\Users\Admin\Music\lsm.exe
        
        "C:\Users\Admin\Music\lsm.exe"
        18⤵
        Executes dropped EXE
        
        PID:1920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat"
        19⤵
        
        PID:916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1732
        
        C:\Users\Admin\Music\lsm.exe
        
        "C:\Users\Admin\Music\lsm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SpZgFYZT4y.bat"
        21⤵
        
        PID:2336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2720
        
        C:\Users\Admin\Music\lsm.exe
        
        "C:\Users\Admin\Music\lsm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Links\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\Links\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Links\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Music\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\Music\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Music\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\fr-FR\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Updater6\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Adobe\Updater6\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10fd0d97e6efc3f453e3ebfddd51edfe

SHA1
eb970c9d5182d21a7e47ce42e84d8f27589e4b78

SHA256
ebf43ecab29eee87e208a6ebe554c0b8e03e3827aa872aae0935d99f3841dd84

SHA512
fca6a0993568729ce3b9c9e955c0ec449df5ed0eb3aa722700384547881a64492400c07f1fefb2b848c88c1f04bacfd0f3018c977a207840f410bc22975eae0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94f0e04995b4ad7ccdce7818d9fad757

SHA1
095f87113ebea03e4dcbc95631e439d6f4de8746

SHA256
2c4fdff092e1a234e9791758c4a15ecb1349d9a780be45b3db98b15d84d0ad78

SHA512
bdfb05005fd7a8c9ada359b20076a31f564b8127abae74260ba1f433efae38d7e7e9bebe90b2d46c06e2703140c7cc4d22d243a5da843790248ef6016bfb4588

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15d940e0853b54a5e4895459c0f047da

SHA1
a22095b3ed827e4cf0b3cc9cde7edd941c2da46b

SHA256
843f9217d37929177f8d529355fdebc5aa7d7bba0f749834f59432f82ad83248

SHA512
a143ad1c2b20dd0178c61de37d545a78a2ce65fc24b7099a1012095d948f7e137d2cefe78c3a4cd7dbb0c558be80e597bef7df20d29ca5597916c7a7365e6e1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ef31ea2858438b02c814e453ea0b1c7

SHA1
4693336d8faba8ac4ab5307dfb453bda62b0b0f1

SHA256
0e91a509d42ea362c3e422e6e9e4941800659462812217135e77ace316a4deb5

SHA512
b0e4878aa845f202d556aea001df4cd21663c71d18449b9ab63c5f40cf971413a43dbfc0113b6f4299ec7c7744ce92b5883603c8741b58f1268934539bbd6a5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ddd16bc45032ab31db3c5148d7b0b7ca

SHA1
8440522179a8031513451e9152421af22a2aa288

SHA256
2736a4bf975b2a74314bf8f244f8e7799c359779f76f101e25747dd4023c6a09

SHA512
def71a60d64b412098ed52d16448c5051d5570ed6e674d4dc8e1dc553e3b662c5d162cf9eb8502d82c70ea29153ff572e6b2ebf52ec49c4ce31df3b67059410d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65f74786abf1400b988fe1d84dbaf192

SHA1
5982ecf57c4cd27a9c5b2de9a73602d1567abd7c

SHA256
fa110c844ccadd0c4fc899d6cc82f9426e215f5a61947af90d9931d561627ca5

SHA512
464b8da96dccbb352e6140343ea3aaa6cb4f6d26d47180f53e42bd91e5705481feee2673083ceff1a074f1f2ebb3b25c0f8f1dc306dc8bb0fbc903ffc56580ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\6uGRILFBWR.bat

Filesize
193B

MD5
361f648bfe3ef8daaba24ea7b61106f1

SHA1
3afc6ded9cafe9e13e3c2fcc9870f9800bb4a566

SHA256
e5e7091fbe6fff2f2e33cf94a61a7bddcf524ea320d9cddcca89467b5d0d5ffe

SHA512
80decb8526024a77294242d1388738ee5a8e632c09c3657d17db7a325fc773b4858f5289834aad61d24c17e2ab795bf9c2bb332de720902e4cba7e2c421b6fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2B37.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EVfp7xrD4G.bat

Filesize
193B

MD5
b404bd4ad6c149e3c13ebb33b9dfca49

SHA1
6b3c5a3c7b39d389a84a0a3545dab40f201452a4

SHA256
715adf530687547d1b78be8ff2a938d5105eb8308b65cfa8a6c0fd145975ee03

SHA512
1fef64deeb2912a0abe4732c6cae14d61fc1715221250255ff97bd9ee0edd90cc43fd03f5a90830e78998ab0cdb7747dc3ab0310bdb68d7b1e879fcc78c6ad85

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMorhJGzB.bat

Filesize
193B

MD5
55e1877eccde3237bcdb8dc282a2239a

SHA1
8c84dd9c39d3c9f80a5ad5d79650ff017355a38b

SHA256
dbaccd7ef2776cf3ed572e7f92bfa026b61479e11aa20d934a67219a5a25f0c9

SHA512
22d5c164e09635e4430b92ece79808fa9465020603cb4a71225be57f3a59bdfd2a250dcde98818e22877afa88309ccc32a1a5add6d836f8c513701b6290f3297

Download Submit
C:\Users\Admin\AppData\Local\Temp\SpZgFYZT4y.bat

Filesize
193B

MD5
55304e315541ab06c5bf0051df2781cb

SHA1
7dafe323abc6c4f21cafe081f8dd134cad6f10b9

SHA256
71b2a6ab004afc63c3cff34797a6ab210e0cc2ae18c2ba2b08c85d8b6b0557c6

SHA512
a9d07238e9197f513f5b5926e85bb76821bf25ea65450ebf59176adc9269643a56c7236be8ba23bf2b8275a0e7efc1ce14d5c8f5d49d1681930f4142bdb1a421

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2B59.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctDgUbHuaY.bat

Filesize
193B

MD5
e5957fdf789d7587e35f0d063a602683

SHA1
c2596833aaa03d88f67be273922876d302da6632

SHA256
54d25d0f93738a9a607d8558bc2f1768bfcb1195bf7ac035f6768f96503f61c7

SHA512
cb5ec50c6aa1ab4905632e95b9e2c82da04b5b6901593e1133598544d5e6abe8b5681e2a0d80b31bfb9e88ec322dbaba583ed6c1314d2ac5065430ca0da85794

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat

Filesize
193B

MD5
2796dc19c0cda1b8ae4619c17a301064

SHA1
97ea771a5e67bf58a3e765a9ce0ba0b1cfd4544d

SHA256
f0633fefc6800927a44093872d734e94ccb7af4dec9d672ea197bd4f4a57a8d7

SHA512
a41fef7354e8b8f6d63994d52de668853b17f287437dada287453e8848ccb125f505eea7a6f5ec96e826abf1b7b13175b352530a11b923974a47a15533fe5137

Download Submit
C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat

Filesize
193B

MD5
739f876994a6e6af270c7740bdddbced

SHA1
455cb41508c07f878ae7442a32d4b80c8cbd884b

SHA256
e8e6315eefe0a42ce701ee682bc5a8467f8078853287878bde953fa78f6f9dd0

SHA512
ab6e6962fe7085ad7c528ed64bc63effbb3a8a4337a7cc3aee8f1755e9d0fec667c19b3efb8c891d907064166f63e28b99e61fad827d373e0a0b780931307985

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqUG6LKL2X.bat

Filesize
193B

MD5
5545a8ed12eeee34bc9d16b00388231b

SHA1
76e958a28fd87dd4b2cf1b657fa6c8269da4018c

SHA256
a02c99e4c2ab7363067d445b9be5ecd4f3a12135954217ad506b18d8bec1b332

SHA512
783a2f06518e7da008fe9617c54d4869f59dd78c2603cbcc471877b18ea94751d4610ee9be1aeea27e2f162d8f8269266b07cc240099a417e5f0024df628d8b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5757a202cb7bd399882327400b134191

SHA1
23b5361c38e95b9ec13a7cd81f00e775cfc5ea33

SHA256
da4a2bd0d4b3832e6272571f2484223ba8a28220469a52dbd22e9616fd0b0138

SHA512
b17d1e56f3caf3d7bae704d906ba4ec0d97f4d99cd84f573cb948ec45e77e76401faede30bf6fafcdc571c822bcbbb0e678e1daf7c1ced9be345a1c866864917

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1072-147-0x0000000000330000-0x0000000000440000-memory.dmp

Filesize
1.1MB

Download
memory/1688-386-0x0000000000830000-0x0000000000940000-memory.dmp

Filesize
1.1MB

Download
memory/1716-95-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/1868-509-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/1868-508-0x0000000000D80000-0x0000000000E90000-memory.dmp

Filesize
1.1MB

Download
memory/2124-14-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2124-16-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2124-15-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2124-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2124-13-0x00000000002B0000-0x00000000003C0000-memory.dmp

Filesize
1.1MB

Download
memory/2148-326-0x00000000002A0000-0x00000000003B0000-memory.dmp

Filesize
1.1MB

Download
memory/2444-446-0x00000000002D0000-0x00000000003E0000-memory.dmp

Filesize
1.1MB

Download
memory/2444-447-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2512-101-0x0000000002330000-0x0000000002338000-memory.dmp

Filesize
32KB

Download
memory/2716-266-0x0000000000EA0000-0x0000000000FB0000-memory.dmp

Filesize
1.1MB

Download
memory/2840-206-0x0000000000850000-0x0000000000960000-memory.dmp

Filesize
1.1MB

Download