dcrat | 7328c5daf3f4f56d623ae43cf3c2653b01772bea64d8a743eab238abf44339aa

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7328c5daf3f4f56d623ae43cf3c2653b01772bea64d8a743eab238abf44339aa.exe
Size

1.3MB
MD5

e3def443a0e2166af135a5979ea11156
SHA1

07ac98f30133bcf118fa9f85be89acf9ca86b413
SHA256

7328c5daf3f4f56d623ae43cf3c2653b01772bea64d8a743eab238abf44339aa
SHA512

57d96736ed8fa4841fc9406ccda544a173239977b55a9f5a2daab93dfb5dcd980906954e49ebf83fb2c80ad180fa866af575a9d1bcfb2ea58cb22575d09e9e2d
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2816	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2816	schtasks.exe	32

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015ef6-11.dat	dcrat
behavioral1/memory/2464-13-0x0000000000280000-0x0000000000390000-memory.dmp	dcrat
behavioral1/memory/2760-136-0x00000000010A0000-0x00000000011B0000-memory.dmp	dcrat
behavioral1/memory/1168-255-0x0000000000120000-0x0000000000230000-memory.dmp	dcrat
behavioral1/memory/1728-315-0x00000000011F0000-0x0000000001300000-memory.dmp	dcrat
behavioral1/memory/772-376-0x0000000000040000-0x0000000000150000-memory.dmp	dcrat
behavioral1/memory/2456-436-0x0000000001110000-0x0000000001220000-memory.dmp	dcrat
behavioral1/memory/3028-496-0x0000000001320000-0x0000000001430000-memory.dmp	dcrat
behavioral1/memory/2780-674-0x00000000000A0000-0x00000000001B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2892	powershell.exe
3000	powershell.exe
2188	powershell.exe
2272	powershell.exe
1524	powershell.exe
2368	powershell.exe
1856	powershell.exe
1440	powershell.exe
1988	powershell.exe
292	powershell.exe
2392	powershell.exe
2364	powershell.exe
1520	powershell.exe
1548	powershell.exe
1464	powershell.exe
2376	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2464	DllCommonsvc.exe
2760	spoolsv.exe
2356	spoolsv.exe
1168	spoolsv.exe
1728	spoolsv.exe
772	spoolsv.exe
2456	spoolsv.exe
3028	spoolsv.exe
836	spoolsv.exe
1796	spoolsv.exe
2780	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
2232	cmd.exe
2232	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
31	raw.githubusercontent.com
34	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
17	raw.githubusercontent.com
20	raw.githubusercontent.com
13	raw.githubusercontent.com
27	raw.githubusercontent.com

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\en-US\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Services\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\SpeechEngines\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\fr-FR\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\en-US\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Services\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\SpeechEngines\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\fr-FR\smss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7328c5daf3f4f56d623ae43cf3c2653b01772bea64d8a743eab238abf44339aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2976	schtasks.exe
536	schtasks.exe
844	schtasks.exe
1252	schtasks.exe
2060	schtasks.exe
1956	schtasks.exe
1536	schtasks.exe
2524	schtasks.exe
2044	schtasks.exe
2728	schtasks.exe
2180	schtasks.exe
2756	schtasks.exe
1140	schtasks.exe
540	schtasks.exe
832	schtasks.exe
2592	schtasks.exe
1952	schtasks.exe
2972	schtasks.exe
2068	schtasks.exe
2572	schtasks.exe
3044	schtasks.exe
1480	schtasks.exe
1108	schtasks.exe
2400	schtasks.exe
2576	schtasks.exe
2420	schtasks.exe
2904	schtasks.exe
2072	schtasks.exe
1468	schtasks.exe
896	schtasks.exe
1244	schtasks.exe
2340	schtasks.exe
2864	schtasks.exe
1896	schtasks.exe
1112	schtasks.exe
1616	schtasks.exe
2540	schtasks.exe
1380	schtasks.exe
324	schtasks.exe
2724	schtasks.exe
2908	schtasks.exe
328	schtasks.exe
2276	schtasks.exe
2556	schtasks.exe
2700	schtasks.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2464	DllCommonsvc.exe
2464	DllCommonsvc.exe
2464	DllCommonsvc.exe
2464	DllCommonsvc.exe
2464	DllCommonsvc.exe
2464	DllCommonsvc.exe
2464	DllCommonsvc.exe
2464	DllCommonsvc.exe
2464	DllCommonsvc.exe
1440	powershell.exe
2368	powershell.exe
1548	powershell.exe
292	powershell.exe
2272	powershell.exe
1520	powershell.exe
1856	powershell.exe
1464	powershell.exe
3000	powershell.exe
1988	powershell.exe
2376	powershell.exe
2364	powershell.exe
2392	powershell.exe
1524	powershell.exe
2892	powershell.exe
2188	powershell.exe
2760	spoolsv.exe
2356	spoolsv.exe
1168	spoolsv.exe
1728	spoolsv.exe
772	spoolsv.exe
2456	spoolsv.exe
3028	spoolsv.exe
836	spoolsv.exe
1796	spoolsv.exe
2780	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2464	DllCommonsvc.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	292	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2760	spoolsv.exe
Token: SeDebugPrivilege	2356	spoolsv.exe
Token: SeDebugPrivilege	1168	spoolsv.exe
Token: SeDebugPrivilege	1728	spoolsv.exe
Token: SeDebugPrivilege	772	spoolsv.exe
Token: SeDebugPrivilege	2456	spoolsv.exe
Token: SeDebugPrivilege	3028	spoolsv.exe
Token: SeDebugPrivilege	836	spoolsv.exe
Token: SeDebugPrivilege	1796	spoolsv.exe
Token: SeDebugPrivilege	2780	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2428	1656	JaffaCakes118_7328c5daf3f4f56d623ae43cf3c2653b01772bea64d8a743eab238abf44339aa.exe	28
PID 1656 wrote to memory of 2428	1656	JaffaCakes118_7328c5daf3f4f56d623ae43cf3c2653b01772bea64d8a743eab238abf44339aa.exe	28
PID 1656 wrote to memory of 2428	1656	JaffaCakes118_7328c5daf3f4f56d623ae43cf3c2653b01772bea64d8a743eab238abf44339aa.exe	28
PID 1656 wrote to memory of 2428	1656	JaffaCakes118_7328c5daf3f4f56d623ae43cf3c2653b01772bea64d8a743eab238abf44339aa.exe	28
PID 2428 wrote to memory of 2232	2428	WScript.exe	29
PID 2428 wrote to memory of 2232	2428	WScript.exe	29
PID 2428 wrote to memory of 2232	2428	WScript.exe	29
PID 2428 wrote to memory of 2232	2428	WScript.exe	29
PID 2232 wrote to memory of 2464	2232	cmd.exe	31
PID 2232 wrote to memory of 2464	2232	cmd.exe	31
PID 2232 wrote to memory of 2464	2232	cmd.exe	31
PID 2232 wrote to memory of 2464	2232	cmd.exe	31
PID 2464 wrote to memory of 2892	2464	DllCommonsvc.exe	78
PID 2464 wrote to memory of 2892	2464	DllCommonsvc.exe	78
PID 2464 wrote to memory of 2892	2464	DllCommonsvc.exe	78
PID 2464 wrote to memory of 1856	2464	DllCommonsvc.exe	79
PID 2464 wrote to memory of 1856	2464	DllCommonsvc.exe	79
PID 2464 wrote to memory of 1856	2464	DllCommonsvc.exe	79
PID 2464 wrote to memory of 292	2464	DllCommonsvc.exe	80
PID 2464 wrote to memory of 292	2464	DllCommonsvc.exe	80
PID 2464 wrote to memory of 292	2464	DllCommonsvc.exe	80
PID 2464 wrote to memory of 1548	2464	DllCommonsvc.exe	81
PID 2464 wrote to memory of 1548	2464	DllCommonsvc.exe	81
PID 2464 wrote to memory of 1548	2464	DllCommonsvc.exe	81
PID 2464 wrote to memory of 2368	2464	DllCommonsvc.exe	83
PID 2464 wrote to memory of 2368	2464	DllCommonsvc.exe	83
PID 2464 wrote to memory of 2368	2464	DllCommonsvc.exe	83
PID 2464 wrote to memory of 3000	2464	DllCommonsvc.exe	84
PID 2464 wrote to memory of 3000	2464	DllCommonsvc.exe	84
PID 2464 wrote to memory of 3000	2464	DllCommonsvc.exe	84
PID 2464 wrote to memory of 1464	2464	DllCommonsvc.exe	85
PID 2464 wrote to memory of 1464	2464	DllCommonsvc.exe	85
PID 2464 wrote to memory of 1464	2464	DllCommonsvc.exe	85
PID 2464 wrote to memory of 2392	2464	DllCommonsvc.exe	86
PID 2464 wrote to memory of 2392	2464	DllCommonsvc.exe	86
PID 2464 wrote to memory of 2392	2464	DllCommonsvc.exe	86
PID 2464 wrote to memory of 1440	2464	DllCommonsvc.exe	87
PID 2464 wrote to memory of 1440	2464	DllCommonsvc.exe	87
PID 2464 wrote to memory of 1440	2464	DllCommonsvc.exe	87
PID 2464 wrote to memory of 2188	2464	DllCommonsvc.exe	88
PID 2464 wrote to memory of 2188	2464	DllCommonsvc.exe	88
PID 2464 wrote to memory of 2188	2464	DllCommonsvc.exe	88
PID 2464 wrote to memory of 1988	2464	DllCommonsvc.exe	89
PID 2464 wrote to memory of 1988	2464	DllCommonsvc.exe	89
PID 2464 wrote to memory of 1988	2464	DllCommonsvc.exe	89
PID 2464 wrote to memory of 2376	2464	DllCommonsvc.exe	90
PID 2464 wrote to memory of 2376	2464	DllCommonsvc.exe	90
PID 2464 wrote to memory of 2376	2464	DllCommonsvc.exe	90
PID 2464 wrote to memory of 2272	2464	DllCommonsvc.exe	91
PID 2464 wrote to memory of 2272	2464	DllCommonsvc.exe	91
PID 2464 wrote to memory of 2272	2464	DllCommonsvc.exe	91
PID 2464 wrote to memory of 2364	2464	DllCommonsvc.exe	92
PID 2464 wrote to memory of 2364	2464	DllCommonsvc.exe	92
PID 2464 wrote to memory of 2364	2464	DllCommonsvc.exe	92
PID 2464 wrote to memory of 1520	2464	DllCommonsvc.exe	93
PID 2464 wrote to memory of 1520	2464	DllCommonsvc.exe	93
PID 2464 wrote to memory of 1520	2464	DllCommonsvc.exe	93
PID 2464 wrote to memory of 1524	2464	DllCommonsvc.exe	94
PID 2464 wrote to memory of 1524	2464	DllCommonsvc.exe	94
PID 2464 wrote to memory of 1524	2464	DllCommonsvc.exe	94
PID 2464 wrote to memory of 2428	2464	DllCommonsvc.exe	103
PID 2464 wrote to memory of 2428	2464	DllCommonsvc.exe	103
PID 2464 wrote to memory of 2428	2464	DllCommonsvc.exe	103
PID 2428 wrote to memory of 2196	2428	cmd.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7328c5daf3f4f56d623ae43cf3c2653b01772bea64d8a743eab238abf44339aa.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7328c5daf3f4f56d623ae43cf3c2653b01772bea64d8a743eab238abf44339aa.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:292
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\SpeechEngines\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\fr-FR\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\es-ES\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\en-US\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Services\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p7c82gnH1p.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2428
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2196
      - C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0tZmJrpaGF.bat"
        7⤵
        
        PID:2288
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:824
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat"
        9⤵
        
        PID:1508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2000
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat"
        11⤵
        
        PID:2496
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1160
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat"
        13⤵
        
        PID:1536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1620
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Urxb3wPgb0.bat"
        15⤵
        
        PID:2292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2356
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1lJXnITmE.bat"
        17⤵
        
        PID:2796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1168
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat"
        19⤵
        
        PID:1496
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2116
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XC59y11ueh.bat"
        21⤵
        
        PID:2516
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1468
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3fa1oyizme.bat"
        23⤵
        
        PID:840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2848
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\SpeechEngines\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\SpeechEngines\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\SpeechEngines\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Music\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Music\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Music\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\fr-FR\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\en-US\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\en-US\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\en-US\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\Services\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Services\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7caf65cd3ac3458fd305c66dc5876b4

SHA1
46ccdad037c5125f956442997f748d4b2d0ed964

SHA256
050072a4cdfde9e8e9af994f57178b41fa63b333a3c275ace0233a409790f998

SHA512
a5f98849d49ab49a145aa6deb1e6f06aac33243f4082f6903ec594beecc2ec4fe556635305713192fc4ba049ae1d06230665ee668ff7064e8e9d7cc41591afe7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
88e5004a769eba8288560a8fea3d495b

SHA1
784ede7d17d787855cc9ee2f061d63fdc8de67c4

SHA256
84c067bec72c47089039a17668b65d01bf943be4d581918a7f6867b563d59ab6

SHA512
bcaf6a8eee0bc9719ceddc50232aa4407196e58c7580e1d76e58ab7b68fb8fb0b96b72510a27cd52cde759e7914131ba0665c7fa653258ddf444c8600da67c81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f94bda3447ec7fce60eaccc255765960

SHA1
d1e3c1cc338241f8f8b607c31134f912cc56e24c

SHA256
ed02e5264e73f2a98081482ffb96798c21b2857b5572dbc375451f7d2fe693b9

SHA512
ee1632b8f9b26411085af21d57d150024913a68b155444a43a2cff57c839da1c842e8c2a68d09eead8daf33a7d43027bb694e2fcdd52cffd2e0768b5531667d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
418915ac20ee400f9a32fdb85aab7e91

SHA1
06e5e9ac2a117272c8041aa178cd63d1047be7d6

SHA256
0d97d50607d7802baaf2b1de6dfa2400e8fd2f85c93bd304eb524e7a4e34532e

SHA512
239f58459114f77f918641e89d919eca7b252f85793860599ef93c0b5776927ab88f654c39bd9b9497225ef2579b758a377ec1c42a266e8d6dc850c36cee531f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b208b83337c310fdc981836724baec4

SHA1
335b2547074a67df2f5cddf340f6beba4a1403c5

SHA256
1480eadfa5f45a4e0f3950ef393002e2db2ac54bd1050e5d2968d608c55406ab

SHA512
31f7e0e0fe084e65bc23741a609da32ec020cdff7932663f9df83355c43ec59848d2cf7fcbdd4116eb676ef1232c2dfa5a98a58dee72c815892289c0f35b047e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8690c349fe4cf09c086e5ddfceb92897

SHA1
ba0fce662f48d90dce9733e3b5acc8bc1230e1ac

SHA256
abd2b357055521ca8acf43f844a6ac98653dd7a3d2da770ea33e24754528509b

SHA512
8b83b129f488bfeae2352ee1e9e3213a501bf414dc9b8f5ff49d846523d1b41c91978787b5dc3615c51ef6bad52c05c46e53fd0ced445fc984c916251267f76a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ecb66f99620caab651a04b365fc9383d

SHA1
bf21c92083543f9995fa0cbe4938ae10953512a5

SHA256
2c24914b4bb52561f326b57ea1a792f09602c8f5895270e0abbce09522159000

SHA512
e168b18043f5e7ca56ab9f4de367c1236d49d8b763306e82389ec03b69c8439c092ab0e21f0ffbff52c973f1ad02f7de756f074ffb32d5e242739808184b5629

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35590cb5500e555b40689a8f1019caa8

SHA1
672644c2071a9c27026e96b6198bd8a7fdaae048

SHA256
5bfa31d8cb37a5d17e8d3abf0c6c81a2dedb17c6499d89d4281db7e28850c180

SHA512
158e68c21cac3e48053cbb62150c699cad3685103f16335b4285d93ca9510ac3627117b356e374808551b66c1b88b09bcba8448a93f77130daa352a9a5b3a291

Download Submit
C:\Users\Admin\AppData\Local\Temp\0tZmJrpaGF.bat

Filesize
194B

MD5
ebbacef2ee4cb531a6f58cf94bcce3e2

SHA1
f98d41620d847ce264565b2dbd4eb943e28bf7a8

SHA256
23baae1a2839dbfa3a2471ddd0ffbf0edf27eaece838067319981522add9345e

SHA512
ae422beb3faf7f5314e28e7ae2bfb6384d5e98c6bd4f59885c2ab02ca8345250239a9eb6d58e74c32b8f5b4ede422f7ff969ee193c977ee10829cf88682a0cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fa1oyizme.bat

Filesize
194B

MD5
d5e16bd7410410225ebbed3431f1c146

SHA1
811ca8b9f1f2af5919612391de3d2ed6b33119fb

SHA256
c3ac54c599a800ff1f393dabc7157339c96aa2211c7d9a06964408acea23b11f

SHA512
9c688619f2cb99645449c6aa78ca07b0e5e2f423cedd9b536fc3365f943faa864e9eac8c3c5fc84f2f508069138809df1011e61fd9223ad1c3ba5d7ba6224716

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF7D8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat

Filesize
194B

MD5
e45ec6d2a10845e312af37d81d89d575

SHA1
0fe713c75be1d297f7fec78659ed847378560249

SHA256
ef4ec76b56435d9052aa6d4f953d69a72717e38b9f59720c0831359ee0387462

SHA512
6e55b758f2436f76b8183d0d95103c378f2f08509d260df4619bbe4dc830d63fd7a29000b363a6c44ec271c68d0ac97fa1d1648d10d41599dcbcc20f9192f423

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF7FB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Urxb3wPgb0.bat

Filesize
194B

MD5
06d66ef40d50f206d1acef24317b6aa8

SHA1
a41239883e768a464b4db7cf41b8ba20e7dd7156

SHA256
42d02749691a86b962ef0b6f335859fe3a777adc57c4e56cc18c2e39071d9de1

SHA512
096ded153ccbb479339bc86aac9684a3dcb8e079f2fe31bd85c904a981c8928a90f22b8b0955800667734c45abd339c90cfb02fcd4293f67b4d686e894ad8ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XC59y11ueh.bat

Filesize
194B

MD5
eb87c9ad79c019f62b20fab9629a476d

SHA1
1e8d9a08730ca2677f676b2332bbaaba050416a0

SHA256
4de1b74225e02ec3fe499b4938b4b35573a311026ef7a0b1100fa4f933aa0136

SHA512
eab755d33d9149d2865a0c6ac90f70058a7242c96dc23e9403ba30f9734cb3e2aabdd55ea55944460a32dbc1d9e6413fa802d276309de1e2612159835d878cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1lJXnITmE.bat

Filesize
194B

MD5
21d16cc592fc6289683c82b258a0d225

SHA1
a84779b2ebf8f3c104f5655368d558291b3f9cf0

SHA256
af1f2636e0357055d880dd1fc2e54e99a974f1b94d93896af327ddba26d593ff

SHA512
7f601f4c9620829b430fd2a253b1d1dc5e3920397c9b9d348ee85c4108a3e144ac1b9b9e4d604e0a757c7abf818b4758466c91a8b9164e960540bd464a92a4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat

Filesize
194B

MD5
f268efaf91c2a307dafc2f2345b55870

SHA1
3f574cd54c7e3b4d69d0610ed13a0107ca21b877

SHA256
8ac126aeadbedebc7849383badeb76946926aa997c4e7e3c092d1f4e53ad7a6d

SHA512
d50567c06ee21d9fbbb0d7fe606808556b6581c6d90b45f31f40c2cc478eb4ee71deb9850436b1474b8aa3f4fd9fcc3c6ff09d71b1aa8417a3986ade5b11d747

Download Submit
C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat

Filesize
194B

MD5
9c15bfc2efd29f561f201ae98890a5e1

SHA1
1815f07d2ec2dc4df00cc0f3106345449a03b52a

SHA256
af66eaaaad5898c0c22bd96f109a8e247b4b56eb011d6322067ba0f7a7f508a5

SHA512
fe556db6697e217a595db298a3319698ba049251147f375ca4f4c49e3151191a12b9b731a76e9fd32e50bd44422dc4755d4a5b056495deae37655f236cd40098

Download Submit
C:\Users\Admin\AppData\Local\Temp\p7c82gnH1p.bat

Filesize
194B

MD5
47c849192339e2a02b1c9a3d73eacdb2

SHA1
1edcb721144d96bf426df9eb1ac2b312ea55a14e

SHA256
c1c161ddd25def745f6a7f06cd062096aa8ac5a2154b618caf13ce2266b1677e

SHA512
b6b0d4fe58ed9965ae33ca0e17df7a9c4b74be51c23ebf16198e7875fb570c108cdcb68459fba8996cc62f632722954a32fde91c059008be3a454e3768a91a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat

Filesize
194B

MD5
3f8f60b4ee1a80a18dc337360f9f0118

SHA1
cab86cee5b4e0a79ba40af495e7f63a994389787

SHA256
ce833415dc95deb2dbfcc9db02c69306eda750136ee6bf4826b04c0e16354133

SHA512
70e226e7e5cfb96ecb1460f7bce1c7b925e1168a6bfeb7920ef293bcba35a889c581db71ab1e3e8bfc603dedeadbfca785cd2270a87e8b3f9da3d79626d4eb25

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
52cc4b00d4fc3adfa964f894ca04a4a7

SHA1
06a9cb8226283fb1a82428c02dbd75cabe92314f

SHA256
e0bf186f39f99580a03236e7e3ebc04c4e136f5b064f1eeafa4b799607d0313e

SHA512
5983320a06dc9207fa26e4a975586e4262c820914433480e8d1d3ba11eda65a00e13aa3bb4543729111e45405c869a2e63811cb5c16e80a4d9376635eeb50e17

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/772-376-0x0000000000040000-0x0000000000150000-memory.dmp

Filesize
1.1MB

Download
memory/1168-255-0x0000000000120000-0x0000000000230000-memory.dmp

Filesize
1.1MB

Download
memory/1440-70-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/1440-77-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1728-315-0x00000000011F0000-0x0000000001300000-memory.dmp

Filesize
1.1MB

Download
memory/1728-316-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/2456-436-0x0000000001110000-0x0000000001220000-memory.dmp

Filesize
1.1MB

Download
memory/2464-17-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/2464-15-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2464-16-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2464-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2464-13-0x0000000000280000-0x0000000000390000-memory.dmp

Filesize
1.1MB

Download
memory/2760-137-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2760-136-0x00000000010A0000-0x00000000011B0000-memory.dmp

Filesize
1.1MB

Download
memory/2780-674-0x00000000000A0000-0x00000000001B0000-memory.dmp

Filesize
1.1MB

Download
memory/3028-496-0x0000000001320000-0x0000000001430000-memory.dmp

Filesize
1.1MB

Download