dcrat | 6304f1481a816b4bdfbe7f9cad6d643f7400ae32fccc1b0e7106547b5ac49350

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6304f1481a816b4bdfbe7f9cad6d643f7400ae32fccc1b0e7106547b5ac49350.exe
Size

1.3MB
MD5

c5976e58fcc713b9711912ce36de6054
SHA1

f7694e75024ff9e23a33f172d071fceb1d60c8da
SHA256

6304f1481a816b4bdfbe7f9cad6d643f7400ae32fccc1b0e7106547b5ac49350
SHA512

36a2e8804101c31c786b0bdf650f1a6c071efaddd4954cc929c9156370f9d8c988614e984feab5f8c904e106030407f458068c9261c7dd6ec07223c3474f879c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2332	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2332	schtasks.exe	35

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d58-10.dat	dcrat
behavioral1/memory/2744-13-0x0000000001200000-0x0000000001310000-memory.dmp	dcrat
behavioral1/memory/2992-52-0x0000000000A20000-0x0000000000B30000-memory.dmp	dcrat
behavioral1/memory/2992-366-0x00000000001F0000-0x0000000000300000-memory.dmp	dcrat
behavioral1/memory/2364-426-0x0000000000C90000-0x0000000000DA0000-memory.dmp	dcrat
behavioral1/memory/1908-486-0x0000000000230000-0x0000000000340000-memory.dmp	dcrat
behavioral1/memory/2344-546-0x0000000000DF0000-0x0000000000F00000-memory.dmp	dcrat
behavioral1/memory/1656-607-0x0000000000EE0000-0x0000000000FF0000-memory.dmp	dcrat
behavioral1/memory/556-727-0x00000000000E0000-0x00000000001F0000-memory.dmp	dcrat
behavioral1/memory/2424-787-0x0000000000CA0000-0x0000000000DB0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2356	powershell.exe
2436	powershell.exe
1748	powershell.exe
2392	powershell.exe
2948	powershell.exe
1052	powershell.exe
2124	powershell.exe
888	powershell.exe
1056	powershell.exe
2540	powershell.exe
2412	powershell.exe
1792	powershell.exe
1672	powershell.exe
2420	powershell.exe
1556	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2744	DllCommonsvc.exe
2992	dwm.exe
2660	dwm.exe
1736	dwm.exe
2900	dwm.exe
2992	dwm.exe
2364	dwm.exe
1908	dwm.exe
2344	dwm.exe
1656	dwm.exe
1584	dwm.exe
556	dwm.exe
2424	dwm.exe

Loads dropped DLL 2 IoCs

pid	Process
2696	cmd.exe
2696	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
31	raw.githubusercontent.com
34	raw.githubusercontent.com
38	raw.githubusercontent.com
41	raw.githubusercontent.com
4	raw.githubusercontent.com
27	raw.githubusercontent.com
13	raw.githubusercontent.com
17	raw.githubusercontent.com
20	raw.githubusercontent.com
24	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\en-US\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\de-DE\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\it-IT\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\it-IT\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\de-DE\42af1c969fbb7b	DllCommonsvc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\CSC\v2.0.6\WMIADAP.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6304f1481a816b4bdfbe7f9cad6d643f7400ae32fccc1b0e7106547b5ac49350.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2740	schtasks.exe
1664	schtasks.exe
2920	schtasks.exe
864	schtasks.exe
3032	schtasks.exe
1808	schtasks.exe
2072	schtasks.exe
1092	schtasks.exe
2604	schtasks.exe
740	schtasks.exe
1864	schtasks.exe
384	schtasks.exe
1148	schtasks.exe
2264	schtasks.exe
2108	schtasks.exe
2456	schtasks.exe
1948	schtasks.exe
2068	schtasks.exe
2172	schtasks.exe
2628	schtasks.exe
1404	schtasks.exe
780	schtasks.exe
1636	schtasks.exe
1356	schtasks.exe
1244	schtasks.exe
1992	schtasks.exe
2636	schtasks.exe
2296	schtasks.exe
1612	schtasks.exe
3048	schtasks.exe
1528	schtasks.exe
896	schtasks.exe
1472	schtasks.exe
1708	schtasks.exe
2524	schtasks.exe
2268	schtasks.exe
1736	schtasks.exe
2788	schtasks.exe
2480	schtasks.exe
2472	schtasks.exe
1696	schtasks.exe
1940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2744	DllCommonsvc.exe
1748	powershell.exe
2392	powershell.exe
2436	powershell.exe
2540	powershell.exe
888	powershell.exe
2992	dwm.exe
1672	powershell.exe
1056	powershell.exe
1052	powershell.exe
1556	powershell.exe
2124	powershell.exe
2412	powershell.exe
1792	powershell.exe
2420	powershell.exe
2948	powershell.exe
2356	powershell.exe
2660	dwm.exe
1736	dwm.exe
2900	dwm.exe
2992	dwm.exe
2364	dwm.exe
1908	dwm.exe
2344	dwm.exe
1656	dwm.exe
1584	dwm.exe
556	dwm.exe
2424	dwm.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	DllCommonsvc.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	2992	dwm.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	2660	dwm.exe
Token: SeDebugPrivilege	1736	dwm.exe
Token: SeDebugPrivilege	2900	dwm.exe
Token: SeDebugPrivilege	2992	dwm.exe
Token: SeDebugPrivilege	2364	dwm.exe
Token: SeDebugPrivilege	1908	dwm.exe
Token: SeDebugPrivilege	2344	dwm.exe
Token: SeDebugPrivilege	1656	dwm.exe
Token: SeDebugPrivilege	1584	dwm.exe
Token: SeDebugPrivilege	556	dwm.exe
Token: SeDebugPrivilege	2424	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 2380	1480	JaffaCakes118_6304f1481a816b4bdfbe7f9cad6d643f7400ae32fccc1b0e7106547b5ac49350.exe	30
PID 1480 wrote to memory of 2380	1480	JaffaCakes118_6304f1481a816b4bdfbe7f9cad6d643f7400ae32fccc1b0e7106547b5ac49350.exe	30
PID 1480 wrote to memory of 2380	1480	JaffaCakes118_6304f1481a816b4bdfbe7f9cad6d643f7400ae32fccc1b0e7106547b5ac49350.exe	30
PID 1480 wrote to memory of 2380	1480	JaffaCakes118_6304f1481a816b4bdfbe7f9cad6d643f7400ae32fccc1b0e7106547b5ac49350.exe	30
PID 2380 wrote to memory of 2696	2380	WScript.exe	32
PID 2380 wrote to memory of 2696	2380	WScript.exe	32
PID 2380 wrote to memory of 2696	2380	WScript.exe	32
PID 2380 wrote to memory of 2696	2380	WScript.exe	32
PID 2696 wrote to memory of 2744	2696	cmd.exe	34
PID 2696 wrote to memory of 2744	2696	cmd.exe	34
PID 2696 wrote to memory of 2744	2696	cmd.exe	34
PID 2696 wrote to memory of 2744	2696	cmd.exe	34
PID 2744 wrote to memory of 2540	2744	DllCommonsvc.exe	78
PID 2744 wrote to memory of 2540	2744	DllCommonsvc.exe	78
PID 2744 wrote to memory of 2540	2744	DllCommonsvc.exe	78
PID 2744 wrote to memory of 2392	2744	DllCommonsvc.exe	79
PID 2744 wrote to memory of 2392	2744	DllCommonsvc.exe	79
PID 2744 wrote to memory of 2392	2744	DllCommonsvc.exe	79
PID 2744 wrote to memory of 1556	2744	DllCommonsvc.exe	80
PID 2744 wrote to memory of 1556	2744	DllCommonsvc.exe	80
PID 2744 wrote to memory of 1556	2744	DllCommonsvc.exe	80
PID 2744 wrote to memory of 2420	2744	DllCommonsvc.exe	81
PID 2744 wrote to memory of 2420	2744	DllCommonsvc.exe	81
PID 2744 wrote to memory of 2420	2744	DllCommonsvc.exe	81
PID 2744 wrote to memory of 1748	2744	DllCommonsvc.exe	82
PID 2744 wrote to memory of 1748	2744	DllCommonsvc.exe	82
PID 2744 wrote to memory of 1748	2744	DllCommonsvc.exe	82
PID 2744 wrote to memory of 2436	2744	DllCommonsvc.exe	83
PID 2744 wrote to memory of 2436	2744	DllCommonsvc.exe	83
PID 2744 wrote to memory of 2436	2744	DllCommonsvc.exe	83
PID 2744 wrote to memory of 1792	2744	DllCommonsvc.exe	84
PID 2744 wrote to memory of 1792	2744	DllCommonsvc.exe	84
PID 2744 wrote to memory of 1792	2744	DllCommonsvc.exe	84
PID 2744 wrote to memory of 2356	2744	DllCommonsvc.exe	85
PID 2744 wrote to memory of 2356	2744	DllCommonsvc.exe	85
PID 2744 wrote to memory of 2356	2744	DllCommonsvc.exe	85
PID 2744 wrote to memory of 1672	2744	DllCommonsvc.exe	86
PID 2744 wrote to memory of 1672	2744	DllCommonsvc.exe	86
PID 2744 wrote to memory of 1672	2744	DllCommonsvc.exe	86
PID 2744 wrote to memory of 2124	2744	DllCommonsvc.exe	87
PID 2744 wrote to memory of 2124	2744	DllCommonsvc.exe	87
PID 2744 wrote to memory of 2124	2744	DllCommonsvc.exe	87
PID 2744 wrote to memory of 1052	2744	DllCommonsvc.exe	88
PID 2744 wrote to memory of 1052	2744	DllCommonsvc.exe	88
PID 2744 wrote to memory of 1052	2744	DllCommonsvc.exe	88
PID 2744 wrote to memory of 2412	2744	DllCommonsvc.exe	89
PID 2744 wrote to memory of 2412	2744	DllCommonsvc.exe	89
PID 2744 wrote to memory of 2412	2744	DllCommonsvc.exe	89
PID 2744 wrote to memory of 1056	2744	DllCommonsvc.exe	90
PID 2744 wrote to memory of 1056	2744	DllCommonsvc.exe	90
PID 2744 wrote to memory of 1056	2744	DllCommonsvc.exe	90
PID 2744 wrote to memory of 888	2744	DllCommonsvc.exe	91
PID 2744 wrote to memory of 888	2744	DllCommonsvc.exe	91
PID 2744 wrote to memory of 888	2744	DllCommonsvc.exe	91
PID 2744 wrote to memory of 2948	2744	DllCommonsvc.exe	92
PID 2744 wrote to memory of 2948	2744	DllCommonsvc.exe	92
PID 2744 wrote to memory of 2948	2744	DllCommonsvc.exe	92
PID 2744 wrote to memory of 2992	2744	DllCommonsvc.exe	101
PID 2744 wrote to memory of 2992	2744	DllCommonsvc.exe	101
PID 2744 wrote to memory of 2992	2744	DllCommonsvc.exe	101
PID 2992 wrote to memory of 1148	2992	dwm.exe	109
PID 2992 wrote to memory of 1148	2992	dwm.exe	109
PID 2992 wrote to memory of 1148	2992	dwm.exe	109
PID 1148 wrote to memory of 3032	1148	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6304f1481a816b4bdfbe7f9cad6d643f7400ae32fccc1b0e7106547b5ac49350.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6304f1481a816b4bdfbe7f9cad6d643f7400ae32fccc1b0e7106547b5ac49350.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\de-DE\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\it-IT\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\en-US\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\fr-FR\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
    - - C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2992
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\04VLARgLyy.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3032
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat"
        8⤵
        
        PID:1644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2456
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat"
        10⤵
        
        PID:2356
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2228
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QtXcZTVakC.bat"
        12⤵
        
        PID:2728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1772
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PJw82jcrZC.bat"
        14⤵
        
        PID:1664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2944
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat"
        16⤵
        
        PID:2524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1588
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat"
        18⤵
        
        PID:2840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1504
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat"
        20⤵
        
        PID:1724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2152
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat"
        22⤵
        
        PID:2348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1756
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sodlpYYBfa.bat"
        24⤵
        
        PID:2184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:3012
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VF9LbKHiRa.bat"
        26⤵
        
        PID:1888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2620
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Downloads\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Downloads\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\de-DE\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\de-DE\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\it-IT\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\en-US\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77791cbe10fc9bada22bb426582924a5

SHA1
5f132013e66c62f2df936391aca2c1bf2074d5a6

SHA256
29dbee2ebc2dbc6c3ecaac04de5ac0bd5fa5b62c244706183b08f8ad88b1ad89

SHA512
b7919f5542bd701cd5b7a3a2fb9e98a716ac78389accb007396f164c434cf2a9edfb1d1ded42fcd71bc6d9225157aaa1b032221799fb77b64d2b5125f8dba705

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1bd783fb9a6a18d5f85fc2417ef6f30d

SHA1
8b61a976da08b5d8f0a92849b77d54afff6f96c0

SHA256
b7c427afa77f70055668f6915c8ad9eed642b40d9b7068b091a608d319c1c3de

SHA512
ca1c7c9a5d398a0477c2fef96976ca951c607fd58c9e322221f23c34f83c0eb4fb665e1194f7b00cfa516b20a4e379fcaa3084dab06fc25978a67060fae99426

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
836125197cb622ba5131974f333ac7f0

SHA1
b74a85a82245cfa9206d20e4fa875e3cabc89367

SHA256
641d2ee39a4aab7638a63b71691f8bb894e5d962ae9f05d6d21fa93a29550313

SHA512
60908d25b312cac3e92a7215761233016ee000b502fa4266b9bd405570e5d75e2c42619e199542ed0833e1e0029fc37727b7abe534fa577f19e641c5ce42b663

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a058dcf48889ed3238de695ec474985a

SHA1
7653e1b26587f3c24d7e94bf9749198630542957

SHA256
c2ac5a60bb5ab20ac1aafeba901b921bcaf7f821543af03fe307de01fd500a51

SHA512
1d3480fc863edd4021ca637e60c4fbf4a534cb0a367c2f293c53e4354ee48c8267436a1df3e70096eb9ed28939800be996b6aca547f50a2655bcb6352bbb5062

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
266116ce749b9fa93a8ab0231807e2ab

SHA1
3535e2b39946611103a836aff9c742ea599fc08d

SHA256
7054a28a03e2a3b501f2880d310d990a733d1925fde10038851123538e01b4c1

SHA512
1fd8e0c5dc713937854ded815abc8ab0842f2f02aedd564807ad7d96e80cc15dd936e438316c4f63dd573d9e019ba71dd6684c92c917f52dfd37ab6e19e0637c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35c414b2bfa921e07b3fcba83cff071b

SHA1
909653ac4ae9e50e8af2329b07bafd5ae95f6b05

SHA256
fc14701409a914ef0e4536964a8d9f6bc87628a93dfd1fd9f48d48f43957a804

SHA512
0de24bb9621f60d2ccedd424000aea6eacfe31ec329a3b728d98727b1ac8448209c295f17da721c684c002530e8d4641a8b610f62605ffe31ea864771ca955e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6eb3348836cf7d026b7a460ff286fed

SHA1
1475f2cac5ded45030ed6c09914578f121438a3d

SHA256
40596c65538b2bd6f8e4ce0e708ce713995b430f19406cae1f4c0782762592af

SHA512
ad22d9d6170944239b6fdff86f714490ef32858890450a22b6e3814f0522a34619fc6211cb6ba1f010fb8294fa3caea2342ee663c15a146669cd8d224e0676fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0fe3c0c2a63f17f200727b09c6e9cacf

SHA1
0d3d37e9370ac59c36148dfbb9f95fbeb02521ff

SHA256
5b09316aa49084a32ed5eac83b99229e548b9936ed1695502522b4d635f7020c

SHA512
141543a3481f3afdef4be55d831ae003e72b1c48ae31f8cd740610a4f63267ff88759ab01bbf19c4d032c5a1aad0dbc08e55fce3a05c512a9f171bc5ac079501

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf791bde5177180f8522c79fc59f1d71

SHA1
2e5c9830142768a035b21123723342c7fe7cf2a6

SHA256
e48270668288da2036734fce3b621fdc7bf75c27b9cb0bcdf4464006f234294f

SHA512
f3aba45f0b4a753e0438656b105020bbd008658cddde39409cf58e1a499f4bd4d72ef4a36e336e41aef698aa02607b64f9cde8fa3881136d8de1e30cf354621c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
970fef76421877b8fc153b401cc6426e

SHA1
0a39f1b2d78996d1a715b321471e96367317dd71

SHA256
2ddde58bf6d97a3cbb5db055757accf7ee778eb048ad7a465d0c2b2cb10295c2

SHA512
3c7b4f7caa54bb78f385de57fab107c7b5d1f0f7870e0cccfd006fcd10aa035b46fc0cafe71c0bb5f931330205436d64af65d51aa1b6e11401a1237840dce05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\04VLARgLyy.bat

Filesize
221B

MD5
ba92a4300f2dd100a398c8ca3b3be4bd

SHA1
19ca7d47e46948ca671643a85a4356e7e5db1cf7

SHA256
61aea91be36b04609fda5de66bb1485a356cb06edef054f20e637844ed67b069

SHA512
c281490baaea84f90d431c3974c3e3d0b31a3aa7c436d562b9ee45e5f34279e9f976ac015ff4d9022898634a9481473341ae7219f148357dda38646042af6f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat

Filesize
221B

MD5
cd7352593b092143ec93a1e8695d8e2f

SHA1
132be02043c92d059b40cbc6db617dfbf7763d5e

SHA256
f6750d17dd8b511ae7390319cfd15fa4a65b6d2dd3afc20e547804595066b909

SHA512
48957c74bf9a465b497ac1aeacfb33c08f448f1f3074f080d770b622884407776a0e72165601a3f2414ab68b872eaf9d28903b4a3d5c4c3ad8ace118f30bcc7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFCB8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat

Filesize
221B

MD5
4e8e8eb1580fe4c1f096119f43000a6f

SHA1
37ac740b2d1e0702598bdbf70a2ca35de02cfc18

SHA256
afeaed99a2bfbeec9ed4c40363e9508dee07d85441de35b49d79f17d32cd5741

SHA512
34527a072b077402d6d04b1d104981be4fcf7a644c7a1c1ad1df3cdbf28a5eda7e5ec9d200196a3679cbc47290e396b839220d81f9dcdea4f7e3abcbab22bb4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PJw82jcrZC.bat

Filesize
221B

MD5
230c7f9905b1ae037aa3a1571bc62e24

SHA1
bdf3b0e0080256537314391ef4833a02b4b77548

SHA256
1d6063bc2e3974444d36e83afad2f8f4d7500548641c8603adc61a0916bdcc24

SHA512
2397a46caa4c1dd3b36f902ec1e677557e45fd7fc329b340e0a6967976ee3fd1d97c7da2e4b6dbc6218ea16a342ee39cb65f4ba5484da636015147bcc9bbbcbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\QtXcZTVakC.bat

Filesize
221B

MD5
47e0ed82da50f8ae627ccd1674a3fb58

SHA1
1a42fe8c979f397eca2598456d774195c7411ad3

SHA256
5a090e2fcb786d2bb5830a9f8804e559015c192619352a3c83a1c5586fe85398

SHA512
52b825805cb2052587de9e1f6222c370bbaa1df8d19fad64dd8b176e3aad2bdaa7b27598496c17d8dc1aac6f59ab4df0da2a54c80637bdc7355814e940eff9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFCFA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat

Filesize
221B

MD5
e2e6607cadbd2e0474d2abdcc665c467

SHA1
fe6a958ad4431a00cd1657e8a5a8fece3554a1ec

SHA256
78424b044629a415f19fb8cd7e841c06243512f9dd3d3b6b3f31f1bf347edf9d

SHA512
b08114b2c88eef1f967b3914748c25035005f6f8141f07e6edbc83ea1fd02ad95dc4497cd08cbdaa38feaf8b0b461134901024755bcad1991284f91eb4224849

Download Submit
C:\Users\Admin\AppData\Local\Temp\VF9LbKHiRa.bat

Filesize
221B

MD5
c3e6ddaeb38df6c7b8ea8b0caebc2263

SHA1
dc3af8ca1b51cf178e2061adc0387ee3d09751be

SHA256
1d25ede7ad8d11e8c074144020acbaf0eb6cfb4c1303fe55620032f3d3bcb555

SHA512
55f3976185a66c6c8b5795ec1a790a626beee1792d2abba128364dca4178f82ae82547bc457878d91d3551b7e58db9e59f546d5405adef5a78ae0f16dbc50257

Download Submit
C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat

Filesize
221B

MD5
9cfcf518f7f1b0db912e089c37eb9eea

SHA1
9992260cd891121d0b8b04c0106e2fb43ba35b6a

SHA256
8da2bf0d03118f9157185af3b9dd00bc9ce6bef946d917a43906cbb07d184e84

SHA512
da95366bbaf9b9c56999a94ebdd6dd10de38f839a89db154d56d78765ee6e08faec7372a353d82b611d11209608bfa2f14e0b04f3cf4eb10d4486c89b75cb92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat

Filesize
221B

MD5
b6dfc66db0300e9e88e83afb5ee47c82

SHA1
b231cc0594c98558c2b2ebf4ec9b48d9a888bdcd

SHA256
a65818f198c4424755cfaec86eba7a9bd44c7dec1b703d15b837d9091529851b

SHA512
c4f661208930d732cbe95ed7614d1cdbb35d5a5d70134c915c7826b6941d737042cdaeac9b824b0979feeb2aa4d8f0ff64b2374f4f2f375ddcbfed25a5988425

Download Submit
C:\Users\Admin\AppData\Local\Temp\sodlpYYBfa.bat

Filesize
221B

MD5
fad471c74dd7c4c671b80434081c26e5

SHA1
979c0ebeb854708cbeea853364cfdfaa80c0a8fa

SHA256
ae3abc3c4671a74845c36b841f08ff698c742c4764380f8cc484f6d3ea8da468

SHA512
46843acf80a4f7decf50cffe39346c789593e15b828e4d9ef93b016cd6d0a929624e333dbc921b75f516496decbc1f581ebe6c38ca351e831b5be69c784b32a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat

Filesize
221B

MD5
1eaca2bae75983cee584af98b7df0586

SHA1
f730002e421183ef09188ebbd7c5c42932fd916a

SHA256
f697f4deab9267cef24f9831afdc93458484ad392803e9a3c1c75b6501c9ec85

SHA512
2f9de2e543046a4ab6cb553963eae6c26d8074e24bc06f9b00a4a67d51dc8d4a90db4fa1a15cba84f42d8d0f4adfd57ce6afb3dbc6468bb2f5cb6bc51c4a7749

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
91bf9996fd8f9c232fba9a132e75197f

SHA1
04b28c3a9d7eccb6ac549bb5c1a91dcab94f45b4

SHA256
cdebb1a321c25a33029afa4dd810c2dac8dcfc752a542ab9459519a013ca2060

SHA512
b0f1b4343563021230514740ad42d4b12a983a4a6aa9689936eb8617130c1561094131c9567d0de05538a6dee19855fe83f38d0ba20215ea2436f4ac1ca09731

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/556-727-0x00000000000E0000-0x00000000001F0000-memory.dmp

Filesize
1.1MB

Download
memory/1656-608-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/1656-607-0x0000000000EE0000-0x0000000000FF0000-memory.dmp

Filesize
1.1MB

Download
memory/1736-247-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1748-63-0x00000000029E0000-0x00000000029E8000-memory.dmp

Filesize
32KB

Download
memory/1748-62-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/1908-486-0x0000000000230000-0x0000000000340000-memory.dmp

Filesize
1.1MB

Download
memory/2344-547-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2344-546-0x0000000000DF0000-0x0000000000F00000-memory.dmp

Filesize
1.1MB

Download
memory/2364-426-0x0000000000C90000-0x0000000000DA0000-memory.dmp

Filesize
1.1MB

Download
memory/2424-787-0x0000000000CA0000-0x0000000000DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2424-788-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/2744-17-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/2744-16-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2744-15-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2744-14-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2744-13-0x0000000001200000-0x0000000001310000-memory.dmp

Filesize
1.1MB

Download
memory/2992-99-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2992-366-0x00000000001F0000-0x0000000000300000-memory.dmp

Filesize
1.1MB

Download
memory/2992-52-0x0000000000A20000-0x0000000000B30000-memory.dmp

Filesize
1.1MB

Download