dcrat | d455a89f681f0d987f3ea0df58c20534d8582fb00f595e1b008b714a5fb700e0

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_d455a89f681f0d987f3ea0df58c20534d8582fb00f595e1b008b714a5fb700e0.exe
Size

1.3MB
MD5

f73c4ce7481193c2a7a0d8a3c25381f9
SHA1

6b2d8adc33ebdb1c300a813e12150088a4a1a046
SHA256

d455a89f681f0d987f3ea0df58c20534d8582fb00f595e1b008b714a5fb700e0
SHA512

ac74884b839d58c2944b84de3096769bffcc095500287dc4eaaa8ba8d7699191286f85787cba8158bc30fcde19dc8f44c67c752fc18b32b69d51168e16581dcf
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2060	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2060	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00060000000191ad-12.dat	dcrat
behavioral1/memory/2188-13-0x0000000000E90000-0x0000000000FA0000-memory.dmp	dcrat
behavioral1/memory/2320-136-0x0000000000920000-0x0000000000A30000-memory.dmp	dcrat
behavioral1/memory/2352-195-0x00000000009C0000-0x0000000000AD0000-memory.dmp	dcrat
behavioral1/memory/2324-255-0x00000000012C0000-0x00000000013D0000-memory.dmp	dcrat
behavioral1/memory/1668-315-0x00000000000A0000-0x00000000001B0000-memory.dmp	dcrat
behavioral1/memory/2384-376-0x0000000000F70000-0x0000000001080000-memory.dmp	dcrat
behavioral1/memory/1012-436-0x0000000001010000-0x0000000001120000-memory.dmp	dcrat
behavioral1/memory/2808-497-0x0000000001190000-0x00000000012A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1044	powershell.exe
2508	powershell.exe
1588	powershell.exe
1584	powershell.exe
1596	powershell.exe
1736	powershell.exe
1924	powershell.exe
1244	powershell.exe
1652	powershell.exe
1684	powershell.exe
1716	powershell.exe
2372	powershell.exe
2548	powershell.exe
2280	powershell.exe
896	powershell.exe
2532	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2188	DllCommonsvc.exe
2320	services.exe
2352	services.exe
2324	services.exe
1668	services.exe
2384	services.exe
1012	services.exe
2808	services.exe
2172	services.exe
3020	services.exe
2764	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2780	cmd.exe
2780	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
27	raw.githubusercontent.com
33	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sv-SE\101b941d020240	DllCommonsvc.exe
File created	C:\Windows\SysWOW64\sv-SE\lsm.exe	DllCommonsvc.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\bin\0a1fd5f707cd16	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\control\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\de-DE\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\de-DE\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\es-ES\services.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\control\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\fr-FR\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\fr-FR\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\es-ES\c5b4cb5e9653cc	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\lsm.exe	DllCommonsvc.exe
File created	C:\Windows\de-DE\101b941d020240	DllCommonsvc.exe
File created	C:\Windows\system\cmd.exe	DllCommonsvc.exe
File created	C:\Windows\system\ebf1f9fa8afd6d	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d455a89f681f0d987f3ea0df58c20534d8582fb00f595e1b008b714a5fb700e0.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2980	schtasks.exe
1156	schtasks.exe
2872	schtasks.exe
1640	schtasks.exe
2120	schtasks.exe
344	schtasks.exe
780	schtasks.exe
2652	schtasks.exe
2776	schtasks.exe
340	schtasks.exe
1608	schtasks.exe
604	schtasks.exe
2008	schtasks.exe
916	schtasks.exe
1660	schtasks.exe
2928	schtasks.exe
2612	schtasks.exe
2860	schtasks.exe
1516	schtasks.exe
1208	schtasks.exe
680	schtasks.exe
2912	schtasks.exe
2136	schtasks.exe
3064	schtasks.exe
1728	schtasks.exe
572	schtasks.exe
1196	schtasks.exe
2220	schtasks.exe
2840	schtasks.exe
2144	schtasks.exe
1856	schtasks.exe
448	schtasks.exe
2584	schtasks.exe
2936	schtasks.exe
2500	schtasks.exe
928	schtasks.exe
2148	schtasks.exe
1676	schtasks.exe
1328	schtasks.exe
2656	schtasks.exe
1732	schtasks.exe
2312	schtasks.exe
1688	schtasks.exe
2516	schtasks.exe
1744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2188	DllCommonsvc.exe
2188	DllCommonsvc.exe
2188	DllCommonsvc.exe
2548	powershell.exe
2508	powershell.exe
1736	powershell.exe
1044	powershell.exe
1596	powershell.exe
896	powershell.exe
1924	powershell.exe
1684	powershell.exe
1584	powershell.exe
2280	powershell.exe
1716	powershell.exe
2372	powershell.exe
1244	powershell.exe
1652	powershell.exe
1588	powershell.exe
2532	powershell.exe
2320	services.exe
2352	services.exe
2324	services.exe
1668	services.exe
2384	services.exe
1012	services.exe
2808	services.exe
2172	services.exe
3020	services.exe
2764	services.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	DllCommonsvc.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	2320	services.exe
Token: SeDebugPrivilege	2352	services.exe
Token: SeDebugPrivilege	2324	services.exe
Token: SeDebugPrivilege	1668	services.exe
Token: SeDebugPrivilege	2384	services.exe
Token: SeDebugPrivilege	1012	services.exe
Token: SeDebugPrivilege	2808	services.exe
Token: SeDebugPrivilege	2172	services.exe
Token: SeDebugPrivilege	3020	services.exe
Token: SeDebugPrivilege	2764	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2520	1928	JaffaCakes118_d455a89f681f0d987f3ea0df58c20534d8582fb00f595e1b008b714a5fb700e0.exe	30
PID 1928 wrote to memory of 2520	1928	JaffaCakes118_d455a89f681f0d987f3ea0df58c20534d8582fb00f595e1b008b714a5fb700e0.exe	30
PID 1928 wrote to memory of 2520	1928	JaffaCakes118_d455a89f681f0d987f3ea0df58c20534d8582fb00f595e1b008b714a5fb700e0.exe	30
PID 1928 wrote to memory of 2520	1928	JaffaCakes118_d455a89f681f0d987f3ea0df58c20534d8582fb00f595e1b008b714a5fb700e0.exe	30
PID 2520 wrote to memory of 2780	2520	WScript.exe	31
PID 2520 wrote to memory of 2780	2520	WScript.exe	31
PID 2520 wrote to memory of 2780	2520	WScript.exe	31
PID 2520 wrote to memory of 2780	2520	WScript.exe	31
PID 2780 wrote to memory of 2188	2780	cmd.exe	33
PID 2780 wrote to memory of 2188	2780	cmd.exe	33
PID 2780 wrote to memory of 2188	2780	cmd.exe	33
PID 2780 wrote to memory of 2188	2780	cmd.exe	33
PID 2188 wrote to memory of 2548	2188	DllCommonsvc.exe	80
PID 2188 wrote to memory of 2548	2188	DllCommonsvc.exe	80
PID 2188 wrote to memory of 2548	2188	DllCommonsvc.exe	80
PID 2188 wrote to memory of 1736	2188	DllCommonsvc.exe	81
PID 2188 wrote to memory of 1736	2188	DllCommonsvc.exe	81
PID 2188 wrote to memory of 1736	2188	DllCommonsvc.exe	81
PID 2188 wrote to memory of 2280	2188	DllCommonsvc.exe	82
PID 2188 wrote to memory of 2280	2188	DllCommonsvc.exe	82
PID 2188 wrote to memory of 2280	2188	DllCommonsvc.exe	82
PID 2188 wrote to memory of 1044	2188	DllCommonsvc.exe	83
PID 2188 wrote to memory of 1044	2188	DllCommonsvc.exe	83
PID 2188 wrote to memory of 1044	2188	DllCommonsvc.exe	83
PID 2188 wrote to memory of 1652	2188	DllCommonsvc.exe	84
PID 2188 wrote to memory of 1652	2188	DllCommonsvc.exe	84
PID 2188 wrote to memory of 1652	2188	DllCommonsvc.exe	84
PID 2188 wrote to memory of 896	2188	DllCommonsvc.exe	85
PID 2188 wrote to memory of 896	2188	DllCommonsvc.exe	85
PID 2188 wrote to memory of 896	2188	DllCommonsvc.exe	85
PID 2188 wrote to memory of 1684	2188	DllCommonsvc.exe	86
PID 2188 wrote to memory of 1684	2188	DllCommonsvc.exe	86
PID 2188 wrote to memory of 1684	2188	DllCommonsvc.exe	86
PID 2188 wrote to memory of 1924	2188	DllCommonsvc.exe	87
PID 2188 wrote to memory of 1924	2188	DllCommonsvc.exe	87
PID 2188 wrote to memory of 1924	2188	DllCommonsvc.exe	87
PID 2188 wrote to memory of 1244	2188	DllCommonsvc.exe	88
PID 2188 wrote to memory of 1244	2188	DllCommonsvc.exe	88
PID 2188 wrote to memory of 1244	2188	DllCommonsvc.exe	88
PID 2188 wrote to memory of 2532	2188	DllCommonsvc.exe	89
PID 2188 wrote to memory of 2532	2188	DllCommonsvc.exe	89
PID 2188 wrote to memory of 2532	2188	DllCommonsvc.exe	89
PID 2188 wrote to memory of 2508	2188	DllCommonsvc.exe	90
PID 2188 wrote to memory of 2508	2188	DllCommonsvc.exe	90
PID 2188 wrote to memory of 2508	2188	DllCommonsvc.exe	90
PID 2188 wrote to memory of 2372	2188	DllCommonsvc.exe	91
PID 2188 wrote to memory of 2372	2188	DllCommonsvc.exe	91
PID 2188 wrote to memory of 2372	2188	DllCommonsvc.exe	91
PID 2188 wrote to memory of 1584	2188	DllCommonsvc.exe	92
PID 2188 wrote to memory of 1584	2188	DllCommonsvc.exe	92
PID 2188 wrote to memory of 1584	2188	DllCommonsvc.exe	92
PID 2188 wrote to memory of 1596	2188	DllCommonsvc.exe	93
PID 2188 wrote to memory of 1596	2188	DllCommonsvc.exe	93
PID 2188 wrote to memory of 1596	2188	DllCommonsvc.exe	93
PID 2188 wrote to memory of 1716	2188	DllCommonsvc.exe	94
PID 2188 wrote to memory of 1716	2188	DllCommonsvc.exe	94
PID 2188 wrote to memory of 1716	2188	DllCommonsvc.exe	94
PID 2188 wrote to memory of 1588	2188	DllCommonsvc.exe	95
PID 2188 wrote to memory of 1588	2188	DllCommonsvc.exe	95
PID 2188 wrote to memory of 1588	2188	DllCommonsvc.exe	95
PID 2188 wrote to memory of 2624	2188	DllCommonsvc.exe	112
PID 2188 wrote to memory of 2624	2188	DllCommonsvc.exe	112
PID 2188 wrote to memory of 2624	2188	DllCommonsvc.exe	112
PID 2624 wrote to memory of 2868	2624	cmd.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d455a89f681f0d987f3ea0df58c20534d8582fb00f595e1b008b714a5fb700e0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d455a89f681f0d987f3ea0df58c20534d8582fb00f595e1b008b714a5fb700e0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\plugins\control\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\sv-SE\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\fr-FR\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\de-DE\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\bin\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\es-ES\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\fr-FR\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9VddvjHMjC.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2868
      - C:\Program Files\VideoLAN\VLC\plugins\control\services.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\control\services.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat"
        7⤵
        
        PID:1936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1896
        
        C:\Program Files\VideoLAN\VLC\plugins\control\services.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\control\services.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat"
        9⤵
        
        PID:1680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1576
        
        C:\Program Files\VideoLAN\VLC\plugins\control\services.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\control\services.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\61cJPf1Vjg.bat"
        11⤵
        
        PID:1980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2528
        
        C:\Program Files\VideoLAN\VLC\plugins\control\services.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\control\services.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat"
        13⤵
        
        PID:2980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2780
        
        C:\Program Files\VideoLAN\VLC\plugins\control\services.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\control\services.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat"
        15⤵
        
        PID:2068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:3036
        
        C:\Program Files\VideoLAN\VLC\plugins\control\services.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\control\services.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LW19r029AS.bat"
        17⤵
        
        PID:1072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2200
        
        C:\Program Files\VideoLAN\VLC\plugins\control\services.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\control\services.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gMBHdlpNUB.bat"
        19⤵
        
        PID:1244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1400
        
        C:\Program Files\VideoLAN\VLC\plugins\control\services.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\control\services.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dFeEewS5jL.bat"
        21⤵
        
        PID:2636
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2940
        
        C:\Program Files\VideoLAN\VLC\plugins\control\services.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\control\services.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat"
        23⤵
        
        PID:2952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2800
        
        C:\Program Files\VideoLAN\VLC\plugins\control\services.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\control\services.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\plugins\control\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\control\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\plugins\control\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\SysWOW64\sv-SE\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\SysWOW64\sv-SE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\SysWOW64\sv-SE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\fr-FR\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\fr-FR\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\de-DE\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\system\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\system\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\system\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\es-ES\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97ec95f68e8afe4c16c49f9d51371665

SHA1
2e5d69151c1154b7125d340dc54361c6b7681e6e

SHA256
c728765e4eb6a7c5068d2895edc882c656b48b4deae3dd69e699573839c76e28

SHA512
dedbf1c55dbd776efc6f6dffac91a25e2eeaf9007b5efe774475b25622aaca8c0124d4d2a2d38bc23efc7ed602e44cc66e25d3525cc835c71671924a23982f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2672d280590b19e3ee3c1998f91512f3

SHA1
e1c2576233aba5cef41c3408b1632ce5a97bf5d2

SHA256
e6ef9963b04a1c0df1d5cbf116011cef2fe5e5180a45ab8dd7020298de0472e3

SHA512
34ab813c306e8a42a179a8d697af43fa7fb7d99ea3eff062cdcc82643c006b5d9cbc3cca3f30106f44cdfe06bbef6864ae3f8c88a3cda0b1f20f4eca22473d76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
447a9803f3b471be9e71a6dc6ebec5a1

SHA1
e45ba730b768a10891ca1fb1f5bb2de354922bfa

SHA256
6b27d28e1779ed5f4dfee67a4ffc1c45f434791ad5df002ffccc09e49b61550b

SHA512
6798072e87070376d19d55bde932b7f1d71ee86fc3c2e9eff2fa506a195995029f5383e9bb3276e7f0d1fe71c6f0ccba02e466611684e9f1d5d1f7a8aa9c03d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72048943ff9f40d9df2bd4f5b4988d72

SHA1
5c81a5f65e181c850988e7b756a44736bb19131e

SHA256
de6e5b5a8c85e567fab576e957a6a16bb3b44942ca7fb0dae7b63ca05782ec36

SHA512
bb255680dc46dc8c49c2ba79d360f9b8660c73e87f18c6774f5b2085910789b87c4db5978b6014fa003fd5e419c5f2d249da87bbee45f5c57682d0c010061640

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15d678bb48753d49991cb5155029d9da

SHA1
9072acf014482b9cbec5f01b4308f210a99948d1

SHA256
e705199ebf2337d50dc7b87650c5c600e6d245e2ff92d8a0b9775810f1295fd9

SHA512
e01cfa8447b0240f8be6c06414eec4251f3329b1196b1981df989b4585865d25c52fff7f1cb92b71d0ee34678b343c6278cbd5c8001e0586f75a10d2800bdbe3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1911ea9d867c684daf1ef78b8ac922d6

SHA1
d218c6d7f37953dd3c964bab071452bb316ca603

SHA256
b68a69d03e9cc69fe44bee180523199e32dcd315ce933656da0fdd24a6401470

SHA512
ad014fa9d27ab2fd7e2457195463b55b02ca9ef92bab22a665827bed5176ff930e6ba8156fe6dde3ec49fba9aba3d6c65556ac5d833496cd8923f97be303e6ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f60e647f1342e2bedc61cab301aff00b

SHA1
c1f2ddda2cacb1ec348ba1127433eb7257b02add

SHA256
4a12a481f48dd80542fe80d5c28022db40ee9faaeccd6dd583d63b9c089cb276

SHA512
a93aca910be59f59e925e4a66d75eb9a8ddeb76dcd04835241affdacd6b2e395db5b45eab62c8c467f7b134b4e3d2197119eecc8a9a389fae8c1ceea3ba0f22a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
036fe7d7d9d33dce9bbc485115953f67

SHA1
67cb5ff2b5e315cc5ddbcf0a7a35c3d1cb3a4dfe

SHA256
658f9f5e04d55f8682db7f207074141fe6f120b248393f7bbecc037cf331d67e

SHA512
4a381f0cc8a12b405d38105ec356e892b07694956c91a89c808a86cbb622354b3cc190d3362251999abba2f2f94ccfda36117b452525924d7b4593dd4e7a4477

Download Submit
C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat

Filesize
223B

MD5
0d5c791672fc89ece568569f5ef227e2

SHA1
7b2fad4e967b36af3a438c7893b0d58926df7985

SHA256
258e570e0973d167e896612b8f9c8d567f066551beb4b567c52d55de7a17bde8

SHA512
bdcaccbc45faabfeba4a33baee16753745a9b186adcb353807bfc9237a67cdde943e9673aef96502b4a369886280e019766ef1df5aa1593d9db4c8c77dba568d

Download Submit
C:\Users\Admin\AppData\Local\Temp\61cJPf1Vjg.bat

Filesize
223B

MD5
5652255c4b2259a681e860c87c3a53e8

SHA1
bf9ccb8645932d992b42b6e4048ba6adb9777eaf

SHA256
32f1b3b114b31ed22379bab75d9ebd419f16180508821793cb741306dc11cdcd

SHA512
f7d08d6abb1cb16ffbb2476bae5ba6fd6af92ab5e6afafadc91b9f6a05708728b90e376f719b910ce32be77b4e11030b5e68e6e23140bb5b6cb847a3844f075a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9VddvjHMjC.bat

Filesize
223B

MD5
cfcf4b070d847c1d0ae8f5e4d1c84d6e

SHA1
3e21dc991ed682289ecac9a62088fd4e6d4198ff

SHA256
22be4746cadad72eee0a16df452cac0141ff0e1bceb852e5e8ca8592213c75de

SHA512
1c00065f6d5aa4acd03b05dc9f829d745e660952a2382efa39806b8feac4d8301176b5b42ece65c5f5f1fd630a0bf258ae447e9b3a8473356b8242965a4d0fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF153.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LW19r029AS.bat

Filesize
223B

MD5
3f2b57bdd9c6b0331f82e11e5d1b1a0b

SHA1
d5ded84985426675b06f926b835a8f403210105f

SHA256
eefc0e4ff1a7959dc0d285d42e6dd22317862604e630dddb47bbf25661744035

SHA512
b640c390d02a5ba1409e8af2a765fb07661fb75dd1da95dee6110f8c88cf64894642b58a697dd34651c5fc1b9c6c4d77110df1f3cf88850fe83fb73f4a1b2394

Download Submit
C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat

Filesize
223B

MD5
e9f8d97b20a727c9381d0e055b8d900b

SHA1
e85ed14cacd9b5dde8296abb947ca18477611cc8

SHA256
b49405c759d6c47e6cc4637720fb9d0afdcd198c0d90af5f48120c81059d6c60

SHA512
862b95a9bb86748f522df20f64449cfde7f8f0f9399eb29293d4a916c0ad93c6d77c4c4a73261ec5c31dc71e4a85131b0a022b590742e38b39128bae5a352b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF175.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat

Filesize
223B

MD5
44851780febce2a4fb9c46fb214ef8cc

SHA1
5bf98fa30e078975a40c3712768dc9292fb9e1e9

SHA256
3b214c0fbb4f8b3251a13698cd4b0641a1bb3b7c72b6c88cc1ca21d6723bad0b

SHA512
c218a6ec4b7aae0d763c0a05af8b7872711533e11769f7a6ca236ace2efea71a961acdb7f0c85d92a74c149673727a41a10200769ac4a4eb321e67cb7423466b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat

Filesize
223B

MD5
3b1bd20c5f4dec80c22e34c05873b948

SHA1
a1306aa800cd4f1d88fc93a39f0fc6e3a3a27d19

SHA256
abda5d78c9dc6780b6f596f37496a888675d5a12208248aba2f48728d4484967

SHA512
3c5b743da093b6e20be38c52437c33a69cce3e584588bc0461ebea530c809f8ac6b49635a8fb10d1fc90cc25968b4aa995927f9a2222f36d6e52f1d97ff6dff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dFeEewS5jL.bat

Filesize
223B

MD5
b1d71fd149bbf4218ccf835e125124d8

SHA1
2186b73f38499d91ca2fa310088c674374abbc5d

SHA256
05972c908a746366c53c3cbe309f504c2b5bf1c41439b705e020f2102b40977b

SHA512
e6567517a63899aec7bb805ed0314789bb62b420dc3052071d743e561791ccd34e489d97fcb9394b0ee52f140f3db6f5118851d091ae72c2b3e7e336647f3c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMBHdlpNUB.bat

Filesize
223B

MD5
c76c3ac5cf568c461a6a6fc4c5529e94

SHA1
d57c0bc161b6c17e7663e967b696b16693f2d016

SHA256
8ab0bb2a576851ce5fc3e05a0070ce687aa1d3842cf89e32c11b30e778b835c8

SHA512
8d4f5bf8bed9adafd65d3b447cc5c8099b11b4fb79748e2f66a634876a183afdb535b8a25470666ae535b69c8e69e7d1933a7e4cfef875608f8e7fa0280d89ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat

Filesize
223B

MD5
85931d5fb91cf43f8d613640a1806c7c

SHA1
837bd483ad16c58d269ca0dcf9f7ec6dcedaea8f

SHA256
2ba0250513793042a6a2c62ff0cfc4c8613ab85f5d3d918030e779564973255a

SHA512
a1372641d18b25a1395cbb61e314f0c756dde9e0929d46ffde79e57b537f5aedafeec415484f1d9970a01403dd044974e1cf7aafe0a6c5b3c4b77bd26695074e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3ab01861174198da704def975591f5b1

SHA1
71b8435f115b575d90b99b23c5bc78219ff653dc

SHA256
113559e047f89135dbf26ee11b2dac793cf2973dee314e6f429697e3a0525ee9

SHA512
93212c2d2411f8a0be157a043ca6f9a98b224f48a6e99c550937d1a62f0944594b41e6a3c34adaa503e3322acd1e0e997cfd7f3f01f77be22a2c04955143730d

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1012-437-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/1012-436-0x0000000001010000-0x0000000001120000-memory.dmp

Filesize
1.1MB

Download
memory/1668-316-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1668-315-0x00000000000A0000-0x00000000001B0000-memory.dmp

Filesize
1.1MB

Download
memory/2188-15-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2188-17-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2188-16-0x0000000000150000-0x000000000015C000-memory.dmp

Filesize
48KB

Download
memory/2188-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2188-13-0x0000000000E90000-0x0000000000FA0000-memory.dmp

Filesize
1.1MB

Download
memory/2320-136-0x0000000000920000-0x0000000000A30000-memory.dmp

Filesize
1.1MB

Download
memory/2324-255-0x00000000012C0000-0x00000000013D0000-memory.dmp

Filesize
1.1MB

Download
memory/2352-195-0x00000000009C0000-0x0000000000AD0000-memory.dmp

Filesize
1.1MB

Download
memory/2384-376-0x0000000000F70000-0x0000000001080000-memory.dmp

Filesize
1.1MB

Download
memory/2548-83-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2548-99-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2764-675-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/2808-497-0x0000000001190000-0x00000000012A0000-memory.dmp

Filesize
1.1MB

Download