dcrat | bd8be0c8de288527b0d43d2a694c3e0a73e67d0234a2188aeced05866556a362

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/12/2024, 23:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_bd8be0c8de288527b0d43d2a694c3e0a73e67d0234a2188aeced05866556a362.exe
Size

1.3MB
MD5

94d79c15227f7ab22693a8f9f8745b2d
SHA1

a81139160531cae0aa1f4d43ed9a096b30422f89
SHA256

bd8be0c8de288527b0d43d2a694c3e0a73e67d0234a2188aeced05866556a362
SHA512

26f2a00f4ea6e6e30162daa0cf02e318cefc8a8779a123405c11e64b566421a364baa8f0bfd4f692d6951b81e2d6b9c0ee0ad71a295092e28c524ea0adea93da
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	1172	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	1172	schtasks.exe	34

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016dd2-9.dat	dcrat
behavioral1/memory/2772-13-0x00000000013C0000-0x00000000014D0000-memory.dmp	dcrat
behavioral1/memory/2768-129-0x0000000000AA0000-0x0000000000BB0000-memory.dmp	dcrat
behavioral1/memory/1044-188-0x0000000000BC0000-0x0000000000CD0000-memory.dmp	dcrat
behavioral1/memory/2432-248-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2216	powershell.exe
2236	powershell.exe
2612	powershell.exe
1688	powershell.exe
996	powershell.exe
3052	powershell.exe
1968	powershell.exe
2432	powershell.exe
1892	powershell.exe
2116	powershell.exe
2188	powershell.exe
2108	powershell.exe
2092	powershell.exe
2128	powershell.exe
1896	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2772	DllCommonsvc.exe
2768	conhost.exe
1044	conhost.exe
2432	conhost.exe
2376	conhost.exe
2288	conhost.exe
272	conhost.exe
2772	conhost.exe
2664	conhost.exe
2948	conhost.exe
2724	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2228	cmd.exe
2228	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\fonts\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\fonts\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\conhost.exe	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\fr-FR\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\fr-FR\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Windows\Setup\State\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Setup\State\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\Performance\WinSAT\DataStore\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\Performance\WinSAT\DataStore\b75386f1303e64	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bd8be0c8de288527b0d43d2a694c3e0a73e67d0234a2188aeced05866556a362.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3000	schtasks.exe
776	schtasks.exe
1684	schtasks.exe
2952	schtasks.exe
1964	schtasks.exe
3036	schtasks.exe
1916	schtasks.exe
1864	schtasks.exe
1780	schtasks.exe
2224	schtasks.exe
2880	schtasks.exe
2988	schtasks.exe
1616	schtasks.exe
2052	schtasks.exe
2980	schtasks.exe
2100	schtasks.exe
1960	schtasks.exe
2704	schtasks.exe
2012	schtasks.exe
2504	schtasks.exe
2392	schtasks.exe
276	schtasks.exe
568	schtasks.exe
1704	schtasks.exe
2640	schtasks.exe
2528	schtasks.exe
1496	schtasks.exe
112	schtasks.exe
1696	schtasks.exe
2656	schtasks.exe
2032	schtasks.exe
1456	schtasks.exe
2132	schtasks.exe
2284	schtasks.exe
1528	schtasks.exe
2664	schtasks.exe
1760	schtasks.exe
1636	schtasks.exe
1384	schtasks.exe
2364	schtasks.exe
2764	schtasks.exe
1140	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2772	DllCommonsvc.exe
996	powershell.exe
2108	powershell.exe
3052	powershell.exe
2612	powershell.exe
2188	powershell.exe
2216	powershell.exe
2128	powershell.exe
2432	powershell.exe
2092	powershell.exe
1688	powershell.exe
2236	powershell.exe
1896	powershell.exe
2116	powershell.exe
1892	powershell.exe
1968	powershell.exe
2768	conhost.exe
1044	conhost.exe
2432	conhost.exe
2376	conhost.exe
2288	conhost.exe
272	conhost.exe
2772	conhost.exe
2664	conhost.exe
2948	conhost.exe
2724	conhost.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	DllCommonsvc.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	2768	conhost.exe
Token: SeDebugPrivilege	1044	conhost.exe
Token: SeDebugPrivilege	2432	conhost.exe
Token: SeDebugPrivilege	2376	conhost.exe
Token: SeDebugPrivilege	2288	conhost.exe
Token: SeDebugPrivilege	272	conhost.exe
Token: SeDebugPrivilege	2772	conhost.exe
Token: SeDebugPrivilege	2664	conhost.exe
Token: SeDebugPrivilege	2948	conhost.exe
Token: SeDebugPrivilege	2724	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 1404	2072	JaffaCakes118_bd8be0c8de288527b0d43d2a694c3e0a73e67d0234a2188aeced05866556a362.exe	30
PID 2072 wrote to memory of 1404	2072	JaffaCakes118_bd8be0c8de288527b0d43d2a694c3e0a73e67d0234a2188aeced05866556a362.exe	30
PID 2072 wrote to memory of 1404	2072	JaffaCakes118_bd8be0c8de288527b0d43d2a694c3e0a73e67d0234a2188aeced05866556a362.exe	30
PID 2072 wrote to memory of 1404	2072	JaffaCakes118_bd8be0c8de288527b0d43d2a694c3e0a73e67d0234a2188aeced05866556a362.exe	30
PID 1404 wrote to memory of 2228	1404	WScript.exe	31
PID 1404 wrote to memory of 2228	1404	WScript.exe	31
PID 1404 wrote to memory of 2228	1404	WScript.exe	31
PID 1404 wrote to memory of 2228	1404	WScript.exe	31
PID 2228 wrote to memory of 2772	2228	cmd.exe	33
PID 2228 wrote to memory of 2772	2228	cmd.exe	33
PID 2228 wrote to memory of 2772	2228	cmd.exe	33
PID 2228 wrote to memory of 2772	2228	cmd.exe	33
PID 2772 wrote to memory of 996	2772	DllCommonsvc.exe	77
PID 2772 wrote to memory of 996	2772	DllCommonsvc.exe	77
PID 2772 wrote to memory of 996	2772	DllCommonsvc.exe	77
PID 2772 wrote to memory of 2108	2772	DllCommonsvc.exe	78
PID 2772 wrote to memory of 2108	2772	DllCommonsvc.exe	78
PID 2772 wrote to memory of 2108	2772	DllCommonsvc.exe	78
PID 2772 wrote to memory of 2612	2772	DllCommonsvc.exe	79
PID 2772 wrote to memory of 2612	2772	DllCommonsvc.exe	79
PID 2772 wrote to memory of 2612	2772	DllCommonsvc.exe	79
PID 2772 wrote to memory of 3052	2772	DllCommonsvc.exe	80
PID 2772 wrote to memory of 3052	2772	DllCommonsvc.exe	80
PID 2772 wrote to memory of 3052	2772	DllCommonsvc.exe	80
PID 2772 wrote to memory of 2216	2772	DllCommonsvc.exe	81
PID 2772 wrote to memory of 2216	2772	DllCommonsvc.exe	81
PID 2772 wrote to memory of 2216	2772	DllCommonsvc.exe	81
PID 2772 wrote to memory of 2092	2772	DllCommonsvc.exe	82
PID 2772 wrote to memory of 2092	2772	DllCommonsvc.exe	82
PID 2772 wrote to memory of 2092	2772	DllCommonsvc.exe	82
PID 2772 wrote to memory of 2236	2772	DllCommonsvc.exe	83
PID 2772 wrote to memory of 2236	2772	DllCommonsvc.exe	83
PID 2772 wrote to memory of 2236	2772	DllCommonsvc.exe	83
PID 2772 wrote to memory of 2128	2772	DllCommonsvc.exe	84
PID 2772 wrote to memory of 2128	2772	DllCommonsvc.exe	84
PID 2772 wrote to memory of 2128	2772	DllCommonsvc.exe	84
PID 2772 wrote to memory of 1968	2772	DllCommonsvc.exe	85
PID 2772 wrote to memory of 1968	2772	DllCommonsvc.exe	85
PID 2772 wrote to memory of 1968	2772	DllCommonsvc.exe	85
PID 2772 wrote to memory of 2432	2772	DllCommonsvc.exe	86
PID 2772 wrote to memory of 2432	2772	DllCommonsvc.exe	86
PID 2772 wrote to memory of 2432	2772	DllCommonsvc.exe	86
PID 2772 wrote to memory of 1892	2772	DllCommonsvc.exe	87
PID 2772 wrote to memory of 1892	2772	DllCommonsvc.exe	87
PID 2772 wrote to memory of 1892	2772	DllCommonsvc.exe	87
PID 2772 wrote to memory of 2116	2772	DllCommonsvc.exe	88
PID 2772 wrote to memory of 2116	2772	DllCommonsvc.exe	88
PID 2772 wrote to memory of 2116	2772	DllCommonsvc.exe	88
PID 2772 wrote to memory of 1896	2772	DllCommonsvc.exe	89
PID 2772 wrote to memory of 1896	2772	DllCommonsvc.exe	89
PID 2772 wrote to memory of 1896	2772	DllCommonsvc.exe	89
PID 2772 wrote to memory of 2188	2772	DllCommonsvc.exe	90
PID 2772 wrote to memory of 2188	2772	DllCommonsvc.exe	90
PID 2772 wrote to memory of 2188	2772	DllCommonsvc.exe	90
PID 2772 wrote to memory of 1688	2772	DllCommonsvc.exe	91
PID 2772 wrote to memory of 1688	2772	DllCommonsvc.exe	91
PID 2772 wrote to memory of 1688	2772	DllCommonsvc.exe	91
PID 2772 wrote to memory of 2568	2772	DllCommonsvc.exe	96
PID 2772 wrote to memory of 2568	2772	DllCommonsvc.exe	96
PID 2772 wrote to memory of 2568	2772	DllCommonsvc.exe	96
PID 2568 wrote to memory of 2856	2568	cmd.exe	109
PID 2568 wrote to memory of 2856	2568	cmd.exe	109
PID 2568 wrote to memory of 2856	2568	cmd.exe	109
PID 2568 wrote to memory of 2768	2568	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bd8be0c8de288527b0d43d2a694c3e0a73e67d0234a2188aeced05866556a362.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bd8be0c8de288527b0d43d2a694c3e0a73e67d0234a2188aeced05866556a362.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\fr-FR\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0CVVhmKGJ8.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2568
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2856
      - C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W0gPze1DKI.bat"
        7⤵
        
        PID:1368
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1964
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat"
        9⤵
        
        PID:836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2920
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\64IFTJQeKo.bat"
        11⤵
        
        PID:2520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:700
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat"
        13⤵
        
        PID:684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2172
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ISA3vp411k.bat"
        15⤵
        
        PID:672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2908
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat"
        17⤵
        
        PID:2092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2432
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat"
        19⤵
        
        PID:2708
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:952
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat"
        21⤵
        
        PID:1404
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1648
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iPSx7mMsuZ.bat"
        23⤵
        
        PID:2484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1724
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat"
        25⤵
        
        PID:3028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\fr-FR\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\PolicyDefinitions\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Libraries\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Setup\State\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Setup\State\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Setup\State\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\Performance\WinSAT\DataStore\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\WinSAT\DataStore\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\fonts\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\fonts\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc2180b4ac15bbcae611b835da55a6ed

SHA1
f44010531cd46189f795675f679c9f2db82a60b2

SHA256
246bd90ea1d619166518b98226d2418473debe8529ac2ec918f69addce8696fa

SHA512
f4a5724be55abc484ef362da6d1e7318ca37e56ebb2377dcbd12c3fb98bf9051d95e1c8bde650f784b19cd8e71f7594dfc089d223f748d61e1689b8def517d4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aee992a927fd5a43b1e0c05facf29255

SHA1
ffbfb345213eecfe4cf77709903d6f4271039dc7

SHA256
39ff190bdc4805f05516951f1792cb10a86937749524f82af296aec8bc6dac68

SHA512
1376f44c2925773ffc5445c21d48ba6a9609a5de1bb06464fab728286102d8806bc828d91409428b49de28fe57f472b76672ce1bb6d05994701bdf2ce3f6d048

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15193edace5c3d78e34a728fdc9343de

SHA1
c55fc9499a7603d7aab6938f021257445c1dc811

SHA256
01c04b772bd933eea9cca9c4e169a46e2c35ecff998d4d32db4616249f0b1174

SHA512
4faa45dc84934d6a046627b9219e72bcd8c3bc4f34daacb689870217091d77722359a0792c6065ca562576e5678529824373d7247a27be1c7463341a01849ac2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4df72c4b8c7b059fdcd3d9e63ee575ab

SHA1
500c50a9d5211c77808a90c060ced848cfb1ce53

SHA256
5d688e317170f216e5d46881a2c67343755de40604cc3949b85fc4805f2844fd

SHA512
82a1155ec696763b40fc1f14459a17154ac75ae738fbd5a4cba04a03435d0af853245912464b1a717de7c757335a91f684d9a35372ead0f80436e67a87c8b1ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e540d8461558ea36b0a8ef32f911239

SHA1
4ef512f6dfd558591819f9ebdcda1b31bbe18516

SHA256
0069ebd85e951cc534775921f255d8e5ce63b4fa47a2b155f7b7252b480ecfab

SHA512
242aea1501f7cc4a0f8dc7af4986843ca13f1260f33561c6fffb7286d9bf136f1988596140f6d811dcfa7afa6c52dcb89b13567451ff90dd2fdfa4d857b70fd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6aac14fd99f295c1adcb2b4603fefe32

SHA1
f26ffbc81a6f7d868e005dd87b054ec543317a7c

SHA256
e6013ba07046d25b6804915fbd21494bab4e6238524929333fa18ec82a6ada9e

SHA512
141f7ba025097fbf6380c690a3d089df3d5cb3e6e79cf51c35b7caaa653b703c89b7c0e71739f2bcf229267ee95f06ceaa549224e371d01e98206d1f08fb3f19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db0aaf13493d6c48293634f4a30d8b99

SHA1
d78b2b8b0b66b4229ef92de64bf06b2b4c28a0dc

SHA256
e99417abc48c881c63760cf723af896777745204d3aa77a5afe00c51161e8212

SHA512
5d3d021c1bc94c72b44beb67714a2c6d5dbe7baf2a3e887e5d76e44a329cf9fdcd30f344f2323799257eb05fb356d2dea13c84585967e954cc00bbde4975bba5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57c91f2b590fc752e9e1af7c2bb0d5ce

SHA1
0df9ace9b7d98452e1cc0fd0fd18c8fd68449878

SHA256
06d3c129c7e64d983d96fdd17c71a07b8d82ddc9ee3f139e0758606081e59836

SHA512
33e609b22e140d6a3b81485b587c2904a46b307cf04b06855905ce50f462b4a5eceee2d320943bb7898d4e2dc1bb1a8ce318f136c118ce55a8c80ef8bd8aefff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0dbd5bba790bb66ee47206fdaf7589c8

SHA1
a044b01d2fd7654142574dc8b8a67fdbdf63a8ee

SHA256
78178e668c2eb1b8cf49baf264bd1429bb38de2d3b3244d7feb712b82eff7d54

SHA512
6b4e276d3697cb58ec99cca4b3a9fbdc4027f8aba5841be6e356e7de14f22eda0eb6b0aba14f76e9c7290786491a9fe14311919e3b5d662134253ca9542231b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0CVVhmKGJ8.bat

Filesize
239B

MD5
d67f4cf07a98a2a008df00bc69dacea8

SHA1
922aad2589c303fad617b798991fc21e1c167802

SHA256
ed27a2dd2f6b5b35058bea55be561b5156166f3b7c5e33dce8369e42c6eb1908

SHA512
df24e26f68adb2013e72fb1635c1e7754719b7958639a48296be94798f4fe6b398593ec3823e08c4181e36b735a43e5d684e100136a336c9874a38d471d2d323

Download Submit
C:\Users\Admin\AppData\Local\Temp\64IFTJQeKo.bat

Filesize
239B

MD5
2b1b30dcb3f9278850b16b92f50eb4bb

SHA1
95d30bec18d38b379feb73505a710371d5c61e76

SHA256
fdaab97a2b1247d4af29aad046a53ab1c097bc515f03844a776c6c78f9d4f927

SHA512
6b33e60e9766d8956b37434717a59ef813b6012495951064ef80a968983e81c494cc7baea0a888831e103e57a661f4a181d5b17fd418594aa4c40b4637182ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat

Filesize
239B

MD5
f232d14ddb5299af2be9af90654076bb

SHA1
ceb3f65fef50515e2bcd2f4108d02385bf48eda7

SHA256
144034dd8197b24e5b900a8b0c253541209f5cfcedf95ff8891b3a323de712c2

SHA512
06b85e9a8493e53de244ee8f442ad5a19895672b14c288d277d4e60b8839cf5eff2a02716814579c7582bb559125ece74b06c09413afbfb145aa3370e561f8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat

Filesize
239B

MD5
03413431d9ed2424b9974eab3939f566

SHA1
8adfad6b139a8f7b150fe5c196e762ca501bca11

SHA256
a0a51dffdc3e306565d18879d6b1e216aded0fd77afe388badc67aa98cf11cb3

SHA512
0a6cb979a954c506225b3ba7fdf0d8afda09bf4c6d29aca8243d710264345995f6479e56eaeea23d2333acab522d6f68e263c7db2ffa67b1f7d7153ea7c7299c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF73C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISA3vp411k.bat

Filesize
239B

MD5
275d826fc1a998b47b203ecf244d3fe9

SHA1
273422e0e5bc1df9052b50a94b84b4dea378433c

SHA256
266fed43024564cc570bd7bac13fe1fe4b1a001073f48d5aa6b955015bb84cec

SHA512
0b10ede918fe8a9e2ea5ed46867a24d0fcedc9bdc4eb1246d0c08ebbfeeec3452f3ce3754e6069b87cb64c1576ae517c2f3dfce607a492fd8f7b458b27c5f263

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat

Filesize
239B

MD5
ced707ef3bbda7635ddf6ff541df5f33

SHA1
b77681ac76d1e65241d974906f0eb15346e44777

SHA256
74a73af3cdbd4ec1009f6a6d0e6f31e239cb0aa86d77602e6380d15678d6d2d9

SHA512
86c918a806511b5f387a27a5cca45bf9002d2d34e02235b2d26e7d0f46b845a0e3d68ac4c07cdbee3c944b78e474d5da4871a4d0b418c115422e2981fc7311d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF75F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\W0gPze1DKI.bat

Filesize
239B

MD5
8585434966f168affb116d11bc6d54d7

SHA1
486408eba2d0a424eb8366929aa4ee5423796350

SHA256
223431ba18bb42dc0dec0af698a15851af37b2eab0aa80e980aa24182487e804

SHA512
bdbfdfb2b2a9d91a1fc916b4429d2f3f39ba5b42eb7de2653af9c33ffb44f82aa6b348c65d3cbd6ae79bb5b7984d964fae247270758d7cccd21bb4993e3cad11

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat

Filesize
239B

MD5
1826ac6fa41d8b16cc7e65d2b1488d33

SHA1
a2fa7cc056752bab8a0efe20f67662a4b53add53

SHA256
f6fff3051f16249a565f09779533d4818aa83c3c4cc82d723307bfaf94851e94

SHA512
a233d73add8f1b4d399de0f0863c088806f30beb9ae8ca6e84615340b56cb2261f82645b5e5cf34c4d0f58d13c374d21816eb5e5ca5716ca3edff461bc8badf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat

Filesize
239B

MD5
5b2ac4bdb978769b50fe512e0d835b7e

SHA1
22c9bfd0a0b37c4c1e479dcf14512f011094de2b

SHA256
934fc468156cf72ddbbeacb73b440c04c9ec9df0919340798f033cfee15088e5

SHA512
6b5d4f08d4de8421eefc3365f0989de0a609a0148516e87723f42eeaf8151b52892441107b350168f5600f52e4b305435e97726b43bf335fe3438dc6eda502d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iPSx7mMsuZ.bat

Filesize
239B

MD5
43ea9c9e0d7e951f0708e73c38ff29f6

SHA1
3c1dd2e771fa4a4fd816d1f4e78e467d7ab2ca78

SHA256
431f6e7987fcb2f8e221451c3e216a6674920669123397abd62ef987227a712f

SHA512
cac530fc1e4ab554cece237c0f46290ee079e30bedb74c3cf162a0a78eef07436d76cad3754ebeca3acc1d8281317a1113608ec31f4053d1346ea2f41c7fb562

Download Submit
C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat

Filesize
239B

MD5
2f6a75dec43f57c846c0b7ad0c06fe72

SHA1
4b8ca9963234806778292632299af93429dfefe5

SHA256
c105cb2d98874dff1d5162b6a89689b4596284a8f244d80d053d076b54bfb538

SHA512
8c30e5f086d9ff39a8f6eb590675a1386e3725f34b529ef49a550ffcd5d2677071a25ccdfc2184b8b9c7d6d733f37a8b456f7222b47768e26879e56c978a2b9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KMZD3XQ4F79L29HXZI94.temp

Filesize
7KB

MD5
563f19975f85cd51af1df5b3d9148313

SHA1
696803c21c0b99c42c0b572f839e49d9aef8c3b0

SHA256
a6f74cc5a0b8c52db7797183e0be69b424f31ed1c3b9069053b813510945598c

SHA512
be70240f7cacc7dec496fefc2dc359f872e7cb445e069854b6334cc878ec86ece5a9f11e6b418d325266c3133ffcdb5701f8d18d8ffb3126c868af469cc178d8

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/272-426-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/996-61-0x0000000001E20000-0x0000000001E28000-memory.dmp

Filesize
32KB

Download
memory/1044-188-0x0000000000BC0000-0x0000000000CD0000-memory.dmp

Filesize
1.1MB

Download
memory/2108-60-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/2432-248-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/2724-663-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2768-129-0x0000000000AA0000-0x0000000000BB0000-memory.dmp

Filesize
1.1MB

Download
memory/2772-17-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2772-13-0x00000000013C0000-0x00000000014D0000-memory.dmp

Filesize
1.1MB

Download
memory/2772-14-0x00000000001E0000-0x00000000001F2000-memory.dmp

Filesize
72KB

Download
memory/2772-15-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download
memory/2772-16-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download