dcrat | 9d85ec6569d7e52307193cf82295e793f7598bc21eb7e664bcbfd137feaefbf1

Analysis

max time kernel
146s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d85ec6569d7e52307193cf82295e793f7598bc21eb7e664bcbfd137feaefbf1.exe
Size

1.3MB
MD5

de77b73f02aa71c5554295b73db978db
SHA1

7da112d26c4f550cb31f702f6cba43ddf28ed9e0
SHA256

9d85ec6569d7e52307193cf82295e793f7598bc21eb7e664bcbfd137feaefbf1
SHA512

9860344170efc484940633fa0daf0e7258d2892815153002e5012bddd671ef960b399977cf1c04c6454c9682968cfd346e9f9d34c5c27e76c812a86999beec41
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2548	schtasks.exe	35

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000186de-9.dat	dcrat
behavioral1/memory/2940-13-0x0000000001140000-0x0000000001250000-memory.dmp	dcrat
behavioral1/memory/2440-157-0x00000000003F0000-0x0000000000500000-memory.dmp	dcrat
behavioral1/memory/2948-216-0x0000000000D20000-0x0000000000E30000-memory.dmp	dcrat
behavioral1/memory/2584-276-0x00000000011E0000-0x00000000012F0000-memory.dmp	dcrat
behavioral1/memory/2736-454-0x0000000000190000-0x00000000002A0000-memory.dmp	dcrat
behavioral1/memory/2420-514-0x00000000011F0000-0x0000000001300000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2584	powershell.exe
2736	powershell.exe
2524	powershell.exe
2592	powershell.exe
2832	powershell.exe
3032	powershell.exe
1240	powershell.exe
2872	powershell.exe
2916	powershell.exe
3000	powershell.exe
2668	powershell.exe
3028	powershell.exe
1572	powershell.exe
2808	powershell.exe
332	powershell.exe
1420	powershell.exe
2824	powershell.exe
2724	powershell.exe
2552	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2940	DllCommonsvc.exe
2440	dllhost.exe
2948	dllhost.exe
2584	dllhost.exe
2312	dllhost.exe
2200	dllhost.exe
2736	dllhost.exe
2420	dllhost.exe
2864	dllhost.exe
1524	dllhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2816	cmd.exe
2816	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
19	raw.githubusercontent.com
29	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\1610b97d3ab4a7	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Help\OEM\services.exe	DllCommonsvc.exe
File created	C:\Windows\Help\OEM\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Windows\it-IT\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\it-IT\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Windows\Vss\Writers\System\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Windows\Vss\Writers\System\1610b97d3ab4a7	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9d85ec6569d7e52307193cf82295e793f7598bc21eb7e664bcbfd137feaefbf1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2936	schtasks.exe
484	schtasks.exe
2128	schtasks.exe
1540	schtasks.exe
1652	schtasks.exe
2288	schtasks.exe
2800	schtasks.exe
1436	schtasks.exe
2960	schtasks.exe
236	schtasks.exe
2004	schtasks.exe
1464	schtasks.exe
2892	schtasks.exe
908	schtasks.exe
1516	schtasks.exe
2296	schtasks.exe
2988	schtasks.exe
2440	schtasks.exe
2104	schtasks.exe
2240	schtasks.exe
2820	schtasks.exe
2344	schtasks.exe
1508	schtasks.exe
3056	schtasks.exe
1404	schtasks.exe
2276	schtasks.exe
1480	schtasks.exe
2076	schtasks.exe
2788	schtasks.exe
608	schtasks.exe
2860	schtasks.exe
2616	schtasks.exe
668	schtasks.exe
1864	schtasks.exe
808	schtasks.exe
572	schtasks.exe
1624	schtasks.exe
1960	schtasks.exe
1904	schtasks.exe
2056	schtasks.exe
1836	schtasks.exe
2972	schtasks.exe
2096	schtasks.exe
888	schtasks.exe
2772	schtasks.exe
1100	schtasks.exe
2008	schtasks.exe
1996	schtasks.exe
2676	schtasks.exe
2384	schtasks.exe
1956	schtasks.exe
2328	schtasks.exe
1936	schtasks.exe
2684	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2940	DllCommonsvc.exe
2940	DllCommonsvc.exe
2940	DllCommonsvc.exe
2940	DllCommonsvc.exe
2940	DllCommonsvc.exe
2940	DllCommonsvc.exe
2940	DllCommonsvc.exe
2940	DllCommonsvc.exe
2940	DllCommonsvc.exe
2940	DllCommonsvc.exe
2940	DllCommonsvc.exe
2724	powershell.exe
2584	powershell.exe
2592	powershell.exe
2832	powershell.exe
2824	powershell.exe
3032	powershell.exe
3028	powershell.exe
2524	powershell.exe
2668	powershell.exe
2736	powershell.exe
2808	powershell.exe
1240	powershell.exe
1572	powershell.exe
2872	powershell.exe
332	powershell.exe
2916	powershell.exe
3000	powershell.exe
1420	powershell.exe
2552	powershell.exe
2440	dllhost.exe
2948	dllhost.exe
2584	dllhost.exe
2312	dllhost.exe
2200	dllhost.exe
2736	dllhost.exe
2420	dllhost.exe
2864	dllhost.exe
1524	dllhost.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2940	DllCommonsvc.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	332	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2440	dllhost.exe
Token: SeDebugPrivilege	2948	dllhost.exe
Token: SeDebugPrivilege	2584	dllhost.exe
Token: SeDebugPrivilege	2312	dllhost.exe
Token: SeDebugPrivilege	2200	dllhost.exe
Token: SeDebugPrivilege	2736	dllhost.exe
Token: SeDebugPrivilege	2420	dllhost.exe
Token: SeDebugPrivilege	2864	dllhost.exe
Token: SeDebugPrivilege	1524	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2704	2748	9d85ec6569d7e52307193cf82295e793f7598bc21eb7e664bcbfd137feaefbf1.exe	31
PID 2748 wrote to memory of 2704	2748	9d85ec6569d7e52307193cf82295e793f7598bc21eb7e664bcbfd137feaefbf1.exe	31
PID 2748 wrote to memory of 2704	2748	9d85ec6569d7e52307193cf82295e793f7598bc21eb7e664bcbfd137feaefbf1.exe	31
PID 2748 wrote to memory of 2704	2748	9d85ec6569d7e52307193cf82295e793f7598bc21eb7e664bcbfd137feaefbf1.exe	31
PID 2704 wrote to memory of 2816	2704	WScript.exe	32
PID 2704 wrote to memory of 2816	2704	WScript.exe	32
PID 2704 wrote to memory of 2816	2704	WScript.exe	32
PID 2704 wrote to memory of 2816	2704	WScript.exe	32
PID 2816 wrote to memory of 2940	2816	cmd.exe	34
PID 2816 wrote to memory of 2940	2816	cmd.exe	34
PID 2816 wrote to memory of 2940	2816	cmd.exe	34
PID 2816 wrote to memory of 2940	2816	cmd.exe	34
PID 2940 wrote to memory of 2592	2940	DllCommonsvc.exe	90
PID 2940 wrote to memory of 2592	2940	DllCommonsvc.exe	90
PID 2940 wrote to memory of 2592	2940	DllCommonsvc.exe	90
PID 2940 wrote to memory of 2824	2940	DllCommonsvc.exe	91
PID 2940 wrote to memory of 2824	2940	DllCommonsvc.exe	91
PID 2940 wrote to memory of 2824	2940	DllCommonsvc.exe	91
PID 2940 wrote to memory of 2584	2940	DllCommonsvc.exe	92
PID 2940 wrote to memory of 2584	2940	DllCommonsvc.exe	92
PID 2940 wrote to memory of 2584	2940	DllCommonsvc.exe	92
PID 2940 wrote to memory of 2724	2940	DllCommonsvc.exe	93
PID 2940 wrote to memory of 2724	2940	DllCommonsvc.exe	93
PID 2940 wrote to memory of 2724	2940	DllCommonsvc.exe	93
PID 2940 wrote to memory of 2668	2940	DllCommonsvc.exe	94
PID 2940 wrote to memory of 2668	2940	DllCommonsvc.exe	94
PID 2940 wrote to memory of 2668	2940	DllCommonsvc.exe	94
PID 2940 wrote to memory of 2832	2940	DllCommonsvc.exe	95
PID 2940 wrote to memory of 2832	2940	DllCommonsvc.exe	95
PID 2940 wrote to memory of 2832	2940	DllCommonsvc.exe	95
PID 2940 wrote to memory of 2552	2940	DllCommonsvc.exe	96
PID 2940 wrote to memory of 2552	2940	DllCommonsvc.exe	96
PID 2940 wrote to memory of 2552	2940	DllCommonsvc.exe	96
PID 2940 wrote to memory of 3032	2940	DllCommonsvc.exe	97
PID 2940 wrote to memory of 3032	2940	DllCommonsvc.exe	97
PID 2940 wrote to memory of 3032	2940	DllCommonsvc.exe	97
PID 2940 wrote to memory of 3028	2940	DllCommonsvc.exe	98
PID 2940 wrote to memory of 3028	2940	DllCommonsvc.exe	98
PID 2940 wrote to memory of 3028	2940	DllCommonsvc.exe	98
PID 2940 wrote to memory of 1240	2940	DllCommonsvc.exe	99
PID 2940 wrote to memory of 1240	2940	DllCommonsvc.exe	99
PID 2940 wrote to memory of 1240	2940	DllCommonsvc.exe	99
PID 2940 wrote to memory of 1572	2940	DllCommonsvc.exe	100
PID 2940 wrote to memory of 1572	2940	DllCommonsvc.exe	100
PID 2940 wrote to memory of 1572	2940	DllCommonsvc.exe	100
PID 2940 wrote to memory of 2872	2940	DllCommonsvc.exe	101
PID 2940 wrote to memory of 2872	2940	DllCommonsvc.exe	101
PID 2940 wrote to memory of 2872	2940	DllCommonsvc.exe	101
PID 2940 wrote to memory of 2736	2940	DllCommonsvc.exe	102
PID 2940 wrote to memory of 2736	2940	DllCommonsvc.exe	102
PID 2940 wrote to memory of 2736	2940	DllCommonsvc.exe	102
PID 2940 wrote to memory of 2916	2940	DllCommonsvc.exe	103
PID 2940 wrote to memory of 2916	2940	DllCommonsvc.exe	103
PID 2940 wrote to memory of 2916	2940	DllCommonsvc.exe	103
PID 2940 wrote to memory of 3000	2940	DllCommonsvc.exe	104
PID 2940 wrote to memory of 3000	2940	DllCommonsvc.exe	104
PID 2940 wrote to memory of 3000	2940	DllCommonsvc.exe	104
PID 2940 wrote to memory of 2808	2940	DllCommonsvc.exe	105
PID 2940 wrote to memory of 2808	2940	DllCommonsvc.exe	105
PID 2940 wrote to memory of 2808	2940	DllCommonsvc.exe	105
PID 2940 wrote to memory of 2524	2940	DllCommonsvc.exe	106
PID 2940 wrote to memory of 2524	2940	DllCommonsvc.exe	106
PID 2940 wrote to memory of 2524	2940	DllCommonsvc.exe	106
PID 2940 wrote to memory of 332	2940	DllCommonsvc.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9d85ec6569d7e52307193cf82295e793f7598bc21eb7e664bcbfd137feaefbf1.exe
"C:\Users\Admin\AppData\Local\Temp\9d85ec6569d7e52307193cf82295e793f7598bc21eb7e664bcbfd137feaefbf1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\System\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\OEM\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q7RH5Uwztf.bat"
        5⤵
        
        PID:1856
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1772
      - C:\Users\Admin\Searches\dllhost.exe
        
        "C:\Users\Admin\Searches\dllhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat"
        7⤵
        
        PID:1844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2040
        
        C:\Users\Admin\Searches\dllhost.exe
        
        "C:\Users\Admin\Searches\dllhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat"
        9⤵
        
        PID:1288
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2532
        
        C:\Users\Admin\Searches\dllhost.exe
        
        "C:\Users\Admin\Searches\dllhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GW80Ek08hx.bat"
        11⤵
        
        PID:2616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1840
        
        C:\Users\Admin\Searches\dllhost.exe
        
        "C:\Users\Admin\Searches\dllhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat"
        13⤵
        
        PID:2172
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2140
        
        C:\Users\Admin\Searches\dllhost.exe
        
        "C:\Users\Admin\Searches\dllhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0x9T38u1li.bat"
        15⤵
        
        PID:1776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1872
        
        C:\Users\Admin\Searches\dllhost.exe
        
        "C:\Users\Admin\Searches\dllhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PeSwWR6joe.bat"
        17⤵
        
        PID:1444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2988
        
        C:\Users\Admin\Searches\dllhost.exe
        
        "C:\Users\Admin\Searches\dllhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5G5G1KH0qy.bat"
        19⤵
        
        PID:1536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2440
        
        C:\Users\Admin\Searches\dllhost.exe
        
        "C:\Users\Admin\Searches\dllhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat"
        21⤵
        
        PID:2524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2948
        
        C:\Users\Admin\Searches\dllhost.exe
        
        "C:\Users\Admin\Searches\dllhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\Sample Pictures\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\Sample Pictures\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Saved Games\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Saved Games\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Searches\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Searches\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Searches\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Writers\System\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Windows\Vss\Writers\System\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\OEM\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Help\OEM\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\OEM\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc9fe17a463297866c3c3057c5130dee

SHA1
3cf6d857594fb8c783a28d7c5979c5087f72e76b

SHA256
c58e9efd231320fdf2da8f51aed13c712f99bca2530747912be0173ba5aef6e6

SHA512
e81bc7dfa7c11e2eb06e4378bf432ef6a203a0525bc31dd7fbbff7721b4f0e26e6edeab856f193190035599c2c8831a8268c5e707c667ac76306d3b8cd35af7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd19806c929725ca309d369f01116db0

SHA1
29af1dd176dec6028922139a521fa7baf7842bfa

SHA256
332704d39e008a549cf481a6673f80b71712ca5561a2922a364ce4fdd430f7f0

SHA512
ef9ea1ab7552703151f1e376d275ddeb6a3e06df31bb6c9fdc028905c14a437d11c84a60fad1390b6f0504595b2fd7c7ae424a65865c14e133d91f1544b54fb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
105d6294be99731d4bbe3b97e598d97d

SHA1
14926bbd41d6c57f971f3c96739c59e59f1a4482

SHA256
522d08abaf0810a523f7b930892879f1977567ef281e2c26641232fbbd8f7477

SHA512
6bd260dbd627e41890a8fbc1a7401b90185c65f58ca0e63454811cfa43ce2841e1cb99e094469d253807796c4c5d8f5eaaa1d1d992a316e8aa8f934f79debd90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f4ea772c32f2989cf8c4d13edc7b1dc

SHA1
f9ea878ff94f2294ab7993e57d20e19e93589812

SHA256
215b5d401268212372178634a59f1c5cc51e54ae655586006ccf5683342d1868

SHA512
5d5139c5228520ef47c03d06af044b6e415b5bd4d720a95794b5925bbe9baa954785976cefade5e169a3128c7fa1c91711c6a662d9a30e37f3536f092ff29548

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de3c939d39f89751d44c865829a9d815

SHA1
5c70302e66858e67c910fd978af5b8a383888315

SHA256
049056957fa147261aaf109660e4a81ff9185fc2945cf99821ead6564e6fd5fd

SHA512
0776fe83c1778f43c5308fd89cad48c0168adef0e45abedd284d0bd2195c5eed385b636602e7dfd43ffbed323b9a0713452bf59a66aa7b8323b422757a9e18fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8814b7a97c2b6305ee9781625b550b7

SHA1
0c572d6a27418704e6e98c70f9079c22031ad912

SHA256
c32a25f9916840a1f9e577c416c7167c39a929b63e3002f02d94a5580d1eb0bb

SHA512
49b8517e21fca817ad1e30c7a343cfbf4e4cd3145d7fcb4ed329b2362482f6c93f741b37197ede6ef0cd5f1ad5875c86b9f63df2af4db421f9d61628ef59e58f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04095aaddd26c2c68321a0a40ce09843

SHA1
b832b6a81806d1b38e01c286219931d00e113937

SHA256
b070176802dc17dc20f83d9f05846bb8bf6f905461cf550b1e634cf8001755ac

SHA512
57e2ecbe391252cea8b88efdcab0eb22a9d3059e1d5a0fed0424a1cb52eca88d589095b6a26a93ce01d7157c797dc2003597a619767a7299dc5535962cd8ff1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0x9T38u1li.bat

Filesize
200B

MD5
ea71739aeb4bbd97a57bc9488e6ca339

SHA1
1e366ac79fe165339f13b5e091d4609ba53ff0b2

SHA256
5072875f2a0497ab35b960143b24deed5b3e8072b9ccb18183232ef6ed8d9860

SHA512
e8594822b2ffe2f11c37f91ab58335c76234fef4e839d51c11f8e880cc91bff65278a643a178c77909a3d782cbc48d4b5c1b55201b78fdd0a35156ae8fed1700

Download Submit
C:\Users\Admin\AppData\Local\Temp\5G5G1KH0qy.bat

Filesize
200B

MD5
9b10c5cc97f632afe0a7245908934ab2

SHA1
945c3f6f31bb1b42e9a6f4066408d046fafb99b1

SHA256
5109ddbe1a445147497839efce7b6ad5451fe1d73a8dfdbe8e457fc55e7f4548

SHA512
a774e3494a3b4c67073d4a3bb6cf4f1f1d1c00d6844febfc369041ad092435a1a136a91e0cc1f177124fe9079469801bdc6753c2c78107c2e298cecd3bb7e86c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab48E4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GW80Ek08hx.bat

Filesize
200B

MD5
e22da095b1363a972d8bafa3743e03c1

SHA1
c9680fbab178487d8367aa7e70ecda4be8500dd5

SHA256
69b51aeeb608201ae033c7b660b3172c8072e9df1ca08ee898707a0bf4423f32

SHA512
95a05b3e45f49c0b00b3f098ddc8ab37d7d97f64d801c07e218c8b0c4ca3977d91bc4db4675a7c5f9e210f1919a593bb2358caff123e1b221d31d790dc4d16d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat

Filesize
200B

MD5
9403731dba77f83f69f7762de1c36404

SHA1
9d0711572301012e5cf2bff91d4341991ff7d3d5

SHA256
2ce756aebfa47c3b9fed933caad2fcb97270b2ec2e999001b74329c4618c090f

SHA512
8f12d01eb277d54365618a39f8e228802c2e7b6a1e6c98fa12416aee87d4301cd16e6c9900ec622eea8b2f45b96b212c41e46ef30962528fef6906930b26c8a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\PeSwWR6joe.bat

Filesize
200B

MD5
84f65b38a216a936641c3b6e4438425c

SHA1
9cf6d029b4a31dd89c1d7452da7ac0c3e8e4a87e

SHA256
8cc6961232b52fbb2ba57ffb73d9ac6c405bc95c5fc83322e7c7f81f1c7f6d46

SHA512
e4a2087fc9cbe8ab153f43f78129c325b9abb90f33c5b8c9bd27db0a3800df54a28a2ceb929c9e07fbb0b7dabfab8e1b05a63033fd339046fa50b430d2158c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar48F7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat

Filesize
200B

MD5
af027a9beb73dd0dd952790ee563c400

SHA1
4c4412ff8ec5ddebcb51ea7fc34124a4154c95b1

SHA256
41c9658f7095d17cd291dfa88b88fb204765d506bd7c2b7c090bfa5d5c25438f

SHA512
57acb15eb73069cc49665fee7f700b6bbde6117d6f47251f05492572281595348066af429313f1931c8182809f6002399a65729d2719ae5355f7323226793691

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat

Filesize
200B

MD5
6e6d2be61f21f7b48b2e6b47b5c3c7c4

SHA1
2ef9a8da27a0f62dd5e21b3268ac707f4fb1d399

SHA256
bf9ff83eeb31c467a5894bfd9b9efc6308352bb733b15a6ed408eed74c198761

SHA512
0e54e684cdef26fb0a522d43ba86af49f94f66e01247fe3cfae81de2287fb94777e23cc8c6319e42854633ac1a831e35d4900dffc9eb97c36b86e9b85c6583f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\q7RH5Uwztf.bat

Filesize
200B

MD5
77371a8bd24e4c7359d6f23ebec1d6c8

SHA1
1ba55f7febb0107c87d6b23ef495fe7e6b57640b

SHA256
f58fd16dbecd21986dfe5d248951598439a642affddc6ac71869dcf6c3f388e9

SHA512
037eb673c9a58a3ea8781db44548af578926366557efeb4549324873121d033df3013a1ca4b348a8063aee4a28b70e06c8f116931a71a5fef1b1a60b206c2ac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat

Filesize
200B

MD5
dd567bbfb1a406df146831d5540b61cc

SHA1
ad4e36277fb3bdadef4804c613fe1df3f6af0532

SHA256
663ad8f50cdf50a6adcedb595f267b4481d2c900251f55c06a6eac8e30e38a73

SHA512
e58c2110fe98dafdda4ee2ea5223e0788c9d59aeb911444d8b3c4565da09349eef1a47b3bb5b8dd3834c038411e3bed2f340d160fb68a3792bda950cf0fe1fc5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZQB41TI5E8X09PFQ9HGQ.temp

Filesize
7KB

MD5
fb7ed3090adea65c17ba0019c2df683d

SHA1
74c7c30b2cdf831e38788b4ec4db1d1337aa804f

SHA256
9d2697f30109a14b9adcfa5a2a684cdfd38ab3ad1259279c4304620d65bd0ff1

SHA512
13628a0fd2537a72c594d9c580b1b53ccfbebdc2987ccc8eba03f9f601d99e4e7bda25740fcb6affffa52d1eb2189536787973c229ad38f7b8496c4a23979bb4

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/2420-515-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/2420-514-0x00000000011F0000-0x0000000001300000-memory.dmp

Filesize
1.1MB

Download
memory/2440-157-0x00000000003F0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download
memory/2584-276-0x00000000011E0000-0x00000000012F0000-memory.dmp

Filesize
1.1MB

Download
memory/2584-92-0x000000001B850000-0x000000001BB32000-memory.dmp

Filesize
2.9MB

Download
memory/2724-97-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2736-454-0x0000000000190000-0x00000000002A0000-memory.dmp

Filesize
1.1MB

Download
memory/2864-575-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2940-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2940-15-0x0000000000150000-0x000000000015C000-memory.dmp

Filesize
48KB

Download
memory/2940-16-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/2940-13-0x0000000001140000-0x0000000001250000-memory.dmp

Filesize
1.1MB

Download
memory/2940-17-0x0000000000180000-0x000000000018C000-memory.dmp

Filesize
48KB

Download
memory/2948-216-0x0000000000D20000-0x0000000000E30000-memory.dmp

Filesize
1.1MB

Download