dcrat | e2d03b6739a8de1b747e53f350420d32e8d3d930a988089e1b9edf6e598c4a6e

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2d03b6739a8de1b747e53f350420d32e8d3d930a988089e1b9edf6e598c4a6e.exe
Size

1.3MB
MD5

ff93deacee9f31af19efda4595731582
SHA1

ba6d683976b798f81282262ffec4246375938c22
SHA256

e2d03b6739a8de1b747e53f350420d32e8d3d930a988089e1b9edf6e598c4a6e
SHA512

0d4d8c937b432e8667a9d0e5c0f8f2dd6c2c273ae3b1100914cfeeb09034662f52200aeaa1c30d3f02c33b3ef55691d8c1f2ffbd1487a9f482f202d15d159e3c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2708	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2708	schtasks.exe	33

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000193b8-9.dat	dcrat
behavioral1/memory/2916-13-0x0000000000CC0000-0x0000000000DD0000-memory.dmp	dcrat
behavioral1/memory/1708-84-0x0000000000830000-0x0000000000940000-memory.dmp	dcrat
behavioral1/memory/1352-156-0x0000000000900000-0x0000000000A10000-memory.dmp	dcrat
behavioral1/memory/1968-216-0x0000000000F60000-0x0000000001070000-memory.dmp	dcrat
behavioral1/memory/1688-335-0x0000000000FC0000-0x00000000010D0000-memory.dmp	dcrat
behavioral1/memory/872-395-0x0000000001360000-0x0000000001470000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1628	powershell.exe
1500	powershell.exe
1624	powershell.exe
1880	powershell.exe
3012	powershell.exe
2608	powershell.exe
3004	powershell.exe
2340	powershell.exe
1648	powershell.exe
876	powershell.exe
1504	powershell.exe
1572	powershell.exe
2640	powershell.exe
1872	powershell.exe
2112	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2916	DllCommonsvc.exe
1708	Idle.exe
1352	Idle.exe
1968	Idle.exe
2912	Idle.exe
1688	Idle.exe
872	Idle.exe
1944	Idle.exe
2916	Idle.exe
2604	Idle.exe
3012	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2788	cmd.exe
2788	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
29	raw.githubusercontent.com
33	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\it-IT\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\it-IT\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\spoolsv.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\6ccacd8608530f	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2d03b6739a8de1b747e53f350420d32e8d3d930a988089e1b9edf6e598c4a6e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1228	schtasks.exe
2372	schtasks.exe
1712	schtasks.exe
2444	schtasks.exe
2976	schtasks.exe
1764	schtasks.exe
1612	schtasks.exe
1688	schtasks.exe
2120	schtasks.exe
2728	schtasks.exe
948	schtasks.exe
2472	schtasks.exe
2740	schtasks.exe
924	schtasks.exe
2004	schtasks.exe
2000	schtasks.exe
2536	schtasks.exe
2756	schtasks.exe
1652	schtasks.exe
1536	schtasks.exe
1596	schtasks.exe
1036	schtasks.exe
1948	schtasks.exe
1292	schtasks.exe
1576	schtasks.exe
2680	schtasks.exe
2132	schtasks.exe
672	schtasks.exe
840	schtasks.exe
2412	schtasks.exe
1236	schtasks.exe
2776	schtasks.exe
2928	schtasks.exe
3028	schtasks.exe
940	schtasks.exe
2176	schtasks.exe
1072	schtasks.exe
2408	schtasks.exe
2624	schtasks.exe
2700	schtasks.exe
2872	schtasks.exe
2432	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2916	DllCommonsvc.exe
1708	Idle.exe
1572	powershell.exe
2640	powershell.exe
2608	powershell.exe
1872	powershell.exe
3004	powershell.exe
1648	powershell.exe
1880	powershell.exe
1504	powershell.exe
2340	powershell.exe
1628	powershell.exe
1500	powershell.exe
1624	powershell.exe
3012	powershell.exe
876	powershell.exe
1352	Idle.exe
1968	Idle.exe
2912	Idle.exe
1688	Idle.exe
872	Idle.exe
1944	Idle.exe
2916	Idle.exe
2604	Idle.exe
3012	Idle.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	DllCommonsvc.exe
Token: SeDebugPrivilege	1708	Idle.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	1352	Idle.exe
Token: SeDebugPrivilege	1968	Idle.exe
Token: SeDebugPrivilege	2912	Idle.exe
Token: SeDebugPrivilege	1688	Idle.exe
Token: SeDebugPrivilege	872	Idle.exe
Token: SeDebugPrivilege	1944	Idle.exe
Token: SeDebugPrivilege	2916	Idle.exe
Token: SeDebugPrivilege	2604	Idle.exe
Token: SeDebugPrivilege	3012	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2056	2060	e2d03b6739a8de1b747e53f350420d32e8d3d930a988089e1b9edf6e598c4a6e.exe	29
PID 2060 wrote to memory of 2056	2060	e2d03b6739a8de1b747e53f350420d32e8d3d930a988089e1b9edf6e598c4a6e.exe	29
PID 2060 wrote to memory of 2056	2060	e2d03b6739a8de1b747e53f350420d32e8d3d930a988089e1b9edf6e598c4a6e.exe	29
PID 2060 wrote to memory of 2056	2060	e2d03b6739a8de1b747e53f350420d32e8d3d930a988089e1b9edf6e598c4a6e.exe	29
PID 2056 wrote to memory of 2788	2056	WScript.exe	30
PID 2056 wrote to memory of 2788	2056	WScript.exe	30
PID 2056 wrote to memory of 2788	2056	WScript.exe	30
PID 2056 wrote to memory of 2788	2056	WScript.exe	30
PID 2788 wrote to memory of 2916	2788	cmd.exe	32
PID 2788 wrote to memory of 2916	2788	cmd.exe	32
PID 2788 wrote to memory of 2916	2788	cmd.exe	32
PID 2788 wrote to memory of 2916	2788	cmd.exe	32
PID 2916 wrote to memory of 1624	2916	DllCommonsvc.exe	76
PID 2916 wrote to memory of 1624	2916	DllCommonsvc.exe	76
PID 2916 wrote to memory of 1624	2916	DllCommonsvc.exe	76
PID 2916 wrote to memory of 1572	2916	DllCommonsvc.exe	77
PID 2916 wrote to memory of 1572	2916	DllCommonsvc.exe	77
PID 2916 wrote to memory of 1572	2916	DllCommonsvc.exe	77
PID 2916 wrote to memory of 2640	2916	DllCommonsvc.exe	79
PID 2916 wrote to memory of 2640	2916	DllCommonsvc.exe	79
PID 2916 wrote to memory of 2640	2916	DllCommonsvc.exe	79
PID 2916 wrote to memory of 3004	2916	DllCommonsvc.exe	81
PID 2916 wrote to memory of 3004	2916	DllCommonsvc.exe	81
PID 2916 wrote to memory of 3004	2916	DllCommonsvc.exe	81
PID 2916 wrote to memory of 2340	2916	DllCommonsvc.exe	82
PID 2916 wrote to memory of 2340	2916	DllCommonsvc.exe	82
PID 2916 wrote to memory of 2340	2916	DllCommonsvc.exe	82
PID 2916 wrote to memory of 1880	2916	DllCommonsvc.exe	85
PID 2916 wrote to memory of 1880	2916	DllCommonsvc.exe	85
PID 2916 wrote to memory of 1880	2916	DllCommonsvc.exe	85
PID 2916 wrote to memory of 1628	2916	DllCommonsvc.exe	86
PID 2916 wrote to memory of 1628	2916	DllCommonsvc.exe	86
PID 2916 wrote to memory of 1628	2916	DllCommonsvc.exe	86
PID 2916 wrote to memory of 3012	2916	DllCommonsvc.exe	88
PID 2916 wrote to memory of 3012	2916	DllCommonsvc.exe	88
PID 2916 wrote to memory of 3012	2916	DllCommonsvc.exe	88
PID 2916 wrote to memory of 1648	2916	DllCommonsvc.exe	89
PID 2916 wrote to memory of 1648	2916	DllCommonsvc.exe	89
PID 2916 wrote to memory of 1648	2916	DllCommonsvc.exe	89
PID 2916 wrote to memory of 876	2916	DllCommonsvc.exe	90
PID 2916 wrote to memory of 876	2916	DllCommonsvc.exe	90
PID 2916 wrote to memory of 876	2916	DllCommonsvc.exe	90
PID 2916 wrote to memory of 1872	2916	DllCommonsvc.exe	91
PID 2916 wrote to memory of 1872	2916	DllCommonsvc.exe	91
PID 2916 wrote to memory of 1872	2916	DllCommonsvc.exe	91
PID 2916 wrote to memory of 2608	2916	DllCommonsvc.exe	93
PID 2916 wrote to memory of 2608	2916	DllCommonsvc.exe	93
PID 2916 wrote to memory of 2608	2916	DllCommonsvc.exe	93
PID 2916 wrote to memory of 2112	2916	DllCommonsvc.exe	94
PID 2916 wrote to memory of 2112	2916	DllCommonsvc.exe	94
PID 2916 wrote to memory of 2112	2916	DllCommonsvc.exe	94
PID 2916 wrote to memory of 1504	2916	DllCommonsvc.exe	96
PID 2916 wrote to memory of 1504	2916	DllCommonsvc.exe	96
PID 2916 wrote to memory of 1504	2916	DllCommonsvc.exe	96
PID 2916 wrote to memory of 1500	2916	DllCommonsvc.exe	98
PID 2916 wrote to memory of 1500	2916	DllCommonsvc.exe	98
PID 2916 wrote to memory of 1500	2916	DllCommonsvc.exe	98
PID 2916 wrote to memory of 1708	2916	DllCommonsvc.exe	106
PID 2916 wrote to memory of 1708	2916	DllCommonsvc.exe	106
PID 2916 wrote to memory of 1708	2916	DllCommonsvc.exe	106
PID 1708 wrote to memory of 2372	1708	Idle.exe	107
PID 1708 wrote to memory of 2372	1708	Idle.exe	107
PID 1708 wrote to memory of 2372	1708	Idle.exe	107
PID 2372 wrote to memory of 2416	2372	cmd.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e2d03b6739a8de1b747e53f350420d32e8d3d930a988089e1b9edf6e598c4a6e.exe
"C:\Users\Admin\AppData\Local\Temp\e2d03b6739a8de1b747e53f350420d32e8d3d930a988089e1b9edf6e598c4a6e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\en-US\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\it-IT\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
    - - C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Idle.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1708
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2416
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Idle.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nl6pt1R060.bat"
        8⤵
        
        PID:1448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2264
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Idle.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rBMLF9HJtT.bat"
        10⤵
        
        PID:2712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2192
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Idle.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat"
        12⤵
        
        PID:776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1116
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Idle.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZfR0hqQ1j6.bat"
        14⤵
        
        PID:2776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2308
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Idle.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i32OxRBhll.bat"
        16⤵
        
        PID:1444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2260
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Idle.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat"
        18⤵
        
        PID:868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2136
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Idle.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0MFyH7TMVd.bat"
        20⤵
        
        PID:2668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2536
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Idle.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o09MCfWrWU.bat"
        22⤵
        
        PID:2964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1692
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Idle.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\Pictures\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\it-IT\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c07affe5b6caa07cc86f565fc9bc781

SHA1
9849875a1932ee7fde4979a36d82aae160eb7809

SHA256
1fd8605bfb692a6c433748cac90fcf558dc957c126198a2b8d95d0da4b030dc5

SHA512
16766c5d8c597a7d9f9988103518a68cb072734b8b1a7e7d04ec009b62903798dc88a50cb367ca5eaa06a94f118c8a0b4fa58afbedf81b0288fad9765d629ecc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75c8e5baf068ac25dba19cbc4ae07139

SHA1
05a3629b8150f80c13df7186fe07ce1f954c197c

SHA256
10e96515eb28132135897fbe62a5f0e824ebc71bcf5f057e9fafdaa9e43d0da6

SHA512
7dab89886963eaaf5d54783fb18b2d6ddc1c647af34246f1c7c15326ac61c9bf54da7b223e2ccc30ac46e657c02aa380a1b4759158ed25de93d00793eb2a3e63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
605499019855852392fd6c5d5dccecce

SHA1
019fa33cf1be9b80907b838b771956382b2d0580

SHA256
32acfe93d725dd3dd0db92827daa513e5f85159ae082518bd1b5bec2c57cd76f

SHA512
717fb87087534afd34723d783f23f3e235d7510667bd3a9314dc6b17a63dfaf4b87775a17e41042098c95a23171ff0986b78ca5ec55a8cdc59c192b6cc673212

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4dc3163e1f786a33570f6efdf705bfc8

SHA1
4edad4bcb266f4519f8741ae3f63d9d5efdbb7f2

SHA256
2524d7c3494cbf9f418c9e1917e1ac206ee5da6b4ef83fe554b0b5c3e1eaf099

SHA512
0739ecf768f59c0e2cd61d143319c0c8d52f767b4990a4c4e0a07e10dc111bf6f9b4a2c7ea99b33b2e8e041f178c61d294de23fdf5e670976fc37f7a52d5a3b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0480a706c664e3f4886afad1633c0df5

SHA1
6597578f5af8943313fadccbe8afc07b1ee93ef8

SHA256
1fe80dae04f3ac0212972b22bfc8b137cf8232079fa69a07ccb254bf18cc5727

SHA512
f19bc80d69120c4715fca8a8d032b1e5214a041be33b67ed324b28b20cc979ed41d2d521f14e98bc8ba90e64aed25ad61aa5829d0c39758a1e387f39e8c54386

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8196af41c87a44cdab817a38ecc8e114

SHA1
f08ec1127914e2b99297deb71551e432c3a52d2e

SHA256
a0a7d643a58c2c09a4c4ffc8667847bd8e667dfef58c1fa6113497558fd7943a

SHA512
94fb7b7c28f02e6386bd6741815defde2a31e8a655e7870f6bb8a01cf23a59f13a9ed12873c3f2cb99668d3db330ecd922affda6a3d84c4070321e36806d24e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
421e35532f07564553c93dd5d7b54489

SHA1
c0a0502f54994da36dc3bf815d6d292e6b4208a2

SHA256
a51d1aa71f4486259653010650d9eefcda51d8bb82a202347bbb086fdd4d52e0

SHA512
b5f3dc435e97a00548aa832a8d7e2ec321b3a357efa9b40e5ec87ad36ba0e7b38ae782b681be163abbcd7e0eca107a8e1f401a5d6ebe699354914f568b5d8161

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b52312d63b8fc3ce423d1a0558c4f30a

SHA1
2fdd3015af7817d63b9cd39a4f5c54ef9605104e

SHA256
911b1d18326cda7d493c6013e49205c29e2ee7b558684cf55c17393de263a149

SHA512
c8f2806fff81526305838ed5f5e943ac1926da029b97b8653b251538dbf8ec476154434bfe858d85d5ecd6c7da9233677e0d45c5fb90dcbf7c90c74a96e0f3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\0MFyH7TMVd.bat

Filesize
245B

MD5
84e3499b902da3ec5e68515fd8515f59

SHA1
55c6ca95d03cca84d607f10c4d34132861240e71

SHA256
d666dbe48c6c7744cdb2e509e37dbdc58f6dcf77ffd2a6864ab27a50f18f2ea7

SHA512
a98c30ed2acfe8c47aa0943e05de2c9e9178fdc8579feccdb5fdc3e3f7601c5ecfbedb02a99595490381063e1ba59c462cac1e340f49d88e0a842ba258ebbdf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat

Filesize
245B

MD5
63cbd3776feaf8372589b5a940c91cb9

SHA1
6b4fcac82002333861cbc29638a638ca5c07293f

SHA256
a51da205b973cacfca63be3ebcd1fd7c33c599484c349887d510a1fcc56b613d

SHA512
fcbd26f0df84397848ad6687de8eb1d9db08097f4249f688312a2bf3482cea5b6800344af14c578b7047559862015f173fa357ac63983a870aa20d2e652a22c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBE81.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nl6pt1R060.bat

Filesize
245B

MD5
132e6d49e9a66bc91977ef98446ae189

SHA1
58f4ada6f3100c0707bedd755156a3bff6e844fb

SHA256
da2595e2815203d88dbd9730ad733ea40bf246c5147ca66fb23a1f3913b9feab

SHA512
3e3624584a7c0b2b16b8b815d52a5a6267c535c1e2f05b47a87435e908148109fefff18c79a1490e80015e2d0a40b6b9aad2263f773f718472f0bdff8e0d9a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat

Filesize
245B

MD5
4d248b075362a0e219c03acfb00917e6

SHA1
aeafeb957530da8155ca1fed3df8dde0ba97d26b

SHA256
13cecfefcaa2694bf9fb95e4a3c6e4ce6120292d9ecc2715e9611c226b37b942

SHA512
15e92fc8b6c1510e6dee90e8be9da737b7c06ad62d734b82f8097e9565149accc28010cae909091257c6b0aafe858ac46bfa2bae60416a41fdf14de17882ecf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBEC2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZfR0hqQ1j6.bat

Filesize
245B

MD5
35d4a9ecb172b9483a71f15808b87d99

SHA1
dd708517be6be56b62f6a928e7f3be2e45ec8075

SHA256
2b186a4786dc2f5721875693766d2537dbd8d63cf8047ccfca19853e5a9cf932

SHA512
e2ad146a42734e02f02aeabf9d1bcd563769bcc00963f80812511d8f9d03b829553a1f5e7b8da60584f0d092784f12243483bbe65b39d1d05b066df7bc36f0d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat

Filesize
245B

MD5
c33fc028f87f60e59783b3a1ae807c31

SHA1
db9f4da74a76fdfd4970e7bc9c8bd8648c60ce20

SHA256
dbbaec4e70285d3b8ca2babf0286bb5699b67b95bb9569e065c26020bcb51bde

SHA512
f06d536ff91aa31640df1a97e9ba664241b18bd7630a14223e0997bd3ed53a1c78932bca440ba5f659e25b407927446e56ed3e4212eeceefaf445d15da632b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\i32OxRBhll.bat

Filesize
245B

MD5
7aba2dc4891a47e26adc75321d9e6e57

SHA1
c079a47e2300ba6c490c482df02c485b33794e3d

SHA256
56b905a6024cf171fd9973cb36b0fa6c159ac1d78e4294648c8c742c11680797

SHA512
4ab0ceca5a8f36b67d09fa707de4c32c21f29b788894699560bde5a59f206f4043cd291bda31be7b3fc49cdfe9fb5e1b5af54f847852e7344ed413162ab66861

Download Submit
C:\Users\Admin\AppData\Local\Temp\o09MCfWrWU.bat

Filesize
245B

MD5
4b6feee15d6248b1387183f4724b4af2

SHA1
2c1668b1ea474f301cb14eff34b3aa9358c5a4f0

SHA256
7cf0d880fb055cbb35b4afe0f0685d7a8282b7c0779229ea5ffc251697a98fec

SHA512
73cd3c661449fbcfe434c3d0d2ac12048f9116dbf74792698f6961f7456ce9dfc1b4d726e34bbf448db7dff159ecb7895bf5c9c8846bfc8048fe4fd5734252b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\rBMLF9HJtT.bat

Filesize
245B

MD5
18a2df6b64e6f60286ec5362d522927c

SHA1
8716e09aa6e28cbf0c1a3039f1d02ad3cd71f86f

SHA256
7b534f5053cfcf806b09ef597206105b60b59a2e1d52744ce52c6b93741bf78e

SHA512
f88bd35946752921fe5e3b4f6539c1b25d6a844fe7b505fb385d512f6ab952c604e0b0939d9069e954276f92499a75991b83dd52004684ecc8eef11e08aa1bec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L8JN8AK858K2MB1URUAN.temp

Filesize
7KB

MD5
d0a85446c121bc10d04a0154472e63e3

SHA1
2329c8ff34d194e093b52f235bfb160dace6bafa

SHA256
9e1a533b214b8798a4035e63e0f8381c29432147fd647717dbac95f3d79f4052

SHA512
5e5a5e446311f1afac5e3f842a844addf31b87c0902055695d63017c27f1731fc1d350c348168006685376239a4406c0adbb081af166bf8ddfe321048eca5b9a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/872-395-0x0000000001360000-0x0000000001470000-memory.dmp

Filesize
1.1MB

Download
memory/872-396-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/1352-156-0x0000000000900000-0x0000000000A10000-memory.dmp

Filesize
1.1MB

Download
memory/1572-96-0x000000001B360000-0x000000001B642000-memory.dmp

Filesize
2.9MB

Download
memory/1688-335-0x0000000000FC0000-0x00000000010D0000-memory.dmp

Filesize
1.1MB

Download
memory/1708-95-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1708-84-0x0000000000830000-0x0000000000940000-memory.dmp

Filesize
1.1MB

Download
memory/1880-97-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/1968-216-0x0000000000F60000-0x0000000001070000-memory.dmp

Filesize
1.1MB

Download
memory/2916-17-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/2916-16-0x0000000000650000-0x000000000065C000-memory.dmp

Filesize
48KB

Download
memory/2916-15-0x0000000000640000-0x000000000064C000-memory.dmp

Filesize
48KB

Download
memory/2916-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2916-13-0x0000000000CC0000-0x0000000000DD0000-memory.dmp

Filesize
1.1MB

Download