dcrat | 6b360d4fb5a97b7378996743825018da9ec84f1b7f5617b92f30f328cf5e7e7b

Analysis

max time kernel
145s
max time network
148s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b360d4fb5a97b7378996743825018da9ec84f1b7f5617b92f30f328cf5e7e7b.exe
Size

1.3MB
MD5

2d43b7285ad34590d90a7b7f88a364ab
SHA1

123f2f9b8856744a72568161a013e470a24cbcf6
SHA256

6b360d4fb5a97b7378996743825018da9ec84f1b7f5617b92f30f328cf5e7e7b
SHA512

6ee2f8b95e05d12747f0fd096ad0789beab06052b32a743b92509811f3f7f9a4b9a4621de0ff22e9b134697b7537ea0c99ad77639aae0e2dd0765d29ba23ceed
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2404	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000019570-9.dat	dcrat
behavioral1/memory/2812-13-0x0000000000370000-0x0000000000480000-memory.dmp	dcrat
behavioral1/memory/2676-100-0x00000000012D0000-0x00000000013E0000-memory.dmp	dcrat
behavioral1/memory/1912-137-0x0000000000260000-0x0000000000370000-memory.dmp	dcrat
behavioral1/memory/2344-197-0x0000000000990000-0x0000000000AA0000-memory.dmp	dcrat
behavioral1/memory/2840-316-0x00000000010D0000-0x00000000011E0000-memory.dmp	dcrat
behavioral1/memory/2488-376-0x0000000001140000-0x0000000001250000-memory.dmp	dcrat
behavioral1/memory/1144-495-0x0000000001200000-0x0000000001310000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1808	powershell.exe
2056	powershell.exe
1720	powershell.exe
296	powershell.exe
1744	powershell.exe
1988	powershell.exe
2412	powershell.exe
304	powershell.exe
1960	powershell.exe
1616	powershell.exe
1740	powershell.exe
652	powershell.exe
1012	powershell.exe
1176	powershell.exe
1812	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2812	DllCommonsvc.exe
2676	DllCommonsvc.exe
1912	DllCommonsvc.exe
2344	DllCommonsvc.exe
2824	DllCommonsvc.exe
2840	DllCommonsvc.exe
2488	DllCommonsvc.exe
1724	DllCommonsvc.exe
1144	DllCommonsvc.exe
296	DllCommonsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2360	cmd.exe
2360	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
13	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
4	raw.githubusercontent.com
16	raw.githubusercontent.com
30	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\winlogon.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\0a1fd5f707cd16	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ja-JP\cmd.exe	DllCommonsvc.exe
File created	C:\Windows\ja-JP\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Windows\Resources\Themes\Aero\it-IT\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\Resources\Themes\Aero\it-IT\f3b6ecef712a24	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6b360d4fb5a97b7378996743825018da9ec84f1b7f5617b92f30f328cf5e7e7b.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2060	schtasks.exe
2064	schtasks.exe
2380	schtasks.exe
1884	schtasks.exe
2064	schtasks.exe
1996	schtasks.exe
2364	schtasks.exe
1876	schtasks.exe
1928	schtasks.exe
2864	schtasks.exe
1724	schtasks.exe
1288	schtasks.exe
1580	schtasks.exe
2032	schtasks.exe
2460	schtasks.exe
2036	schtasks.exe
812	schtasks.exe
980	schtasks.exe
2352	schtasks.exe
1340	schtasks.exe
1756	schtasks.exe
2380	schtasks.exe
1916	schtasks.exe
2268	schtasks.exe
2188	schtasks.exe
2292	schtasks.exe
1856	schtasks.exe
2004	schtasks.exe
2192	schtasks.exe
592	schtasks.exe
2480	schtasks.exe
2636	schtasks.exe
2096	schtasks.exe
2212	schtasks.exe
2088	schtasks.exe
1144	schtasks.exe
2952	schtasks.exe
2676	schtasks.exe
1572	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2812	DllCommonsvc.exe
2812	DllCommonsvc.exe
2812	DllCommonsvc.exe
2812	DllCommonsvc.exe
2812	DllCommonsvc.exe
2056	powershell.exe
296	powershell.exe
1808	powershell.exe
652	powershell.exe
1720	powershell.exe
1176	powershell.exe
304	powershell.exe
1960	powershell.exe
1012	powershell.exe
1988	powershell.exe
1744	powershell.exe
2676	DllCommonsvc.exe
1740	powershell.exe
2412	powershell.exe
1616	powershell.exe
1812	powershell.exe
1912	DllCommonsvc.exe
2344	DllCommonsvc.exe
2824	DllCommonsvc.exe
2840	DllCommonsvc.exe
2488	DllCommonsvc.exe
1724	DllCommonsvc.exe
1144	DllCommonsvc.exe
296	DllCommonsvc.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	DllCommonsvc.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	296	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	652	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	304	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	2676	DllCommonsvc.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	1912	DllCommonsvc.exe
Token: SeDebugPrivilege	2344	DllCommonsvc.exe
Token: SeDebugPrivilege	2824	DllCommonsvc.exe
Token: SeDebugPrivilege	2840	DllCommonsvc.exe
Token: SeDebugPrivilege	2488	DllCommonsvc.exe
Token: SeDebugPrivilege	1724	DllCommonsvc.exe
Token: SeDebugPrivilege	1144	DllCommonsvc.exe
Token: SeDebugPrivilege	296	DllCommonsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2944	2184	6b360d4fb5a97b7378996743825018da9ec84f1b7f5617b92f30f328cf5e7e7b.exe	30
PID 2184 wrote to memory of 2944	2184	6b360d4fb5a97b7378996743825018da9ec84f1b7f5617b92f30f328cf5e7e7b.exe	30
PID 2184 wrote to memory of 2944	2184	6b360d4fb5a97b7378996743825018da9ec84f1b7f5617b92f30f328cf5e7e7b.exe	30
PID 2184 wrote to memory of 2944	2184	6b360d4fb5a97b7378996743825018da9ec84f1b7f5617b92f30f328cf5e7e7b.exe	30
PID 2944 wrote to memory of 2360	2944	WScript.exe	31
PID 2944 wrote to memory of 2360	2944	WScript.exe	31
PID 2944 wrote to memory of 2360	2944	WScript.exe	31
PID 2944 wrote to memory of 2360	2944	WScript.exe	31
PID 2360 wrote to memory of 2812	2360	cmd.exe	33
PID 2360 wrote to memory of 2812	2360	cmd.exe	33
PID 2360 wrote to memory of 2812	2360	cmd.exe	33
PID 2360 wrote to memory of 2812	2360	cmd.exe	33
PID 2812 wrote to memory of 1808	2812	DllCommonsvc.exe	65
PID 2812 wrote to memory of 1808	2812	DllCommonsvc.exe	65
PID 2812 wrote to memory of 1808	2812	DllCommonsvc.exe	65
PID 2812 wrote to memory of 2056	2812	DllCommonsvc.exe	66
PID 2812 wrote to memory of 2056	2812	DllCommonsvc.exe	66
PID 2812 wrote to memory of 2056	2812	DllCommonsvc.exe	66
PID 2812 wrote to memory of 1720	2812	DllCommonsvc.exe	67
PID 2812 wrote to memory of 1720	2812	DllCommonsvc.exe	67
PID 2812 wrote to memory of 1720	2812	DllCommonsvc.exe	67
PID 2812 wrote to memory of 296	2812	DllCommonsvc.exe	68
PID 2812 wrote to memory of 296	2812	DllCommonsvc.exe	68
PID 2812 wrote to memory of 296	2812	DllCommonsvc.exe	68
PID 2812 wrote to memory of 652	2812	DllCommonsvc.exe	69
PID 2812 wrote to memory of 652	2812	DllCommonsvc.exe	69
PID 2812 wrote to memory of 652	2812	DllCommonsvc.exe	69
PID 2812 wrote to memory of 1012	2812	DllCommonsvc.exe	71
PID 2812 wrote to memory of 1012	2812	DllCommonsvc.exe	71
PID 2812 wrote to memory of 1012	2812	DllCommonsvc.exe	71
PID 2812 wrote to memory of 1176	2812	DllCommonsvc.exe	73
PID 2812 wrote to memory of 1176	2812	DllCommonsvc.exe	73
PID 2812 wrote to memory of 1176	2812	DllCommonsvc.exe	73
PID 2812 wrote to memory of 1960	2812	DllCommonsvc.exe	76
PID 2812 wrote to memory of 1960	2812	DllCommonsvc.exe	76
PID 2812 wrote to memory of 1960	2812	DllCommonsvc.exe	76
PID 2812 wrote to memory of 304	2812	DllCommonsvc.exe	78
PID 2812 wrote to memory of 304	2812	DllCommonsvc.exe	78
PID 2812 wrote to memory of 304	2812	DllCommonsvc.exe	78
PID 2812 wrote to memory of 1988	2812	DllCommonsvc.exe	79
PID 2812 wrote to memory of 1988	2812	DllCommonsvc.exe	79
PID 2812 wrote to memory of 1988	2812	DllCommonsvc.exe	79
PID 2812 wrote to memory of 1744	2812	DllCommonsvc.exe	81
PID 2812 wrote to memory of 1744	2812	DllCommonsvc.exe	81
PID 2812 wrote to memory of 1744	2812	DllCommonsvc.exe	81
PID 2812 wrote to memory of 1008	2812	DllCommonsvc.exe	86
PID 2812 wrote to memory of 1008	2812	DllCommonsvc.exe	86
PID 2812 wrote to memory of 1008	2812	DllCommonsvc.exe	86
PID 1008 wrote to memory of 2644	1008	cmd.exe	89
PID 1008 wrote to memory of 2644	1008	cmd.exe	89
PID 1008 wrote to memory of 2644	1008	cmd.exe	89
PID 1008 wrote to memory of 2676	1008	cmd.exe	90
PID 1008 wrote to memory of 2676	1008	cmd.exe	90
PID 1008 wrote to memory of 2676	1008	cmd.exe	90
PID 2676 wrote to memory of 1616	2676	DllCommonsvc.exe	100
PID 2676 wrote to memory of 1616	2676	DllCommonsvc.exe	100
PID 2676 wrote to memory of 1616	2676	DllCommonsvc.exe	100
PID 2676 wrote to memory of 2412	2676	DllCommonsvc.exe	101
PID 2676 wrote to memory of 2412	2676	DllCommonsvc.exe	101
PID 2676 wrote to memory of 2412	2676	DllCommonsvc.exe	101
PID 2676 wrote to memory of 1740	2676	DllCommonsvc.exe	102
PID 2676 wrote to memory of 1740	2676	DllCommonsvc.exe	102
PID 2676 wrote to memory of 1740	2676	DllCommonsvc.exe	102
PID 2676 wrote to memory of 1812	2676	DllCommonsvc.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6b360d4fb5a97b7378996743825018da9ec84f1b7f5617b92f30f328cf5e7e7b.exe
"C:\Users\Admin\AppData\Local\Temp\6b360d4fb5a97b7378996743825018da9ec84f1b7f5617b92f30f328cf5e7e7b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\Aero\it-IT\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1176
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z0xNA6KN95.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1008
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2644
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\amHMU2DnZz.bat"
        7⤵
        
        PID:808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2596
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTz6y56Ktd.bat"
        9⤵
        
        PID:2984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2572
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\unLkZH0FaU.bat"
        11⤵
        
        PID:1696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2452
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat"
        13⤵
        
        PID:2552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1904
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFXOGCU6Cq.bat"
        15⤵
        
        PID:2572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1808
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SRNviAgREO.bat"
        17⤵
        
        PID:2344
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1696
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat"
        19⤵
        
        PID:2152
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2900
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zi4n06VBpB.bat"
        21⤵
        
        PID:2932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1744
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat"
        23⤵
        
        PID:1876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Windows\ja-JP\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\ja-JP\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Windows\ja-JP\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\Themes\Aero\it-IT\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\Themes\Aero\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\1033\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77f9c31ab4d09057e8fa78b5db0b4556

SHA1
6d7be62bbccd0c137c25f53df5d8e496339bfc0b

SHA256
ad2039f67ec63065ff6e612c35e34f93fc7354b92bbf26ed32ed27e738dc553f

SHA512
58942da5a2c16f61589ae6f943ad4d135d864714f60a5a8a62ad3a188e7802c876e3a1f466271398d6b12bca4ba115273a5b847041812e1ca62629e01bed1c0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99e6852b4d06507f9454d1621deb5479

SHA1
fccb4fd56d5bab36383742841a28a8c7f2d3f642

SHA256
846b035c6ffa4f583567017fa3a388ca0e124919cc17762debde64805d871625

SHA512
8678111c8017b89104d70b61aeb6bfb9540b3645e76ab5d80b05d2cf373c7a1a78ed3d5441f91d3dfbe68998afe4a7a7146521fd12089048a0e3ca86a1d1fe6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84155fd7f97b7bfb1803906f044cfdf5

SHA1
991510f4c457d88c616ab1e65e2a44a664e99fe0

SHA256
311167bb57542b9cefd15f9d697909f0f475f1086aae26e8418015416baf6395

SHA512
10ea82855efb4973982db441f1353ed4165f6f8bcaf63dad47a023181f0ffbd19d8554dc52fb7a44fb886a7e7d666000fdb774d2c30c938e26238f1a2d14dc66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9d051c63254262319a7b12aa29f2a27

SHA1
9b3d76625b102ab665f106297c2bb77fa83bd5e0

SHA256
eefaecd918913a7e17e2291c16a7776311c420aa4e8ccaf97be665ed8bc325cc

SHA512
f3fbfeb0f19ab4c4c9469b3d7f4c008d94eb5e9ac66236235bdcd6cdc4bb5bfa181844b60fd48a6f5462e44c5940a0d8829ef6531e9e82c7b80787f9861a281c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c2323c871dd7876cd2cc217cf794a49

SHA1
15adb23987768645e84072c8b4b4447ed0df0b1a

SHA256
107d742c862eb4dbee6cb79681d65ae47b444f5f01fed837104c512661d3004f

SHA512
a2814f9f0948f1414349e2a7504b2d91948b615f2329f702e1c1d4152a7ca67e0bea15b5eb1f8ab1c3ae596586e64e39ecc3933981451cb5837c5e311bc4a3bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ce4eb556808c43d9a219cf95ffe1fba

SHA1
eeea16d9c9405ac70ac62c0bd1dd251e156317ef

SHA256
e9699c631dad242da6a916dbc4f7d837a4d740cd1ff1368a1c5f61714fe489ca

SHA512
8f42159ce521f297ea769ef2cdac4e596da5a0db23cbfaeae124e871a12c924a67e166b0ec2b32eb877782d04eec3f17f0976950d7e337d8c0c5f1eef79b6d61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
253a44b9964c79b8a5c6bcbab420655d

SHA1
026e80b68a01924fad876525ca5b24e44afabecf

SHA256
421a19f8bddfde0789fb31e0dc55fc06c95d33b69b471a7b6b6c43466c788a3e

SHA512
2e451bacf503648a5e064a69e2c2a070b89a5b57a84223939261d1f84782e71c03373bba841b9769452add3817f3a0b7418eaa18faf85a7c93de045d2911b3d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat

Filesize
244B

MD5
ee195dc479c0f87d09348ac2144646f6

SHA1
35330f8a54004751faf2a47d296647278bffa2cf

SHA256
6e23aaef13dd94528fbde9efc41e0757730eae878cf541b1a1e08ac7aed21a9a

SHA512
79e73f7588a427223147e618d0eed23f1bdb8d1627a6c15f6a1892034498dfdc8085a4c41641e4f1d2288fdf90412c112a7ac2cd9df78611052cb86f3e804c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat

Filesize
244B

MD5
40a9215d3fba5293fbb6a82d2388ca13

SHA1
1e87ef4f76fe31131ed86e21daff92223e5b5709

SHA256
41d1cbaf1a25236335f8a1045fbac81ba9d632ad5518448b286d94601398581c

SHA512
b0cd08ed3f7a2d627d0ecd68aeddf999c6b366ce27663f705c4d931cc3510310940800167dab02df90bdff25cffb876bf36dbfc50920081fb50a9a971ce9b8aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAE2C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat

Filesize
244B

MD5
568b16cb9141ef786cada1336db8cba0

SHA1
88d6242b1f3a412050cbd900a6d1413fd5dca7e1

SHA256
034672f92e705d744de48e8bb4ceefec36e021388d2dedc9d12df85821e9ff4e

SHA512
139680cf3fbb74e887a2cd0808f09bc2d92c73aa928ca6ca292564239fb8b511a7edde8b9649c6b73e5045f35ff6e164a29dd579c79c7fbf514bed8b161a4575

Download Submit
C:\Users\Admin\AppData\Local\Temp\SRNviAgREO.bat

Filesize
244B

MD5
14ecdacfbed32072137330baefe5bb09

SHA1
15d101ac348f44af865c3247418a3d0ccb12c031

SHA256
314906575f32054890a63182670168e0ae9a93afafd47e5a8017927f77109e3b

SHA512
99eb09ddb429b3bae0e083beca0e5b86683b5a0b1c1c79003257e985b44df4ba70554c42ac716b4592bc97ee5842aa521b2d54c0584a1e54b2f51e3bd7e06100

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAE3E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\amHMU2DnZz.bat

Filesize
244B

MD5
fea08fb5d4a4f8dbee1dacfa9fe3470e

SHA1
4d1bb43ada3e9f8dbc1267128c23b3c1412812ee

SHA256
b1f28979c16304fe4b0aaddcade79157f2e00cc45d09e78498ada7082b7d1da2

SHA512
3f26924fe19752a7ad802f85d22d37cbeb676104dabe676d5101874d1f3702d8ce69f3f6491630a0a539ae929b0c813577f0c09e0c4a2104fcd0a3e545a5e325

Download Submit
C:\Users\Admin\AppData\Local\Temp\jFXOGCU6Cq.bat

Filesize
244B

MD5
519879ffb2da78d7cfabca9e714968e8

SHA1
3040ec785e2100ebca90c74fdbfb8b494e84681c

SHA256
740f01d3d51050f44ffcde7d7016b01de0bfe586ae39da73a8173ff50d9b7531

SHA512
95342d9e6aef779e76e521c0ffe0b8a23f0501e4a84f810ee0fa8c1a9f2061453c57b7a6205a7abc8b8481f477cb227fc95a12dbb9ee4b15181faf6c1563625d

Download Submit
C:\Users\Admin\AppData\Local\Temp\unLkZH0FaU.bat

Filesize
244B

MD5
c2f4f1d14da1a4491ad644806e94ea7f

SHA1
f2ab5dff7574823e5d02189c1a77d8419e0004fc

SHA256
f0006b5fdd9f6b01c1e2c1c753d88aad7786980608cd31011d397681b334e85e

SHA512
d357b8a1b961de0a0101e648b21a2ad9405a65f17126ce03d0feb4404f66f68cd7d72466f04dedf4ec335afe4e33d96d999d71717c0344c3047c44c5a629a0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\yTz6y56Ktd.bat

Filesize
244B

MD5
e1126a9e2cea4df25c7163c191dd9133

SHA1
af7fb1eb60076da1abcb4628495aa1072aca6f77

SHA256
cb379eec30d41be520c3853ff2602befaae5870feff6710cda644103a4e05c1f

SHA512
b4c70fae591debef4ad5a256eaaeeca8233c10893e44cc2ca68e3d16010374d7228f23846f20c5ef7c552465fc42db285a7cb4be9e32bd18b149d355f5f57e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\z0xNA6KN95.bat

Filesize
199B

MD5
415b21c9041bbee8dfb980e9626ae82d

SHA1
f0ab575d4652107553d0e1f49df9de49c2c1f33f

SHA256
dd3ea07a2610be25851c94012bade066449fb8b7d27c6a6253bc347235b3c770

SHA512
c66b40c201af3e0678081045ab4def2b9255afeb274cadcf40c001ca30bc2074a808cde49341eeebb8bc40e7b80c725cbf98bf92881d8e411e18bbb9447b609e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zi4n06VBpB.bat

Filesize
244B

MD5
cb7d13b744f99b50acabefb7451a2d68

SHA1
c90ca105aec70285420aee86912c03d46814d826

SHA256
b00e87f8739cc673edb88957e3cead56daf12f4faffcf40e4320b273f7a37868

SHA512
b1a3040fa1efb08e07a36f849e05856ec65c21c12e1fe16a221139cd40cb8e9aa1c8b2e188e0d0ea079fd506fbbca14627f7b6a4aa2a5d8e430c9b4c2b3e54ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0dbe8e5c36878138a02a56f0224d75c4

SHA1
d6574e7250cdf5c7b2ca7a3be00bd64b0ad0e853

SHA256
6fcbbdbf49860fac322c62ebea78ddba3ade3a0cad9355a857126b1f5dd382dc

SHA512
8ab23e69dc2582c82b2cb4e93e2ce8ca6eb2866f42f21422375fcd519245d58c266d6443e341e3eefc303eb757085bcae567ea80d505544818976825204ff67f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/296-62-0x0000000002800000-0x0000000002808000-memory.dmp

Filesize
32KB

Download
memory/1144-496-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/1144-495-0x0000000001200000-0x0000000001310000-memory.dmp

Filesize
1.1MB

Download
memory/1740-122-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/1740-124-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/1912-138-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1912-137-0x0000000000260000-0x0000000000370000-memory.dmp

Filesize
1.1MB

Download
memory/2056-56-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2344-197-0x0000000000990000-0x0000000000AA0000-memory.dmp

Filesize
1.1MB

Download
memory/2488-376-0x0000000001140000-0x0000000001250000-memory.dmp

Filesize
1.1MB

Download
memory/2676-100-0x00000000012D0000-0x00000000013E0000-memory.dmp

Filesize
1.1MB

Download
memory/2812-17-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/2812-16-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/2812-15-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2812-14-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2812-13-0x0000000000370000-0x0000000000480000-memory.dmp

Filesize
1.1MB

Download
memory/2840-316-0x00000000010D0000-0x00000000011E0000-memory.dmp

Filesize
1.1MB

Download