dcrat | 8bb0f4612e828cee83427abbbb03d6a09485aa2884b4fae85467a3cd20941e81

Analysis

max time kernel
147s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8bb0f4612e828cee83427abbbb03d6a09485aa2884b4fae85467a3cd20941e81.exe
Size

1.3MB
MD5

b4c07c57a4987e5b7f5c20298ad19c70
SHA1

77fce885753a3ee980cec219e3a468f84209b9b9
SHA256

8bb0f4612e828cee83427abbbb03d6a09485aa2884b4fae85467a3cd20941e81
SHA512

91b0c6dffbfca3551cc32894f77cba5e2702768f005b8681899bc1333a0ac6b0bd241455367d3a01e7162652de6cb2e7ff56beb16cc1773b699cebc08474e59f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2916	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000192f0-9.dat	dcrat
behavioral1/memory/2884-13-0x0000000000FC0000-0x00000000010D0000-memory.dmp	dcrat
behavioral1/memory/2912-129-0x00000000001C0000-0x00000000002D0000-memory.dmp	dcrat
behavioral1/memory/264-189-0x00000000001E0000-0x00000000002F0000-memory.dmp	dcrat
behavioral1/memory/2076-249-0x0000000000380000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/3036-309-0x0000000000F30000-0x0000000001040000-memory.dmp	dcrat
behavioral1/memory/536-428-0x0000000001180000-0x0000000001290000-memory.dmp	dcrat
behavioral1/memory/2024-489-0x00000000013D0000-0x00000000014E0000-memory.dmp	dcrat
behavioral1/memory/2344-550-0x0000000000110000-0x0000000000220000-memory.dmp	dcrat
behavioral1/memory/1936-611-0x0000000001130000-0x0000000001240000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2496	powershell.exe
1760	powershell.exe
2184	powershell.exe
2076	powershell.exe
2696	powershell.exe
2552	powershell.exe
3052	powershell.exe
608	powershell.exe
1044	powershell.exe
2396	powershell.exe
1704	powershell.exe
348	powershell.exe
2544	powershell.exe
1824	powershell.exe
2320	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2884	DllCommonsvc.exe
2912	System.exe
264	System.exe
2076	System.exe
3036	System.exe
2052	System.exe
536	System.exe
2024	System.exe
2344	System.exe
1936	System.exe
1340	System.exe

Loads dropped DLL 2 IoCs

pid	Process
2772	cmd.exe
2772	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
28	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
25	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\it-IT\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\it-IT\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\27d1bcfc3c54e0	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\msil_system.core.resources_b77a5c561934e089_6.1.7600.16385_fr-fr_35f33be2a14c173b\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\Fonts\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\Fonts\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Windows\Setup\State\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Setup\State\0a1fd5f707cd16	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8bb0f4612e828cee83427abbbb03d6a09485aa2884b4fae85467a3cd20941e81.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2112	schtasks.exe
1508	schtasks.exe
1496	schtasks.exe
2932	schtasks.exe
2148	schtasks.exe
2220	schtasks.exe
1220	schtasks.exe
2352	schtasks.exe
1840	schtasks.exe
2540	schtasks.exe
1320	schtasks.exe
2660	schtasks.exe
1984	schtasks.exe
1536	schtasks.exe
2436	schtasks.exe
2292	schtasks.exe
2248	schtasks.exe
1556	schtasks.exe
2956	schtasks.exe
1568	schtasks.exe
2416	schtasks.exe
2040	schtasks.exe
1632	schtasks.exe
1032	schtasks.exe
1924	schtasks.exe
2692	schtasks.exe
1996	schtasks.exe
2716	schtasks.exe
980	schtasks.exe
2620	schtasks.exe
2228	schtasks.exe
1036	schtasks.exe
1048	schtasks.exe
280	schtasks.exe
2196	schtasks.exe
1876	schtasks.exe
1720	schtasks.exe
2848	schtasks.exe
2964	schtasks.exe
1940	schtasks.exe
1948	schtasks.exe
1084	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2884	DllCommonsvc.exe
2884	DllCommonsvc.exe
2884	DllCommonsvc.exe
2552	powershell.exe
2076	powershell.exe
2544	powershell.exe
2696	powershell.exe
2320	powershell.exe
1704	powershell.exe
2184	powershell.exe
348	powershell.exe
1824	powershell.exe
1044	powershell.exe
3052	powershell.exe
1760	powershell.exe
2496	powershell.exe
2396	powershell.exe
608	powershell.exe
2912	System.exe
264	System.exe
2076	System.exe
3036	System.exe
2052	System.exe
536	System.exe
2024	System.exe
2344	System.exe
1936	System.exe
1340	System.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	DllCommonsvc.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	348	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	608	powershell.exe
Token: SeDebugPrivilege	2912	System.exe
Token: SeDebugPrivilege	264	System.exe
Token: SeDebugPrivilege	2076	System.exe
Token: SeDebugPrivilege	3036	System.exe
Token: SeDebugPrivilege	2052	System.exe
Token: SeDebugPrivilege	536	System.exe
Token: SeDebugPrivilege	2024	System.exe
Token: SeDebugPrivilege	2344	System.exe
Token: SeDebugPrivilege	1936	System.exe
Token: SeDebugPrivilege	1340	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2084	1712	8bb0f4612e828cee83427abbbb03d6a09485aa2884b4fae85467a3cd20941e81.exe	30
PID 1712 wrote to memory of 2084	1712	8bb0f4612e828cee83427abbbb03d6a09485aa2884b4fae85467a3cd20941e81.exe	30
PID 1712 wrote to memory of 2084	1712	8bb0f4612e828cee83427abbbb03d6a09485aa2884b4fae85467a3cd20941e81.exe	30
PID 1712 wrote to memory of 2084	1712	8bb0f4612e828cee83427abbbb03d6a09485aa2884b4fae85467a3cd20941e81.exe	30
PID 2084 wrote to memory of 2772	2084	WScript.exe	31
PID 2084 wrote to memory of 2772	2084	WScript.exe	31
PID 2084 wrote to memory of 2772	2084	WScript.exe	31
PID 2084 wrote to memory of 2772	2084	WScript.exe	31
PID 2772 wrote to memory of 2884	2772	cmd.exe	33
PID 2772 wrote to memory of 2884	2772	cmd.exe	33
PID 2772 wrote to memory of 2884	2772	cmd.exe	33
PID 2772 wrote to memory of 2884	2772	cmd.exe	33
PID 2884 wrote to memory of 2184	2884	DllCommonsvc.exe	77
PID 2884 wrote to memory of 2184	2884	DllCommonsvc.exe	77
PID 2884 wrote to memory of 2184	2884	DllCommonsvc.exe	77
PID 2884 wrote to memory of 2544	2884	DllCommonsvc.exe	78
PID 2884 wrote to memory of 2544	2884	DllCommonsvc.exe	78
PID 2884 wrote to memory of 2544	2884	DllCommonsvc.exe	78
PID 2884 wrote to memory of 2076	2884	DllCommonsvc.exe	79
PID 2884 wrote to memory of 2076	2884	DllCommonsvc.exe	79
PID 2884 wrote to memory of 2076	2884	DllCommonsvc.exe	79
PID 2884 wrote to memory of 1824	2884	DllCommonsvc.exe	80
PID 2884 wrote to memory of 1824	2884	DllCommonsvc.exe	80
PID 2884 wrote to memory of 1824	2884	DllCommonsvc.exe	80
PID 2884 wrote to memory of 3052	2884	DllCommonsvc.exe	81
PID 2884 wrote to memory of 3052	2884	DllCommonsvc.exe	81
PID 2884 wrote to memory of 3052	2884	DllCommonsvc.exe	81
PID 2884 wrote to memory of 2320	2884	DllCommonsvc.exe	82
PID 2884 wrote to memory of 2320	2884	DllCommonsvc.exe	82
PID 2884 wrote to memory of 2320	2884	DllCommonsvc.exe	82
PID 2884 wrote to memory of 608	2884	DllCommonsvc.exe	83
PID 2884 wrote to memory of 608	2884	DllCommonsvc.exe	83
PID 2884 wrote to memory of 608	2884	DllCommonsvc.exe	83
PID 2884 wrote to memory of 2696	2884	DllCommonsvc.exe	84
PID 2884 wrote to memory of 2696	2884	DllCommonsvc.exe	84
PID 2884 wrote to memory of 2696	2884	DllCommonsvc.exe	84
PID 2884 wrote to memory of 1044	2884	DllCommonsvc.exe	85
PID 2884 wrote to memory of 1044	2884	DllCommonsvc.exe	85
PID 2884 wrote to memory of 1044	2884	DllCommonsvc.exe	85
PID 2884 wrote to memory of 2396	2884	DllCommonsvc.exe	86
PID 2884 wrote to memory of 2396	2884	DllCommonsvc.exe	86
PID 2884 wrote to memory of 2396	2884	DllCommonsvc.exe	86
PID 2884 wrote to memory of 2496	2884	DllCommonsvc.exe	87
PID 2884 wrote to memory of 2496	2884	DllCommonsvc.exe	87
PID 2884 wrote to memory of 2496	2884	DllCommonsvc.exe	87
PID 2884 wrote to memory of 1704	2884	DllCommonsvc.exe	88
PID 2884 wrote to memory of 1704	2884	DllCommonsvc.exe	88
PID 2884 wrote to memory of 1704	2884	DllCommonsvc.exe	88
PID 2884 wrote to memory of 2552	2884	DllCommonsvc.exe	89
PID 2884 wrote to memory of 2552	2884	DllCommonsvc.exe	89
PID 2884 wrote to memory of 2552	2884	DllCommonsvc.exe	89
PID 2884 wrote to memory of 348	2884	DllCommonsvc.exe	90
PID 2884 wrote to memory of 348	2884	DllCommonsvc.exe	90
PID 2884 wrote to memory of 348	2884	DllCommonsvc.exe	90
PID 2884 wrote to memory of 1760	2884	DllCommonsvc.exe	91
PID 2884 wrote to memory of 1760	2884	DllCommonsvc.exe	91
PID 2884 wrote to memory of 1760	2884	DllCommonsvc.exe	91
PID 2884 wrote to memory of 2500	2884	DllCommonsvc.exe	106
PID 2884 wrote to memory of 2500	2884	DllCommonsvc.exe	106
PID 2884 wrote to memory of 2500	2884	DllCommonsvc.exe	106
PID 2500 wrote to memory of 548	2500	cmd.exe	109
PID 2500 wrote to memory of 548	2500	cmd.exe	109
PID 2500 wrote to memory of 548	2500	cmd.exe	109
PID 2500 wrote to memory of 2912	2500	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8bb0f4612e828cee83427abbbb03d6a09485aa2884b4fae85467a3cd20941e81.exe
"C:\Users\Admin\AppData\Local\Temp\8bb0f4612e828cee83427abbbb03d6a09485aa2884b4fae85467a3cd20941e81.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\fr-FR\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\it-IT\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JbpPGpjxbE.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2500
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:548
      - C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MUFyTxLHSg.bat"
        7⤵
        
        PID:1444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2436
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1n8esAjYxK.bat"
        9⤵
        
        PID:684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2892
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Db0hEHdXHW.bat"
        11⤵
        
        PID:2136
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2396
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat"
        13⤵
        
        PID:2292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2848
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TGRMrapfWg.bat"
        15⤵
        
        PID:1028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:908
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\38MS6cfT7h.bat"
        17⤵
        
        PID:2040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2552
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iu0amT0ExO.bat"
        19⤵
        
        PID:2284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:696
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K00M4WFsUw.bat"
        21⤵
        
        PID:1756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1292
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\onYrHPGvDe.bat"
        23⤵
        
        PID:2664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1156
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Fonts\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Fonts\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\Setup\State\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Setup\State\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\Setup\State\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\it-IT\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Public\Libraries\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e26627e81409682dceab93bf59babb3

SHA1
bd3579eb281eeddeaa39e078c3c9b9a65195c556

SHA256
9c550568c642d53bc85fa31a484d67d896cdc974e8b5140ee3657fdbd5c02f55

SHA512
1a19df55e1128674d90d833b3a5db64852dafed82141f45c7b88e099c7e010b7761ee62bddc744d79aaadc4e199ca5720fb3adfb9110de670715f2e656de7d99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f9323daa513f73963b9175b0e281829

SHA1
18064d78e4be9880322f8b85877e46226da897e9

SHA256
e1560dcc095f8d364e7b8241a617e42ce0c0e718a6491006712bba6ac243f5a6

SHA512
ba4ec355580a6059cc2e598ffd94d989e5ebcc311130b7b4e73dc9e73ae3d65a088dd651d22b1e51e5708ea5e6c6cb864918cd4810466f51bb16f4764018d8b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3a71f396d72588ec805f6ae854f687f

SHA1
05d4cd7d3e5fe34301fbfca15bbd1738582d51e8

SHA256
bb23ad648df109e06c99c7cd5391ab6f3eb554477d86cc30ccf956a5f5b0c8be

SHA512
eda5baaab7f01d4497f3705702a8fe1a671ffd40541c3e8734616184b7006619bb1c76f470855900e32e9785488a4bec750886b74a5e5603289af1da6d4b7d8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42dabe965e603258efd7bd1605ba2da6

SHA1
27c4cb4276de7f24ce62f670fcd7bc7263be7afe

SHA256
dd10fc89f4e1c5173e3069e2375824584946db5d741c4b21c0510e2e21810770

SHA512
26b1f2069f52a60ea86be73aaf835f00d996c29b13918f1e5acae51f41ddbd2ba7b808055908db4898414425731354c2cd9f93e0228d7ee369b722e15567b75e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c521e9ed662001a3b8783b1f37635ef8

SHA1
637334792b709f17371a5f5a670586aa25a2fbb6

SHA256
9cfecb0bd30e454737394a9bc0295dee139d95d79bd717360cbf8fb8bd170d86

SHA512
cb0d23b0cceaa9e3005871f8e0e8359536d1244b317c3d443c3a6d1f35de581252c0a23ea23335829790b1a24e2c3cd235ad5d7e67560cb900508b610b3a25a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fda7e3bd97eef8bc9b622e1a247d7c1f

SHA1
97c77f2702f8c4bd41e5da3825e937c620f54a88

SHA256
8c62ea0457248b3a601451b8296dfe06ae4eda53a3b1f590d78a1c7cd570b8d4

SHA512
9e67ada7fa4a9f5029806d16b796d6908a0cec04ebd9ec63a3b45fe659ddd65be7b9241a633d5682c6bedc12a0ea4e73ee831560c9badf55ff5c0e0221fdd79e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15bcc399d5bcea7ef2b482f3b0696a70

SHA1
e591550f262b0ea55c018726d1ffd29d618035b1

SHA256
7dac9759070fbfbd03eba37b016452df17934cf6f56d8092976fee3846b05b16

SHA512
483f70a59e2c4f7f377a324c6d4b7107cff5a224f2fb85d61e57f8c82b2fea77cd27005aa3e62580ae9e94cc8e45bf8c37bdbc9456a23252f7363aa6a72fee0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8bbd5bbbd0e55ce6d64e20540eada3a

SHA1
1105238bb0d839a43a78e748290319a07e230655

SHA256
fba4c5111469a2c8a90238b5cba6da62ebdda8fc7ebda5a5c06be88a923045a4

SHA512
e822538b1a59238c45b9bf301e174480a765ddab63268e7b16f2b3cfb3b6823afddb8c444924493d1843862e7fdd45df0c8be814593f6496e6fa42b9aeae8d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\1n8esAjYxK.bat

Filesize
224B

MD5
4d9dfca642958545abd16e60d1fd2235

SHA1
d9e995c93728d4e6d5ffaed41c413b2a7048e3b0

SHA256
17ac8ed111fcbddcc75cdf65b7d73bc5e5fbc90c976e67cbe57b280efee87749

SHA512
00673af3cbcdbfa6dd67af744d828a3842b90581fa971d666d2c672e05cb2597c707f619de1c7745c33951f42a7af8c1ae831f941f030a5d9cb045a9cd2f7f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\38MS6cfT7h.bat

Filesize
224B

MD5
dea83f74823c77f10d3438be0a9cf30b

SHA1
d07a6978d341a6f46fa0f22f326a7f6baa9cf0c4

SHA256
f76bbb8901c72170834b9b2dcf3f83e27ef1a5c045f07502acc4dce8fb781d34

SHA512
092f2c90bd9ca8f8e8cbc5d227a366c091be8f2c99472ccad058baa80b8d430886d1c560eb8a051a4a27895b4f67e43775c8d9b5276e0cb700a0cee9b9221cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCA0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Db0hEHdXHW.bat

Filesize
224B

MD5
15d5931652af484bccdfc0f5dd2def0c

SHA1
3d0f441a864f9a35a7cac5b999b03b4bf65d7591

SHA256
8f8303784e0c41b4def7f5f0c9cbcf9179b7feb52bf5a7c48ac38ff4fd1a2f81

SHA512
a7c1564631812776e806a595d4e0b354d0cb70d60c79afb5ade751d6a6cc9ddbae8a2240c28b343ac1302a5147633ed004e259fc63ae875f6a99ed6f7914b6db

Download Submit
C:\Users\Admin\AppData\Local\Temp\JbpPGpjxbE.bat

Filesize
224B

MD5
e1a8758b699a8b7d7cafbeafd6aaf691

SHA1
f374b7b903b5f561fdb2bd5c16e6aceed6ad322c

SHA256
cfb12280f07c3072ea72d158ca3c860c49c9cd986011c4ca542770b604671364

SHA512
4bc6b97ba91fd8b7d6b7335b3513cb9a154de1e7f0a0ca1e5d65f2acf0ab800d9b5ed854f515177087410773f133147b9835b5d73ca096217af3b12f50aa005d

Download Submit
C:\Users\Admin\AppData\Local\Temp\K00M4WFsUw.bat

Filesize
224B

MD5
04a313ae349f402f4b5afa2b6fcdb9dd

SHA1
3a792bc47b0abc2828856e2203ff213972d0f3a2

SHA256
80460afccbe56d0c275228783bf418835b65ca69cbe8aa31e918ddee595f1586

SHA512
ac8930cc86c9d62c95e5afda263d2887c3161ea4c4c4019e40819b0f549bfac0040e9d9f36afa0b064e3f43ead6077d8c79e3db9362bca81e03860e421b012d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUFyTxLHSg.bat

Filesize
224B

MD5
d6807215f88de7ce04b5e7ed2ae0ea73

SHA1
8e80fd96a5396b2426bbab9b986f96bb485490ef

SHA256
c32536e5ff13567021157d9b3c76b7af89379f26adda92a38dc720a3d027f6f7

SHA512
d8cc9a1eb680628cda8fcab410612db945c032c61d6ced7d3b5a425d543f383e151002b71e12328be35cee3d3703d6d191902c6fb51d927153c6324812643798

Download Submit
C:\Users\Admin\AppData\Local\Temp\TGRMrapfWg.bat

Filesize
224B

MD5
e40d20f5efa2bb8448c3e4a062c118b9

SHA1
9ea37146b783c15a4dc5f2ff9cb33eacb972076d

SHA256
0e8d1ac187a8c99ba892f33d5abda767876190e512c47136281275750cc267ce

SHA512
e712f0c2ff28a2dade871d3c37459b73939fbaf501b035fdd86a4424cf7464f903fedca95a053d9aafe773bf4bc06a8707aad43945692c9b99036eeefcf27b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCB3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat

Filesize
224B

MD5
40f23a9c6dfdb9e36c193bf1f5a8bb68

SHA1
63a4d18541a07695a9afd50490b7b238457efec1

SHA256
ba2a350cac7b15a7814a456c89158d961d168ce803b41f8269fb78467bf590b7

SHA512
42eef90d57cd617ce4475839a80048e6c87a6643054e7dbc5fc2527205e2e26ad1ffe1c5585537c85506eca0a462dee81a298c3687b58547a1a92c7b8bf694c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iu0amT0ExO.bat

Filesize
224B

MD5
0965ac37b175b9e151497efade199f2a

SHA1
efc7479098e8fd455f1bf32cd7bee3893a72aa7b

SHA256
ce42cdc8e57f79ae6cf11bc8c95f5536e4ea1a3016747da6408d552f50c68983

SHA512
6ca8570323e4d5ffe5e1b88d83e8955eb2332db24411593f3a15f629d503e941dd53691883722687402b8dac4b328acdd0c7e8920c76e0741d94e091ea8abe30

Download Submit
C:\Users\Admin\AppData\Local\Temp\onYrHPGvDe.bat

Filesize
224B

MD5
1df077efd61162748cb8da3d4b3ff75f

SHA1
cb8da5c4c40d82301a4b628a46a28901d5c45103

SHA256
b77ac427fcc05ddd2e57948b4f729f7924c1ebe2b589e3bdc3bed55a691895b7

SHA512
090b56b3c37c6853b381df4afc6863c41db009979c50675b540f47f10de12d4c09452d736ce287b53ddf9726fa775caea234732adf3aa143ced693f76d8ead3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
392fd850368f9257e104f0749fff6107

SHA1
9657458af98a5cf8d58dd49e3642fd1eec80de0c

SHA256
671a83f59758fe46887829ab227ca05975b484aaff7b8f595a19a6fb9b4a9f76

SHA512
171dadedea3b0479ce0feb2bf53115bd5111cd9cf5f3edf6ef1c96aef90b9ee9b0ab610528bd23021f99787e4249759c872f2e5b54aeb9b0a7c2524947f3cd20

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/264-189-0x00000000001E0000-0x00000000002F0000-memory.dmp

Filesize
1.1MB

Download
memory/536-428-0x0000000001180000-0x0000000001290000-memory.dmp

Filesize
1.1MB

Download
memory/536-429-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/1936-611-0x0000000001130000-0x0000000001240000-memory.dmp

Filesize
1.1MB

Download
memory/2024-489-0x00000000013D0000-0x00000000014E0000-memory.dmp

Filesize
1.1MB

Download
memory/2024-490-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2076-249-0x0000000000380000-0x0000000000490000-memory.dmp

Filesize
1.1MB

Download
memory/2344-550-0x0000000000110000-0x0000000000220000-memory.dmp

Filesize
1.1MB

Download
memory/2344-551-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2552-71-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/2552-64-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2884-17-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2884-16-0x0000000002540000-0x000000000254C000-memory.dmp

Filesize
48KB

Download
memory/2884-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2884-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2884-13-0x0000000000FC0000-0x00000000010D0000-memory.dmp

Filesize
1.1MB

Download
memory/2912-130-0x0000000001E90000-0x0000000001EA2000-memory.dmp

Filesize
72KB

Download
memory/2912-129-0x00000000001C0000-0x00000000002D0000-memory.dmp

Filesize
1.1MB

Download
memory/3036-309-0x0000000000F30000-0x0000000001040000-memory.dmp

Filesize
1.1MB

Download