dcrat | 89424902cd52e3b057c13806c9275aa38193ec9fde8d478696890f0abbe4bbc6

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_89424902cd52e3b057c13806c9275aa38193ec9fde8d478696890f0abbe4bbc6.exe
Size

1.3MB
MD5

ca350e5e68dc34e5f3542b32c26d55ee
SHA1

764259e0669a0d4ee80b950f99703ea052e8ee53
SHA256

89424902cd52e3b057c13806c9275aa38193ec9fde8d478696890f0abbe4bbc6
SHA512

e28f54a4e027a5e7adaa3bcd890f5fe78cba137fb34b5f985a4f528234eb8988cd4c6cd6019adf117dc29fa4f06b639fa43b7c5a11faf7574cc1f25b23033b07
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2804	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000019345-9.dat	dcrat
behavioral1/memory/2724-13-0x00000000008D0000-0x00000000009E0000-memory.dmp	dcrat
behavioral1/memory/2132-83-0x0000000000300000-0x0000000000410000-memory.dmp	dcrat
behavioral1/memory/2912-184-0x0000000000ED0000-0x0000000000FE0000-memory.dmp	dcrat
behavioral1/memory/1088-304-0x0000000001330000-0x0000000001440000-memory.dmp	dcrat
behavioral1/memory/2152-600-0x00000000001D0000-0x00000000002E0000-memory.dmp	dcrat
behavioral1/memory/564-661-0x00000000000E0000-0x00000000001F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2560	powershell.exe
2140	powershell.exe
1596	powershell.exe
1748	powershell.exe
3032	powershell.exe
992	powershell.exe
1944	powershell.exe
3068	powershell.exe
2544	powershell.exe
2308	powershell.exe
1972	powershell.exe
2356	powershell.exe
896	powershell.exe
1924	powershell.exe
564	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2724	DllCommonsvc.exe
2132	dwm.exe
2912	dwm.exe
2692	dwm.exe
1088	dwm.exe
1100	dwm.exe
1624	dwm.exe
1180	dwm.exe
852	dwm.exe
2152	dwm.exe
564	dwm.exe

Loads dropped DLL 2 IoCs

pid	Process
812	cmd.exe
812	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
32	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\it-IT\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\it-IT\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\a76d7bf15d8370	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_89424902cd52e3b057c13806c9275aa38193ec9fde8d478696890f0abbe4bbc6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1648	schtasks.exe
1836	schtasks.exe
1700	schtasks.exe
1960	schtasks.exe
540	schtasks.exe
768	schtasks.exe
1476	schtasks.exe
2516	schtasks.exe
2780	schtasks.exe
1076	schtasks.exe
1604	schtasks.exe
2196	schtasks.exe
2952	schtasks.exe
1204	schtasks.exe
828	schtasks.exe
2640	schtasks.exe
2616	schtasks.exe
1744	schtasks.exe
1632	schtasks.exe
2244	schtasks.exe
956	schtasks.exe
1464	schtasks.exe
2964	schtasks.exe
2928	schtasks.exe
1032	schtasks.exe
2520	schtasks.exe
2448	schtasks.exe
1752	schtasks.exe
1468	schtasks.exe
2000	schtasks.exe
2644	schtasks.exe
2212	schtasks.exe
1440	schtasks.exe
2980	schtasks.exe
2672	schtasks.exe
920	schtasks.exe
1708	schtasks.exe
1736	schtasks.exe
1664	schtasks.exe
1452	schtasks.exe
1228	schtasks.exe
2364	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2724	DllCommonsvc.exe
2724	DllCommonsvc.exe
2724	DllCommonsvc.exe
2724	DllCommonsvc.exe
2724	DllCommonsvc.exe
2140	powershell.exe
896	powershell.exe
3032	powershell.exe
2308	powershell.exe
2544	powershell.exe
2560	powershell.exe
1924	powershell.exe
564	powershell.exe
2132	dwm.exe
1748	powershell.exe
1972	powershell.exe
2356	powershell.exe
1944	powershell.exe
992	powershell.exe
3068	powershell.exe
1596	powershell.exe
2912	dwm.exe
2692	dwm.exe
1088	dwm.exe
1100	dwm.exe
1624	dwm.exe
1180	dwm.exe
852	dwm.exe
2152	dwm.exe
564	dwm.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	DllCommonsvc.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	2132	dwm.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	2912	dwm.exe
Token: SeDebugPrivilege	2692	dwm.exe
Token: SeDebugPrivilege	1088	dwm.exe
Token: SeDebugPrivilege	1100	dwm.exe
Token: SeDebugPrivilege	1624	dwm.exe
Token: SeDebugPrivilege	1180	dwm.exe
Token: SeDebugPrivilege	852	dwm.exe
Token: SeDebugPrivilege	2152	dwm.exe
Token: SeDebugPrivilege	564	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2176	2396	JaffaCakes118_89424902cd52e3b057c13806c9275aa38193ec9fde8d478696890f0abbe4bbc6.exe	30
PID 2396 wrote to memory of 2176	2396	JaffaCakes118_89424902cd52e3b057c13806c9275aa38193ec9fde8d478696890f0abbe4bbc6.exe	30
PID 2396 wrote to memory of 2176	2396	JaffaCakes118_89424902cd52e3b057c13806c9275aa38193ec9fde8d478696890f0abbe4bbc6.exe	30
PID 2396 wrote to memory of 2176	2396	JaffaCakes118_89424902cd52e3b057c13806c9275aa38193ec9fde8d478696890f0abbe4bbc6.exe	30
PID 2176 wrote to memory of 812	2176	WScript.exe	31
PID 2176 wrote to memory of 812	2176	WScript.exe	31
PID 2176 wrote to memory of 812	2176	WScript.exe	31
PID 2176 wrote to memory of 812	2176	WScript.exe	31
PID 812 wrote to memory of 2724	812	cmd.exe	33
PID 812 wrote to memory of 2724	812	cmd.exe	33
PID 812 wrote to memory of 2724	812	cmd.exe	33
PID 812 wrote to memory of 2724	812	cmd.exe	33
PID 2724 wrote to memory of 2544	2724	DllCommonsvc.exe	77
PID 2724 wrote to memory of 2544	2724	DllCommonsvc.exe	77
PID 2724 wrote to memory of 2544	2724	DllCommonsvc.exe	77
PID 2724 wrote to memory of 3032	2724	DllCommonsvc.exe	78
PID 2724 wrote to memory of 3032	2724	DllCommonsvc.exe	78
PID 2724 wrote to memory of 3032	2724	DllCommonsvc.exe	78
PID 2724 wrote to memory of 2560	2724	DllCommonsvc.exe	79
PID 2724 wrote to memory of 2560	2724	DllCommonsvc.exe	79
PID 2724 wrote to memory of 2560	2724	DllCommonsvc.exe	79
PID 2724 wrote to memory of 2308	2724	DllCommonsvc.exe	80
PID 2724 wrote to memory of 2308	2724	DllCommonsvc.exe	80
PID 2724 wrote to memory of 2308	2724	DllCommonsvc.exe	80
PID 2724 wrote to memory of 2140	2724	DllCommonsvc.exe	81
PID 2724 wrote to memory of 2140	2724	DllCommonsvc.exe	81
PID 2724 wrote to memory of 2140	2724	DllCommonsvc.exe	81
PID 2724 wrote to memory of 992	2724	DllCommonsvc.exe	82
PID 2724 wrote to memory of 992	2724	DllCommonsvc.exe	82
PID 2724 wrote to memory of 992	2724	DllCommonsvc.exe	82
PID 2724 wrote to memory of 1596	2724	DllCommonsvc.exe	83
PID 2724 wrote to memory of 1596	2724	DllCommonsvc.exe	83
PID 2724 wrote to memory of 1596	2724	DllCommonsvc.exe	83
PID 2724 wrote to memory of 564	2724	DllCommonsvc.exe	84
PID 2724 wrote to memory of 564	2724	DllCommonsvc.exe	84
PID 2724 wrote to memory of 564	2724	DllCommonsvc.exe	84
PID 2724 wrote to memory of 1944	2724	DllCommonsvc.exe	85
PID 2724 wrote to memory of 1944	2724	DllCommonsvc.exe	85
PID 2724 wrote to memory of 1944	2724	DllCommonsvc.exe	85
PID 2724 wrote to memory of 896	2724	DllCommonsvc.exe	88
PID 2724 wrote to memory of 896	2724	DllCommonsvc.exe	88
PID 2724 wrote to memory of 896	2724	DllCommonsvc.exe	88
PID 2724 wrote to memory of 1972	2724	DllCommonsvc.exe	90
PID 2724 wrote to memory of 1972	2724	DllCommonsvc.exe	90
PID 2724 wrote to memory of 1972	2724	DllCommonsvc.exe	90
PID 2724 wrote to memory of 1924	2724	DllCommonsvc.exe	91
PID 2724 wrote to memory of 1924	2724	DllCommonsvc.exe	91
PID 2724 wrote to memory of 1924	2724	DllCommonsvc.exe	91
PID 2724 wrote to memory of 3068	2724	DllCommonsvc.exe	94
PID 2724 wrote to memory of 3068	2724	DllCommonsvc.exe	94
PID 2724 wrote to memory of 3068	2724	DllCommonsvc.exe	94
PID 2724 wrote to memory of 1748	2724	DllCommonsvc.exe	96
PID 2724 wrote to memory of 1748	2724	DllCommonsvc.exe	96
PID 2724 wrote to memory of 1748	2724	DllCommonsvc.exe	96
PID 2724 wrote to memory of 2356	2724	DllCommonsvc.exe	97
PID 2724 wrote to memory of 2356	2724	DllCommonsvc.exe	97
PID 2724 wrote to memory of 2356	2724	DllCommonsvc.exe	97
PID 2724 wrote to memory of 2132	2724	DllCommonsvc.exe	107
PID 2724 wrote to memory of 2132	2724	DllCommonsvc.exe	107
PID 2724 wrote to memory of 2132	2724	DllCommonsvc.exe	107
PID 2132 wrote to memory of 2464	2132	dwm.exe	109
PID 2132 wrote to memory of 2464	2132	dwm.exe	109
PID 2132 wrote to memory of 2464	2132	dwm.exe	109
PID 2464 wrote to memory of 1528	2464	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_89424902cd52e3b057c13806c9275aa38193ec9fde8d478696890f0abbe4bbc6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_89424902cd52e3b057c13806c9275aa38193ec9fde8d478696890f0abbe4bbc6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:812
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\ja-JP\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\it-IT\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Music\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
    - - C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2132
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cu7QADyCUt.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1528
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UxOjVeUiuv.bat"
        8⤵
        
        PID:2780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2088
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eON2Ze4cSc.bat"
        10⤵
        
        PID:1164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2292
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat"
        12⤵
        
        PID:1496
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1588
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\95TPLp0dsP.bat"
        14⤵
        
        PID:2664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:956
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat"
        16⤵
        
        PID:1992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3068
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat"
        18⤵
        
        PID:696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2356
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGcIoKmMem.bat"
        20⤵
        
        PID:1216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2808
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat"
        22⤵
        
        PID:2864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2920
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rZY5mW9Lj2.bat"
        24⤵
        
        PID:2908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\it-IT\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Music\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Music\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Music\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Music\Sample Music\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Music\Sample Music\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c556fa9c267dc4907bee3b6448f35c30

SHA1
ec5c9ca98a099b4d8e6970fc73cf0c7171c379aa

SHA256
a54e6813400ed0377aeb1dfc1c853eaabd085ecc26e30bfad92601455b95def9

SHA512
4ebe44f78e8c28e8ab9eb572457d1e0d994375bc7b73237f19dc75f924809ba3322d98ef5f72b2fa76a2ef0b5b7e6beeffbda08f09bb432f8733fb0ee833a16e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a3e7622731976f1ba07295275963f21

SHA1
59df93d8b97e924851b1e865bb241c23a587a470

SHA256
8e9caa09d82806c6fd0e646706bef50dad3c1374715af1b291e6fc438538a229

SHA512
f2be6565b4dccb54a10294aaf63e16058f1218365f2e39be60f54d9b07584227db08fa2886fb8915d83e443aebb5a208c507f1abe1634639a3d9722741b28ec0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c534a5ea07ed548b19aa3ba53d862912

SHA1
9356bdc06f2f7ab04b21dc9eba1d9781bbc03ade

SHA256
28e6aeffe105a44aa01d7a9a2dfac95495b981593abc46432fdca9863541dc42

SHA512
8b7e67a902cfb96ec052960ad8605fb8fa35c945c32ddd3dd6e82dbb43e50d4cc52ca3ba1b52e0c9e11994fec79b5403a86bcab2a5e6d2fa703b80b48430c975

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
854e9d29eb1470de06e82f5506f72b42

SHA1
feae3f9c57b96f83eff37ffd66b06d4c99635017

SHA256
411a9d93b02b0fcdf1e9304ca397a32d5a0a76f9766fcdfc84526b4249533b57

SHA512
fe540b4d7847b04771bd27544b0a7d3e908489c0de12de60def9d67fb4b6021ffdfdbc23cb98087adc36b186a8b5e25c4904724cc8a42aa8a21be71205157273

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4483694ddd8db7fe5be5c2a079ad02cd

SHA1
8779d438544ddb7f0697e87f8c05cc1e0ad1bab5

SHA256
7d05ef20292e4bba146ff739388cd644422d98c6f92b28d4d5e00c71ed1c3b92

SHA512
1af1c674fba0b5db80691bc0ff63b4ad9e8dfe12cd9353d7f8e19f673ff92d838b5ffe373319b2d7aa4dc9b4f5ed53d0a5b42611f2508ce739e6d085fef068ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd770674c2da24ec4c6e3aa22da1ab29

SHA1
a3c7e709a618ca8dea7e023779260fdae782da23

SHA256
7b1db0355d7216ad2f1b443f4a6fc27fda42ae271a43b965bedd10367c139ab3

SHA512
536ad56c85c34766b8136a9118f40aa31836d07ecada177907e3f2a444893519dd9998e507ab04400a6818d9e39d16f071a13885911c4a4505261b2bb1ed3acb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6488d240fb87af82d45e934b6c00b538

SHA1
e52c2f1cb45bd43bf22ac504268c3a8bf12faa3f

SHA256
e60a9e2ea162765e4d51bd1faa4cd274ae1ac80b734dfb1605d85d0243216c82

SHA512
c3374c1ddcdb89c3abe363d3d8f5d87907e91bdcd2b98eb0f9aceae171413df4aa0db238ac8f53b67c7fb7fc1d758cd7454d0cab5c17448cb19eda2412a4f434

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1a29ea1b0cacb25766696788f9d6386

SHA1
4d7dacf08625d498b6b4574ad2b827dd5ff048c9

SHA256
985f22bc6af21fbbc2cfb9ed385bdf7d4ba5653b69928c350c417d3d75df5efb

SHA512
d951b42764fb63dd964f5ede71991b1f1a42511ce65b30c714826e5e982a5f02dfe57942ff1149c4e0965eb65dd0e328455c34cb95bbe619e8686e856a5e95d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93f2b95f004169ce046920912b161ec7

SHA1
6b164105518e501f812a11694423dc9b34de5318

SHA256
110967581f5f16a23bff8e3f9078fc2f386f0722ce8dfbd95f81d962175bb34d

SHA512
4a2bb6631dc73af78547614073b5fe335a6c27d942ce57b1d0aefce30f9bb72845fec2b887bd2331c0769eb2d228fb7ed5519fa3fd1dff6c0047e71e95480b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\95TPLp0dsP.bat

Filesize
221B

MD5
61af3d691b82d6151a29107f6bc41009

SHA1
b290a19681c3914ebb846451205e7963dcc62d8a

SHA256
6df67748d611b38ff061812ef6c5adea7c38c748359f4a63ff7985ab330a5c05

SHA512
e7fe4499b0592e52db3663c7f1124c15ceb3c373873fe065c84879c5511225cee06190c85c2394444be5fffee55e4ef9c8e9feecd5f417bfec90c817fae1e660

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF672.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat

Filesize
221B

MD5
402f3afadd4d249b42eb9a81e50e349b

SHA1
3527f17aaabb52ea3adf2a49c1236f126299045f

SHA256
a975545a5047fdd6ab213e9d043ff367262cf3405118f3580d55b75b2e04269e

SHA512
87d0fd0ea6667a906dedb2b51300789a57346c4e9c6f5c4da5ac45f6dbbfaca1f5bcd5057e93dd4ae1fa56a37c9a3d1761d092769b7e9788a5b93392b7abc2c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF6A3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UxOjVeUiuv.bat

Filesize
221B

MD5
1cdd4a7340fea863c8c96b1f272d5f09

SHA1
c92254a34d25689805401adcfc1f25d466365ae5

SHA256
163cfdad0649aa6b30f73ac703ef0239ed42877e93085b4fff097157673fc776

SHA512
7b81ab44413790a7eb9e6c84536ce28d988bbb5a53692f67bd7d655a726e84826f0b8992265543888341f923d222c49c20efda9143880c744a89e278a5288d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\cu7QADyCUt.bat

Filesize
221B

MD5
52d0e0cc1cc0a5bac33108902ced6176

SHA1
44013e78e226c404d772f67958c03de0e8039f9b

SHA256
d87a77d7302a2244efc4a970907dc2c73cd169044bb2b70db85c5446aaca64f5

SHA512
4052a5048bb82dde6c8358a333113799acfdd5364d0504c543f47654cf1d4afbaf9d39d14b90cfee1e874d7b049df05791fcf957765e13d0ee217e6572a23895

Download Submit
C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat

Filesize
221B

MD5
02166b47f26783440f18166a36014942

SHA1
e8042236593cfd61133c0c318f1431405e0fea37

SHA256
4c025bb8dc8f3c162a588cc4342f712b4babc3a5036c859a167b520862e2cc10

SHA512
50cf670fb8591df3235b9ab39d782853e9b6c830d127d0cb20e281daacdcf5c71379ef48604cdea8b4da952fe65f03549d3dd79876b95ec68545e349ddfa110f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eON2Ze4cSc.bat

Filesize
221B

MD5
1920a9d1bdbc5b9df04302037c958afd

SHA1
0573834f7e6a9124f9244ac983d60eba2e6435f8

SHA256
1b93f97f8f115ae1eccdac5742045cd0e12215c988df5a50fab218b13e06b16d

SHA512
2fb2dc21bd34d819bcf3be0041bf81ace7f72f4128e19a94660d3482d5570c012f8837be43fc23399e6ba6434a12a77eaa1f697bb504d0fcde7e5f18ed10e945

Download Submit
C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat

Filesize
221B

MD5
efe4e824bc44a6f2a2610f23c2f84f30

SHA1
e81f18f760bf48d272a1f14a8931a3276dc82216

SHA256
34a2272b310998ca9acbc82955657b19963c7c231c0af8ad4d2e312de1316a76

SHA512
73bb886e331dcf0bf54f026cdbd726c116c4024d7aa3d3c9a765a290b33603041b2d96f0131bcd3da0ae8722d91b0a63e312d91a63855563c92a69b0aed7ce83

Download Submit
C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat

Filesize
221B

MD5
7ad5a80e37e1513f43a1b24e7ebc2a81

SHA1
eba52f896fd9be067e7b933bdc87b7a8ba28c789

SHA256
be289c0d66289bfac237e43b467931a275e9f507c0f45860afd9cd5d5e5e6511

SHA512
3d7b845d0ba4601061b68af494924a62aa9326c3ec7adea74d80922b7a51ab9eab84eb7408ce0ffbe31e353dc9fefc7c327bc0711e2f69c1b11791491c397b57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGcIoKmMem.bat

Filesize
221B

MD5
d05ea4aa0572e3a93c129251f159e265

SHA1
7ce7424833b6cbc7a02aeff70579baafa8429b3d

SHA256
071566f5e8ba2ebdd311680ff33ac1789adf30e53e891d6811748ae0f16bac97

SHA512
b3871559e2c94f5b53d93ce3dd9ad5c8ffed4aa176b5326c9d1138deb593652fe1e64d431b1fc437c88206ee993be642fd45e68bbf6282ece013c07a7f51ee5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rZY5mW9Lj2.bat

Filesize
221B

MD5
ba312892b15e4cf8d128e350b907a8a6

SHA1
32f412a913c2ef4c017635c8757ef7474553e002

SHA256
2346b0f79ec6ffbf43c9732dd66f99284bd1e828a8b08a530de7e78d3bb35df0

SHA512
d5b5fd09a5ad47e2648fae65a08dc05bf846a3bd91d1cb23d5c0fa527bb4276f30b01b4ce3b0175d1d16ad632cde1adcf7bd5383a6264b9b3cf59638869d5915

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
30551729d6e37f210d04dea6ec06b498

SHA1
7ed80f8b2996632f1a6e4e539d147214688b989d

SHA256
93aec395f9d5df9cfdf3160d7088ba594e9356f19f4bf2875c7ef00bfa1506f0

SHA512
c873c2192851c2f22e428c1e079ab30fe432e46cf91e84ccf1da35b136f36c54eb011d0dcd2e79a64e84e51f9980a701e8872a4a4b2af780b06ecfe93989ba03

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/564-661-0x00000000000E0000-0x00000000001F0000-memory.dmp

Filesize
1.1MB

Download
memory/1088-304-0x0000000001330000-0x0000000001440000-memory.dmp

Filesize
1.1MB

Download
memory/2132-83-0x0000000000300000-0x0000000000410000-memory.dmp

Filesize
1.1MB

Download
memory/2140-59-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/2140-58-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2152-600-0x00000000001D0000-0x00000000002E0000-memory.dmp

Filesize
1.1MB

Download
memory/2152-601-0x0000000000620000-0x0000000000632000-memory.dmp

Filesize
72KB

Download
memory/2692-244-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2724-17-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/2724-16-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/2724-15-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/2724-14-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/2724-13-0x00000000008D0000-0x00000000009E0000-memory.dmp

Filesize
1.1MB

Download
memory/2912-184-0x0000000000ED0000-0x0000000000FE0000-memory.dmp

Filesize
1.1MB

Download