dcrat | 6de70c88b47c6441f088554108f0fabebc07314ed49c96d74adced7eea0f4cab

Analysis

max time kernel
147s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6de70c88b47c6441f088554108f0fabebc07314ed49c96d74adced7eea0f4cab.exe
Size

1.3MB
MD5

e8e0480d3f4c2985aa5f1f9c871b8a88
SHA1

a2e673efdbce3e911369ef9f2841799a7e32ce4e
SHA256

6de70c88b47c6441f088554108f0fabebc07314ed49c96d74adced7eea0f4cab
SHA512

6a712ac26c912fac5a34d5ff8b6e6182b005eec357c17cc94e61400b89e86ed845ece2950f7ba90cf87417b8ac39a4e60e9a8fd55af7a65a631859e87dda5143
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2824	schtasks.exe	35

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000019030-9.dat	dcrat
behavioral1/memory/1056-13-0x00000000002A0000-0x00000000003B0000-memory.dmp	dcrat
behavioral1/memory/560-147-0x0000000000F60000-0x0000000001070000-memory.dmp	dcrat
behavioral1/memory/1792-207-0x0000000001340000-0x0000000001450000-memory.dmp	dcrat
behavioral1/memory/2948-267-0x0000000000340000-0x0000000000450000-memory.dmp	dcrat
behavioral1/memory/2136-327-0x00000000012B0000-0x00000000013C0000-memory.dmp	dcrat
behavioral1/memory/1960-387-0x00000000012E0000-0x00000000013F0000-memory.dmp	dcrat
behavioral1/memory/1244-447-0x0000000000290000-0x00000000003A0000-memory.dmp	dcrat
behavioral1/memory/3036-507-0x0000000000370000-0x0000000000480000-memory.dmp	dcrat
behavioral1/memory/2952-567-0x00000000008C0000-0x00000000009D0000-memory.dmp	dcrat
behavioral1/memory/2656-627-0x00000000001A0000-0x00000000002B0000-memory.dmp	dcrat
behavioral1/memory/3020-687-0x00000000000F0000-0x0000000000200000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2376	powershell.exe
2772	powershell.exe
2664	powershell.exe
2760	powershell.exe
2148	powershell.exe
2332	powershell.exe
2680	powershell.exe
2864	powershell.exe
2792	powershell.exe
1060	powershell.exe
2320	powershell.exe
2152	powershell.exe
2948	powershell.exe
2828	powershell.exe
2592	powershell.exe
824	powershell.exe
2676	powershell.exe
2132	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
1056	DllCommonsvc.exe
560	WMIADAP.exe
1792	WMIADAP.exe
2948	WMIADAP.exe
2136	WMIADAP.exe
1960	WMIADAP.exe
1244	WMIADAP.exe
3036	WMIADAP.exe
2952	WMIADAP.exe
2656	WMIADAP.exe
3020	WMIADAP.exe

Loads dropped DLL 2 IoCs

pid	Process
3052	cmd.exe
3052	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
33	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
22	raw.githubusercontent.com
29	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\it-IT\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\it-IT\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\fr-FR\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\fr-FR\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\27d1bcfc3c54e0	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\system\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Windows\Offline Web Pages\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\Offline Web Pages\cc11b995f2a76d	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6de70c88b47c6441f088554108f0fabebc07314ed49c96d74adced7eea0f4cab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2604	schtasks.exe
2208	schtasks.exe
2288	schtasks.exe
1924	schtasks.exe
2572	schtasks.exe
2888	schtasks.exe
1140	schtasks.exe
352	schtasks.exe
1196	schtasks.exe
2360	schtasks.exe
2448	schtasks.exe
3056	schtasks.exe
1540	schtasks.exe
888	schtasks.exe
3004	schtasks.exe
1760	schtasks.exe
956	schtasks.exe
2624	schtasks.exe
1732	schtasks.exe
1648	schtasks.exe
1912	schtasks.exe
1376	schtasks.exe
1612	schtasks.exe
1524	schtasks.exe
1756	schtasks.exe
2628	schtasks.exe
3032	schtasks.exe
756	schtasks.exe
2372	schtasks.exe
1860	schtasks.exe
2460	schtasks.exe
1812	schtasks.exe
2056	schtasks.exe
2732	schtasks.exe
3036	schtasks.exe
1792	schtasks.exe
1428	schtasks.exe
960	schtasks.exe
1560	schtasks.exe
2968	schtasks.exe
2520	schtasks.exe
2388	schtasks.exe
1220	schtasks.exe
2408	schtasks.exe
2204	schtasks.exe
568	schtasks.exe
1488	schtasks.exe
744	schtasks.exe
3048	schtasks.exe
2228	schtasks.exe
2560	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1056	DllCommonsvc.exe
1056	DllCommonsvc.exe
1056	DllCommonsvc.exe
2320	powershell.exe
2152	powershell.exe
2864	powershell.exe
2792	powershell.exe
2132	powershell.exe
2828	powershell.exe
2760	powershell.exe
2680	powershell.exe
2772	powershell.exe
824	powershell.exe
2332	powershell.exe
2592	powershell.exe
2948	powershell.exe
2148	powershell.exe
1060	powershell.exe
2664	powershell.exe
2376	powershell.exe
2676	powershell.exe
560	WMIADAP.exe
1792	WMIADAP.exe
2948	WMIADAP.exe
2136	WMIADAP.exe
1960	WMIADAP.exe
1244	WMIADAP.exe
3036	WMIADAP.exe
2952	WMIADAP.exe
2656	WMIADAP.exe
3020	WMIADAP.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	1056	DllCommonsvc.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	560	WMIADAP.exe
Token: SeDebugPrivilege	1792	WMIADAP.exe
Token: SeDebugPrivilege	2948	WMIADAP.exe
Token: SeDebugPrivilege	2136	WMIADAP.exe
Token: SeDebugPrivilege	1960	WMIADAP.exe
Token: SeDebugPrivilege	1244	WMIADAP.exe
Token: SeDebugPrivilege	3036	WMIADAP.exe
Token: SeDebugPrivilege	2952	WMIADAP.exe
Token: SeDebugPrivilege	2656	WMIADAP.exe
Token: SeDebugPrivilege	3020	WMIADAP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2332	2368	JaffaCakes118_6de70c88b47c6441f088554108f0fabebc07314ed49c96d74adced7eea0f4cab.exe	30
PID 2368 wrote to memory of 2332	2368	JaffaCakes118_6de70c88b47c6441f088554108f0fabebc07314ed49c96d74adced7eea0f4cab.exe	30
PID 2368 wrote to memory of 2332	2368	JaffaCakes118_6de70c88b47c6441f088554108f0fabebc07314ed49c96d74adced7eea0f4cab.exe	30
PID 2368 wrote to memory of 2332	2368	JaffaCakes118_6de70c88b47c6441f088554108f0fabebc07314ed49c96d74adced7eea0f4cab.exe	30
PID 2332 wrote to memory of 3052	2332	WScript.exe	32
PID 2332 wrote to memory of 3052	2332	WScript.exe	32
PID 2332 wrote to memory of 3052	2332	WScript.exe	32
PID 2332 wrote to memory of 3052	2332	WScript.exe	32
PID 3052 wrote to memory of 1056	3052	cmd.exe	34
PID 3052 wrote to memory of 1056	3052	cmd.exe	34
PID 3052 wrote to memory of 1056	3052	cmd.exe	34
PID 3052 wrote to memory of 1056	3052	cmd.exe	34
PID 1056 wrote to memory of 2376	1056	DllCommonsvc.exe	87
PID 1056 wrote to memory of 2376	1056	DllCommonsvc.exe	87
PID 1056 wrote to memory of 2376	1056	DllCommonsvc.exe	87
PID 1056 wrote to memory of 1060	1056	DllCommonsvc.exe	88
PID 1056 wrote to memory of 1060	1056	DllCommonsvc.exe	88
PID 1056 wrote to memory of 1060	1056	DllCommonsvc.exe	88
PID 1056 wrote to memory of 2760	1056	DllCommonsvc.exe	89
PID 1056 wrote to memory of 2760	1056	DllCommonsvc.exe	89
PID 1056 wrote to memory of 2760	1056	DllCommonsvc.exe	89
PID 1056 wrote to memory of 2320	1056	DllCommonsvc.exe	90
PID 1056 wrote to memory of 2320	1056	DllCommonsvc.exe	90
PID 1056 wrote to memory of 2320	1056	DllCommonsvc.exe	90
PID 1056 wrote to memory of 2148	1056	DllCommonsvc.exe	91
PID 1056 wrote to memory of 2148	1056	DllCommonsvc.exe	91
PID 1056 wrote to memory of 2148	1056	DllCommonsvc.exe	91
PID 1056 wrote to memory of 2332	1056	DllCommonsvc.exe	92
PID 1056 wrote to memory of 2332	1056	DllCommonsvc.exe	92
PID 1056 wrote to memory of 2332	1056	DllCommonsvc.exe	92
PID 1056 wrote to memory of 2864	1056	DllCommonsvc.exe	93
PID 1056 wrote to memory of 2864	1056	DllCommonsvc.exe	93
PID 1056 wrote to memory of 2864	1056	DllCommonsvc.exe	93
PID 1056 wrote to memory of 824	1056	DllCommonsvc.exe	94
PID 1056 wrote to memory of 824	1056	DllCommonsvc.exe	94
PID 1056 wrote to memory of 824	1056	DllCommonsvc.exe	94
PID 1056 wrote to memory of 2152	1056	DllCommonsvc.exe	95
PID 1056 wrote to memory of 2152	1056	DllCommonsvc.exe	95
PID 1056 wrote to memory of 2152	1056	DllCommonsvc.exe	95
PID 1056 wrote to memory of 2772	1056	DllCommonsvc.exe	96
PID 1056 wrote to memory of 2772	1056	DllCommonsvc.exe	96
PID 1056 wrote to memory of 2772	1056	DllCommonsvc.exe	96
PID 1056 wrote to memory of 2680	1056	DllCommonsvc.exe	97
PID 1056 wrote to memory of 2680	1056	DllCommonsvc.exe	97
PID 1056 wrote to memory of 2680	1056	DllCommonsvc.exe	97
PID 1056 wrote to memory of 2676	1056	DllCommonsvc.exe	98
PID 1056 wrote to memory of 2676	1056	DllCommonsvc.exe	98
PID 1056 wrote to memory of 2676	1056	DllCommonsvc.exe	98
PID 1056 wrote to memory of 2948	1056	DllCommonsvc.exe	99
PID 1056 wrote to memory of 2948	1056	DllCommonsvc.exe	99
PID 1056 wrote to memory of 2948	1056	DllCommonsvc.exe	99
PID 1056 wrote to memory of 2132	1056	DllCommonsvc.exe	100
PID 1056 wrote to memory of 2132	1056	DllCommonsvc.exe	100
PID 1056 wrote to memory of 2132	1056	DllCommonsvc.exe	100
PID 1056 wrote to memory of 2664	1056	DllCommonsvc.exe	101
PID 1056 wrote to memory of 2664	1056	DllCommonsvc.exe	101
PID 1056 wrote to memory of 2664	1056	DllCommonsvc.exe	101
PID 1056 wrote to memory of 2792	1056	DllCommonsvc.exe	102
PID 1056 wrote to memory of 2792	1056	DllCommonsvc.exe	102
PID 1056 wrote to memory of 2792	1056	DllCommonsvc.exe	102
PID 1056 wrote to memory of 2828	1056	DllCommonsvc.exe	104
PID 1056 wrote to memory of 2828	1056	DllCommonsvc.exe	104
PID 1056 wrote to memory of 2828	1056	DllCommonsvc.exe	104
PID 1056 wrote to memory of 2592	1056	DllCommonsvc.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6de70c88b47c6441f088554108f0fabebc07314ed49c96d74adced7eea0f4cab.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6de70c88b47c6441f088554108f0fabebc07314ed49c96d74adced7eea0f4cab.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\fr-FR\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\MF\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\it-IT\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xgGS4hucr4.bat"
        5⤵
        
        PID:1252
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:844
      - C:\Users\Default User\WMIADAP.exe
        
        "C:\Users\Default User\WMIADAP.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat"
        7⤵
        
        PID:2756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1168
        
        C:\Users\Default User\WMIADAP.exe
        
        "C:\Users\Default User\WMIADAP.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat"
        9⤵
        
        PID:1656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1244
        
        C:\Users\Default User\WMIADAP.exe
        
        "C:\Users\Default User\WMIADAP.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5AjNu1Vgdj.bat"
        11⤵
        
        PID:784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1856
        
        C:\Users\Default User\WMIADAP.exe
        
        "C:\Users\Default User\WMIADAP.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat"
        13⤵
        
        PID:2324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2088
        
        C:\Users\Default User\WMIADAP.exe
        
        "C:\Users\Default User\WMIADAP.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat"
        15⤵
        
        PID:1760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1792
        
        C:\Users\Default User\WMIADAP.exe
        
        "C:\Users\Default User\WMIADAP.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9j3rBUpSkc.bat"
        17⤵
        
        PID:1520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2948
        
        C:\Users\Default User\WMIADAP.exe
        
        "C:\Users\Default User\WMIADAP.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sQQ1IAg9p0.bat"
        19⤵
        
        PID:2328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2100
        
        C:\Users\Default User\WMIADAP.exe
        
        "C:\Users\Default User\WMIADAP.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat"
        21⤵
        
        PID:2132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:352
        
        C:\Users\Default User\WMIADAP.exe
        
        "C:\Users\Default User\WMIADAP.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X8VSEkwS9E.bat"
        23⤵
        
        PID:584
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1516
        
        C:\Users\Default User\WMIADAP.exe
        
        "C:\Users\Default User\WMIADAP.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\fr-FR\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\fr-FR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\system\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\system\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\system\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\Sample Pictures\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\Sample Pictures\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\MF\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\MF\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\MF\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\Templates\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\NetHood\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\NetHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\Offline Web Pages\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Offline Web Pages\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\it-IT\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\it-IT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\it-IT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22dbc6cd51ff9a83d0b5a39a3bf73ec8

SHA1
f71ccf5057e511ef5570cacb8f7885302e32ee02

SHA256
efcf5ab6ddb892fb19a580bd471544bd198e2f65bd3b7f52cecb91d4c9b121db

SHA512
b2c19e04d69a5518753c5504bc30213b0fd86405d394a43cb81969827a7c42ba34680e49518a505192b7bc58bc9fde09dc6500c1d6a273b5bd8e4cc1e53696d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af3697122d6275edf484f94e3a9dd113

SHA1
ac879bf48907b740c605e624a8f0dea734ff567f

SHA256
7cfa3db5a3ad782231dc90f7c45d0a79e7f34e2f7b2df6383b7ec80ba33a5fe4

SHA512
e0bdf3dcd5f132291fc43ed246bdc4455892b3511306bb1e4426b6e61a1b2e0d251d04471d48778b3b1c2fb785ad293caef350028c342f756d53ef6ab47bfacc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09138c0e645c280595acb4688c7fbe50

SHA1
0e712578e389399acff746d8093142b3373474f0

SHA256
78567f7bdd5d3cf24685e2080e859b4fed18a1d5a68a2535d071775956cf2900

SHA512
d3bd8b40ed50002894f80b34d1390f6683313f346d17fd379fcda72e4cde630c735822c872484435b9c09720869cf0f36045a4933fea89bbe5dc89a827d609df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa82b32a4e4ae59d9d393805eb73e242

SHA1
fd7739efe0a78f6df674acc24a28deee42806529

SHA256
82bbd646ef8a305e1861c4e647e40394e0ddcc7c9d839fdde2091f764f43ddb7

SHA512
5a8d25349e255f6b64c873d8cfa6fdb721184dbadd5dfc9980c7d1df760d40caa0946af74b5294bdd37f012ca024cbc1560a6087c7a9a681d85763aa31cdaeb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3844ea7b2d035d0265118476bdc1d63d

SHA1
3f9225b3916458ee83c6f8f9db0c62b8a779cd07

SHA256
2bea733a21d1fff01fa8b219a3eb004e81e78a5df70383ea4400b317ee383594

SHA512
f57473df11951e775a7636091a6bd90081ea953ad97eaa156f3bce2747fe1bc2454a9a7544d2f993a8c335587ba2cf86fe373867b470ab109fe7eaf90275b7c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
941a648e23d243b76c0ae058a8517970

SHA1
7d546c46b370d0833e40c83668998858129dc98a

SHA256
a8d99730d2e5a176bdad13a53e9e5fda9745ab010f82231ac9edb5625c2b8ad7

SHA512
31e23da26774ebdbdd47242975a45674b33b773e761ff0abe653b8fd5c96893afd30b4484a137c5bc7021184cad51dba07ca66e94a29be40068009d3ff549ee9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8e970121eba1ff432b4bcd67e1b1f5c

SHA1
3871d1793646febaa53b1db178176a76ceb658d0

SHA256
f30a64cc82d967240144e1db8be783a94c481de004565e3a28ad884a6f143601

SHA512
13c3e8b1b6b57283ff4571710279dbe7b421e549e39fb8c5f220c2315a6832cb58464b48cb60b0d4e63fec0c6f20cac8e7e8dd506f99b8b8c054e3540cd18b1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9eaef0105a546f9f93a2a57111d90ed9

SHA1
7c4f2a5dd8fa44f90745163f325d0e4df873edcc

SHA256
c4de985e2b30e7cf1e26d6da00dc5601ef651c94f96e39344a03584e53c7a9ad

SHA512
4ee5aa54858ca6fd15c85e932c9ba5c2331bcbd5de3f92190e6c2294d0fc39223aadf4deca33851adcc26f38147b4cbe6087d0b001d5b510a0252c9731f73816

Download Submit
C:\Users\Admin\AppData\Local\Temp\5AjNu1Vgdj.bat

Filesize
198B

MD5
153f8d74d037a0cc0f74d8c0b95e2bfd

SHA1
4cca63ef2242f388960274ec90ca5ab86779f928

SHA256
76cb4ea6f201ca7827abeaaa813e31bc24ca0ff841c0401864be857809ab624f

SHA512
9736e6b946b1ba96ddb942b9ce7aeae0dbcfbb29c190ca4ebf7984652a7c5d807d4e5041af9d14b9aa53749d739ee71522aa407200ddd041b82111779a99bd90

Download Submit
C:\Users\Admin\AppData\Local\Temp\9j3rBUpSkc.bat

Filesize
198B

MD5
9379ada1368d6fd80fce33fd3b35ff05

SHA1
b4e4615a72ea5ed511932f467cf97f7794abd10a

SHA256
36240f5ea214215bf503b30beeb68197aa90ca402a51bb7f61f5ba7117c910ef

SHA512
e69b3cfb038180c781e34488e315bf1850fe7322d914d49be31d06f306d91c73d67754c90fa7ec2f60b548c30521925e6e13b5643f118fd733ec1072915192db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2139.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat

Filesize
198B

MD5
7467eaba0739411d53f2afe988769c54

SHA1
b22b0bbb452e7c7ff7b22c660bf6210f34694f48

SHA256
8d279a257dca7375fd087ef21c2e96deabba201cf8adaf9c7738a0ee664881a0

SHA512
8723baf56164c3e4e1896d212ff74730ec98ab5cecbe055422772d21424b930e2e38bdd068157c00ee2b1b9acd53d2469fff886efd0f7139da855b5e5bdaaebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat

Filesize
198B

MD5
b143b0780790ebb32f1d85922cb61dd0

SHA1
8abcbbbf880d3e9abacb7c4b6df413b4c87f3097

SHA256
42fa55e5a79b20bf13bbd610d740c2f25a04341f15081e9aed57e4e6a7285865

SHA512
ad353b3aba04e71238e6bd9610654695b484a3b969de0a66ef395653e539933ba36891a1eb7b02fb1e59164d67f88706cc9145f828dfbc6f8ac46914fa6c021e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar214B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\X8VSEkwS9E.bat

Filesize
198B

MD5
ccc1275de15bff982c6fc94029c3516c

SHA1
89d5b7dbb254a419520f169c075faa8c5f10ae66

SHA256
3e2286d37cd933c9cfad94a9b47a8b98741fdee5b85b5570c12eecf5a50051db

SHA512
473e67537f422850eb9b0a22e36cee11c1ea500d63e0497db449d6c7ca2677a1b81f4a7a099fbc7957d6c11651142166effa32f7bb23e674043ba379b555082b

Download Submit
C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat

Filesize
198B

MD5
764f806fa1a719ea4fdb5ed97f93d7a8

SHA1
c8e7e79b4f82d8a210c331289bc448fe8b42d8a6

SHA256
5bd913806a2590b0ce5075a712adc40b417a6e5414f4919470bded30f29f7a23

SHA512
55a22362c53f7ab3bb8b3cf19b16e1485c0aac91edf4b225d73252583b290a185b4e3e57a5eaa0410de2a462042376c41b8098e6a179ea9c3e3c45d4b2964b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat

Filesize
198B

MD5
32f2580ed636c2b0944bde15d2bcf01c

SHA1
33c5ebf21d3c2a28ab91679dc316d67bb5f1f324

SHA256
2877c01ff7ba4e81a36e761b38b8689b777cb0dfa0d9631487ec8160bc46b9ac

SHA512
a7235da114ea5124281b92378bc0a623175423568d6e85fc7bf3b128a5aaab8a25c97012931d600d3dd9ad75015bb561a1dbff36854fdaddd7f019fe9a131f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQQ1IAg9p0.bat

Filesize
198B

MD5
52b5f8438c67ba9a4e4087a2c9a36a42

SHA1
75bd1fb82e55a12c06f0c6bf28e0046f55cab2c7

SHA256
090c0942f6943258d4ab5c27577f00aa5539fa5dc46704a6773decad014958ee

SHA512
54e701a54948e6b00bbda1e5c3d5765c6052177c4da26a01d43bf51578720a4961de67a8f9c5b2b1fa67e67e9ca1e14b4652bb7dc2b91d624b914b360701cd2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat

Filesize
198B

MD5
85b88955b841ae5299d2949adaf660fe

SHA1
1fc305e0fff536e743f767d7f32d6cb590f9cb12

SHA256
0a8b305c6e67d9f9576bced7b0928e1dda068000bb32770a7412125ad9ff9b1a

SHA512
60755fd6b97254c7a83074507c185b316634fe2b675f326a9b4456947bee8608520878e5f7497ed5506053566a790435f7262ea7b153f7e96c85b7e12fae39f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgGS4hucr4.bat

Filesize
198B

MD5
bc1fe9a3d65fd5302d3b49e1d92920b5

SHA1
dcd4977b0482416176cbeb10382860df1b67bbcd

SHA256
840f684e7cf659050e39a010924a60549e1c4870563c43afa3b7ef2126839ee4

SHA512
a67fbc290cfbce5f90ca5f6408e9d1bd48fb5722f280a0fb0e4f13c8da357058626ab2d03acbc626c9a5cf11f183c835736b6b3c8f677ae6b5c1f05809deda88

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
dcc9c4118f7438057b447781265bf386

SHA1
114139d19867a453e469bf4131ed1f137a654f00

SHA256
d062f5241d795beb9350eca2f75b85fcbeaebc70da932c555b6bb6b86e89344a

SHA512
77bfd68938547f913da2c708bf65272c1ef63903cc3bcb91182839b2df6769935c54d193047917b9b1eac67f40ccb1b48bf4955bdd8e38b986ae0fde580f6d57

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/560-148-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/560-147-0x0000000000F60000-0x0000000001070000-memory.dmp

Filesize
1.1MB

Download
memory/1056-16-0x00000000020D0000-0x00000000020DC000-memory.dmp

Filesize
48KB

Download
memory/1056-15-0x000000001A7D0000-0x000000001A7DC000-memory.dmp

Filesize
48KB

Download
memory/1056-14-0x00000000007E0000-0x00000000007F2000-memory.dmp

Filesize
72KB

Download
memory/1056-17-0x000000001A7E0000-0x000000001A7EC000-memory.dmp

Filesize
48KB

Download
memory/1056-13-0x00000000002A0000-0x00000000003B0000-memory.dmp

Filesize
1.1MB

Download
memory/1244-447-0x0000000000290000-0x00000000003A0000-memory.dmp

Filesize
1.1MB

Download
memory/1792-207-0x0000000001340000-0x0000000001450000-memory.dmp

Filesize
1.1MB

Download
memory/1960-387-0x00000000012E0000-0x00000000013F0000-memory.dmp

Filesize
1.1MB

Download
memory/2136-327-0x00000000012B0000-0x00000000013C0000-memory.dmp

Filesize
1.1MB

Download
memory/2320-68-0x0000000001F30000-0x0000000001F38000-memory.dmp

Filesize
32KB

Download
memory/2320-66-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2656-627-0x00000000001A0000-0x00000000002B0000-memory.dmp

Filesize
1.1MB

Download
memory/2948-267-0x0000000000340000-0x0000000000450000-memory.dmp

Filesize
1.1MB

Download
memory/2952-567-0x00000000008C0000-0x00000000009D0000-memory.dmp

Filesize
1.1MB

Download
memory/3020-687-0x00000000000F0000-0x0000000000200000-memory.dmp

Filesize
1.1MB

Download
memory/3036-507-0x0000000000370000-0x0000000000480000-memory.dmp

Filesize
1.1MB

Download