dcrat | e78d0a531ef269480522818b3b675c0f79ff33ecd4b0e81c9a587759b876597a

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e78d0a531ef269480522818b3b675c0f79ff33ecd4b0e81c9a587759b876597a.exe
Size

1.3MB
MD5

4ed68b334afc22d30fe5d38ef5063f66
SHA1

ee00a59e2737b38cbdcfd689cb5d35345af5ed94
SHA256

e78d0a531ef269480522818b3b675c0f79ff33ecd4b0e81c9a587759b876597a
SHA512

f8e73e890b96f181208d74b158151ee8dd2644eeb575bd72dd379811739b9e3c3c409a863f2c43cd1b223e929b3bff2d04cb14f487eab8c71fb6b8d244fbca31
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2404	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000019570-9.dat	dcrat
behavioral1/memory/2912-13-0x0000000000380000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/2940-101-0x0000000001290000-0x00000000013A0000-memory.dmp	dcrat
behavioral1/memory/2012-244-0x0000000001390000-0x00000000014A0000-memory.dmp	dcrat
behavioral1/memory/1876-423-0x0000000000110000-0x0000000000220000-memory.dmp	dcrat
behavioral1/memory/2592-484-0x0000000000B40000-0x0000000000C50000-memory.dmp	dcrat
behavioral1/memory/2788-604-0x0000000001140000-0x0000000001250000-memory.dmp	dcrat
behavioral1/memory/2916-782-0x0000000000260000-0x0000000000370000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1028	powershell.exe
336	powershell.exe
1016	powershell.exe
2504	powershell.exe
964	powershell.exe
908	powershell.exe
912	powershell.exe
1616	powershell.exe
708	powershell.exe
2304	powershell.exe
2996	powershell.exe
3044	powershell.exe
3028	powershell.exe
1444	powershell.exe
1380	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2912	DllCommonsvc.exe
2940	services.exe
2776	services.exe
2012	services.exe
2640	services.exe
1520	services.exe
1876	services.exe
2592	services.exe
2716	services.exe
2788	services.exe
2572	services.exe
868	services.exe
2916	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2736	cmd.exe
2736	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
29	raw.githubusercontent.com
5	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
25	raw.githubusercontent.com
32	raw.githubusercontent.com
35	raw.githubusercontent.com
39	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
22	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\f3b6ecef712a24	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\it-IT\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\3082\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\3082\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Windows\Logs\DPX\services.exe	DllCommonsvc.exe
File created	C:\Windows\Logs\DPX\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Windows\it-IT\spoolsv.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e78d0a531ef269480522818b3b675c0f79ff33ecd4b0e81c9a587759b876597a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2340	schtasks.exe
2440	schtasks.exe
2952	schtasks.exe
2148	schtasks.exe
1340	schtasks.exe
1892	schtasks.exe
2332	schtasks.exe
2468	schtasks.exe
1700	schtasks.exe
1752	schtasks.exe
108	schtasks.exe
1696	schtasks.exe
2452	schtasks.exe
3024	schtasks.exe
2348	schtasks.exe
1648	schtasks.exe
1724	schtasks.exe
288	schtasks.exe
684	schtasks.exe
1424	schtasks.exe
696	schtasks.exe
2532	schtasks.exe
1704	schtasks.exe
2480	schtasks.exe
2636	schtasks.exe
2820	schtasks.exe
2232	schtasks.exe
2904	schtasks.exe
1996	schtasks.exe
1916	schtasks.exe
2032	schtasks.exe
1756	schtasks.exe
2224	schtasks.exe
1808	schtasks.exe
1800	schtasks.exe
2872	schtasks.exe
1920	schtasks.exe
784	schtasks.exe
2292	schtasks.exe
1748	schtasks.exe
600	schtasks.exe
2456	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2912	DllCommonsvc.exe
2912	DllCommonsvc.exe
2912	DllCommonsvc.exe
964	powershell.exe
1380	powershell.exe
1016	powershell.exe
3028	powershell.exe
1444	powershell.exe
3044	powershell.exe
2304	powershell.exe
1616	powershell.exe
708	powershell.exe
1028	powershell.exe
912	powershell.exe
2996	powershell.exe
908	powershell.exe
336	powershell.exe
2504	powershell.exe
2940	services.exe
2776	services.exe
2012	services.exe
2640	services.exe
1520	services.exe
1876	services.exe
2592	services.exe
2716	services.exe
2788	services.exe
2572	services.exe
868	services.exe
2916	services.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	DllCommonsvc.exe
Token: SeDebugPrivilege	964	powershell.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	708	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	2940	services.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	336	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	2776	services.exe
Token: SeDebugPrivilege	2012	services.exe
Token: SeDebugPrivilege	2640	services.exe
Token: SeDebugPrivilege	1520	services.exe
Token: SeDebugPrivilege	1876	services.exe
Token: SeDebugPrivilege	2592	services.exe
Token: SeDebugPrivilege	2716	services.exe
Token: SeDebugPrivilege	2788	services.exe
Token: SeDebugPrivilege	2572	services.exe
Token: SeDebugPrivilege	868	services.exe
Token: SeDebugPrivilege	2916	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2944	2184	JaffaCakes118_e78d0a531ef269480522818b3b675c0f79ff33ecd4b0e81c9a587759b876597a.exe	30
PID 2184 wrote to memory of 2944	2184	JaffaCakes118_e78d0a531ef269480522818b3b675c0f79ff33ecd4b0e81c9a587759b876597a.exe	30
PID 2184 wrote to memory of 2944	2184	JaffaCakes118_e78d0a531ef269480522818b3b675c0f79ff33ecd4b0e81c9a587759b876597a.exe	30
PID 2184 wrote to memory of 2944	2184	JaffaCakes118_e78d0a531ef269480522818b3b675c0f79ff33ecd4b0e81c9a587759b876597a.exe	30
PID 2944 wrote to memory of 2736	2944	WScript.exe	31
PID 2944 wrote to memory of 2736	2944	WScript.exe	31
PID 2944 wrote to memory of 2736	2944	WScript.exe	31
PID 2944 wrote to memory of 2736	2944	WScript.exe	31
PID 2736 wrote to memory of 2912	2736	cmd.exe	33
PID 2736 wrote to memory of 2912	2736	cmd.exe	33
PID 2736 wrote to memory of 2912	2736	cmd.exe	33
PID 2736 wrote to memory of 2912	2736	cmd.exe	33
PID 2912 wrote to memory of 1380	2912	DllCommonsvc.exe	77
PID 2912 wrote to memory of 1380	2912	DllCommonsvc.exe	77
PID 2912 wrote to memory of 1380	2912	DllCommonsvc.exe	77
PID 2912 wrote to memory of 3028	2912	DllCommonsvc.exe	78
PID 2912 wrote to memory of 3028	2912	DllCommonsvc.exe	78
PID 2912 wrote to memory of 3028	2912	DllCommonsvc.exe	78
PID 2912 wrote to memory of 708	2912	DllCommonsvc.exe	80
PID 2912 wrote to memory of 708	2912	DllCommonsvc.exe	80
PID 2912 wrote to memory of 708	2912	DllCommonsvc.exe	80
PID 2912 wrote to memory of 1616	2912	DllCommonsvc.exe	81
PID 2912 wrote to memory of 1616	2912	DllCommonsvc.exe	81
PID 2912 wrote to memory of 1616	2912	DllCommonsvc.exe	81
PID 2912 wrote to memory of 2504	2912	DllCommonsvc.exe	83
PID 2912 wrote to memory of 2504	2912	DllCommonsvc.exe	83
PID 2912 wrote to memory of 2504	2912	DllCommonsvc.exe	83
PID 2912 wrote to memory of 1016	2912	DllCommonsvc.exe	85
PID 2912 wrote to memory of 1016	2912	DllCommonsvc.exe	85
PID 2912 wrote to memory of 1016	2912	DllCommonsvc.exe	85
PID 2912 wrote to memory of 1028	2912	DllCommonsvc.exe	86
PID 2912 wrote to memory of 1028	2912	DllCommonsvc.exe	86
PID 2912 wrote to memory of 1028	2912	DllCommonsvc.exe	86
PID 2912 wrote to memory of 336	2912	DllCommonsvc.exe	87
PID 2912 wrote to memory of 336	2912	DllCommonsvc.exe	87
PID 2912 wrote to memory of 336	2912	DllCommonsvc.exe	87
PID 2912 wrote to memory of 964	2912	DllCommonsvc.exe	88
PID 2912 wrote to memory of 964	2912	DllCommonsvc.exe	88
PID 2912 wrote to memory of 964	2912	DllCommonsvc.exe	88
PID 2912 wrote to memory of 1444	2912	DllCommonsvc.exe	89
PID 2912 wrote to memory of 1444	2912	DllCommonsvc.exe	89
PID 2912 wrote to memory of 1444	2912	DllCommonsvc.exe	89
PID 2912 wrote to memory of 912	2912	DllCommonsvc.exe	90
PID 2912 wrote to memory of 912	2912	DllCommonsvc.exe	90
PID 2912 wrote to memory of 912	2912	DllCommonsvc.exe	90
PID 2912 wrote to memory of 908	2912	DllCommonsvc.exe	91
PID 2912 wrote to memory of 908	2912	DllCommonsvc.exe	91
PID 2912 wrote to memory of 908	2912	DllCommonsvc.exe	91
PID 2912 wrote to memory of 2304	2912	DllCommonsvc.exe	92
PID 2912 wrote to memory of 2304	2912	DllCommonsvc.exe	92
PID 2912 wrote to memory of 2304	2912	DllCommonsvc.exe	92
PID 2912 wrote to memory of 3044	2912	DllCommonsvc.exe	93
PID 2912 wrote to memory of 3044	2912	DllCommonsvc.exe	93
PID 2912 wrote to memory of 3044	2912	DllCommonsvc.exe	93
PID 2912 wrote to memory of 2996	2912	DllCommonsvc.exe	94
PID 2912 wrote to memory of 2996	2912	DllCommonsvc.exe	94
PID 2912 wrote to memory of 2996	2912	DllCommonsvc.exe	94
PID 2912 wrote to memory of 2940	2912	DllCommonsvc.exe	107
PID 2912 wrote to memory of 2940	2912	DllCommonsvc.exe	107
PID 2912 wrote to memory of 2940	2912	DllCommonsvc.exe	107
PID 2940 wrote to memory of 108	2940	services.exe	108
PID 2940 wrote to memory of 108	2940	services.exe	108
PID 2940 wrote to memory of 108	2940	services.exe	108
PID 108 wrote to memory of 1996	108	cmd.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e78d0a531ef269480522818b3b675c0f79ff33ecd4b0e81c9a587759b876597a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e78d0a531ef269480522818b3b675c0f79ff33ecd4b0e81c9a587759b876597a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v3.5\3082\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\DPX\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
    - - C:\Windows\Logs\DPX\services.exe
        
        "C:\Windows\Logs\DPX\services.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:108
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1996
        
        C:\Windows\Logs\DPX\services.exe
        
        "C:\Windows\Logs\DPX\services.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat"
        8⤵
        
        PID:2156
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:600
        
        C:\Windows\Logs\DPX\services.exe
        
        "C:\Windows\Logs\DPX\services.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6n1oUPmZQq.bat"
        10⤵
        
        PID:1892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:540
        
        C:\Windows\Logs\DPX\services.exe
        
        "C:\Windows\Logs\DPX\services.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DC0SKfNvdG.bat"
        12⤵
        
        PID:1944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2500
        
        C:\Windows\Logs\DPX\services.exe
        
        "C:\Windows\Logs\DPX\services.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FaowIOOII5.bat"
        14⤵
        
        PID:2992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2808
        
        C:\Windows\Logs\DPX\services.exe
        
        "C:\Windows\Logs\DPX\services.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3a8tNGcxSj.bat"
        16⤵
        
        PID:1496
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2468
        
        C:\Windows\Logs\DPX\services.exe
        
        "C:\Windows\Logs\DPX\services.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OZJpL0Zeaq.bat"
        18⤵
        
        PID:2504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2912
        
        C:\Windows\Logs\DPX\services.exe
        
        "C:\Windows\Logs\DPX\services.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat"
        20⤵
        
        PID:2840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2680
        
        C:\Windows\Logs\DPX\services.exe
        
        "C:\Windows\Logs\DPX\services.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X8VSEkwS9E.bat"
        22⤵
        
        PID:2820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2568
        
        C:\Windows\Logs\DPX\services.exe
        
        "C:\Windows\Logs\DPX\services.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat"
        24⤵
        
        PID:2336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:808
        
        C:\Windows\Logs\DPX\services.exe
        
        "C:\Windows\Logs\DPX\services.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat"
        26⤵
        
        PID:2320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1688
        
        C:\Windows\Logs\DPX\services.exe
        
        "C:\Windows\Logs\DPX\services.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\it-IT\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\Framework\v3.5\3082\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework\v3.5\3082\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\Framework\v3.5\3082\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Application Data\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Application Data\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Application Data\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\DPX\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Logs\DPX\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Logs\DPX\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ded91cef38d9cb28cd86eaa8aeea6f4d

SHA1
579bb81e85592705afefb15d5841125f0734e400

SHA256
6fb743d5e69c6fbb9f5838c5b5bdb2f5707fa794f31287095fa4940f145d9e51

SHA512
5e588343a0176b24d3b0bbdb3ec13b6a63afe30e77ffc79e3ea9634e5cf59ef77c56a396b65d62adc4452553bc549a5b96a0135ead1cdb2ff15334626f02d43e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae6e845b6387b1ab0678a0356877e23c

SHA1
9ed503e012d1bbcf75a7bcf934f976016ba16a43

SHA256
ef2b5af1db297ea9ceee73fb5069b2d713215148ff8db975b726fad817e4c08a

SHA512
19bb80d489f2c11378081ea5887f2a53bbc7a85d7537b976d2882f0b6c176bf13d4f22fec9bdeedc470cd8fd45ff50b8f5ee421ac938afff7a0afe98dd629e0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be5167ba79f4ae237ee3dbc5b340b7ac

SHA1
0ad1f3b3801fcd9f0cb9b53dd836bd8c987dc559

SHA256
31bd0ec74f1ca3b98f06f911ca54c7f97d536560cf227940dfa183d87b350ca8

SHA512
12667843b16804b6307dda497008f0bbf51e7a8a3618bf2414336d59efbfeac6eb2481482baec849acfc4b791b52e86b42abeb050e159b08aee962bab3784217

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f958486da82346bf388df2f54d45fc6d

SHA1
c9720fa167ea79a0cbd64fb79d6110a0d674633d

SHA256
24b0aee6b3821e0b5c1bd4ccc48de36a4e323ee456365380548838e085ac6063

SHA512
e420ba62f56d4b2d71d4d4a125b27aba0a15ea392ba929d2fe612d70e3f4e7eb2441f1d40568cfddf362cb8ab199d41451e8ce24ac2be5b3dd78e8fcd22b9a36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35792a41274419792e92b47d38a3c6fd

SHA1
1fd9ccafd9b92de5955d9bd66cda0e9146c650d9

SHA256
9ef90102e3f91b1bed2e688d84949aec597af9c3570b9069a10e516de3f38168

SHA512
3503fb61725641e4bbb7c72827f33e1747be5ed4fa5ef01f5835b0cf67a9d34040e29ae9c8d5a5eb90a4e10e1ca431fe035f4b9e6c63bc9190d3e3ec16ba6219

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ba3063c84d7d4681b72482fe54b68f5

SHA1
3d9be9fd7dbf13b28df56517f0e491eebdcec1f1

SHA256
29aa687c5a9345168bb9e22a87c77b4cbe4b17111c540855ff6c1b1c57a6a775

SHA512
4f3e32cef55c95a9c5667c5430959f369b8ba4b654fdd9123955def65f18039814dd9f02ef651b5c7aa70bbb6e5988d3b2e5949503bcaf4f385378ad31d60dc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71b2fc30a685b2ccddefa8b4081f896a

SHA1
2a44990ccb9fbb4eb919feb138ad157942b63047

SHA256
a0cc5885768eaa4d25e0c1d4e57575cd5ee3be1a197ae1e32aade5cba63e7b42

SHA512
bfc5f5576b6427e78ea6ebe6adb9c76eae6462dbf3602d01f1996e86cd992d1a94b58e9207989af4e6c9282e417ecefc9382ebfc184e21ea0ffde7e0ce582cc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19ae67ba150a590c37e1797aaaad6676

SHA1
830cba85a28e25d9fed7106b4944e307c778b74a

SHA256
7cb129f9996877da86083052498583916aea81bc4ff6ec7bbab74213cf4e6f1f

SHA512
fbe817ba183314c1e240fd01fefa39c12526fd8e6651cf5f47bb76a27aadb4d7d777e5a592dfdbba82b02e2fcf693bc55919be21650cb3ad369ae917db354da5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43487a189ff04bf7b5afc82925d1a629

SHA1
2d20f66b4ca481c0ba0afdfeb1de5a7a3eaaeced

SHA256
b6f7eb1479cd355d7b7213ab673869934cd5a74a23ce0d2a009f3ff89c157d1a

SHA512
8ada8a4727004ffb8497a3d8d293781c546aaee246788e48c4d5f9ad3b61c20d55466d275c28cb936432b146051f9679accf14833e138ff4edbe721d62f15a42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
321f962e9eb45f78f71013dfa75ec7de

SHA1
a55ac80a470d5cd9e760bc37284f2a4d8a9bd767

SHA256
604747fd36befc384e73d7df9b0dfd07334ba94ab8e465ac9353649adec875b8

SHA512
645afb5106e462ae240b879fe50e5745076cf81f9b03bd9677a38f07ce336e5456f7191b8889e0d30f7444432ccaf90ce8d406e8676ca445f28f33c1d58e3b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3a8tNGcxSj.bat

Filesize
197B

MD5
94976b5ed498a065dfdd558bc7e5ae4e

SHA1
fc9775644ff3501f5145391408fc40869a82effc

SHA256
e35db3b272e2d61b0120a676f300aca1000e40757948f1f3428e9d261c129cb8

SHA512
0201b9a0aac1e6e0799b4d71ddda375300a7b602a3faa59a0ca245d14b83a18c322457c78bf27392040fbb27ac598e409d9f6d557a3ccc3e63b56987d9035d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\6n1oUPmZQq.bat

Filesize
197B

MD5
7a067f6cf86fdb06c83d2dd3c6e8357d

SHA1
d9e25e243e3f07cd5230f3908c32591f56d44789

SHA256
a3ab8dfdaffa3f7f9a3f50c4a1225d576d9e36b810dfb1ec13e5124490277a30

SHA512
c615a88af76bc05b326c70d7f3c911bccbec351c434ea52f115ae99a676efe55d2058fecaac077e5704bab7724c6fd5eaeb4bbdc6eb67d940e9dc379a5dcb8b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab68A4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DC0SKfNvdG.bat

Filesize
197B

MD5
ad06768c5cd923cbc4ae34e9e9635fee

SHA1
f34d72708086c66e54541da0e21a1f9e8f6a8428

SHA256
b2b7b5c24e0299f08de9eb075da6a96041345a3a173a3730ba02cf9993961fea

SHA512
bc42b84f622351870781dd525f4cf6b6a8160a0663332a2b453d24f597d08abb0cfeabfd6bffc212da2ce1c39301919b62bebb913bc0accccb8ae69c2058b94c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FaowIOOII5.bat

Filesize
197B

MD5
9213fd2b7729c7ca0e32cc49802af6c6

SHA1
40c91a1c382215298212d5f2293a995e5d7f5eca

SHA256
3c65148b33d505464b40b787e86300f89a1f27aa80de7b94f6fc2ee6e97ce849

SHA512
134f62d04c0b6e2b91252e4bfcc32bed6b48d295e910de1cf54dc21cf875dc95bcb1794b7f07972dc41d2ae4405da5a30ae9a551ce0ace95993d031bf9115df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat

Filesize
197B

MD5
19dfeacb8dc272aacacedbf847b98e90

SHA1
0bd2af3294248b61c743b294bf381827b148f7d8

SHA256
32a2fa590f6496bb82148bed71faded4c39dcadb21ffef61582c611ad62cc0e0

SHA512
29db0129748521a03d76eb0ebd1917cd816000ae5584a385585a9001d00f832ed6895070adbefaab764703af002684c1136b2c568348fdad87f4727f75fd6792

Download Submit
C:\Users\Admin\AppData\Local\Temp\OZJpL0Zeaq.bat

Filesize
197B

MD5
90bb4ad061c962625b63166687cbb3e6

SHA1
e82330520356cd09f454ec62e6768fc8a807fe62

SHA256
b8619d9d68cbace7b3fc8145ea064f0d3c94a2dfa1fcab2a644040cef48b85fe

SHA512
0845ca1385beb207636087277e7c0401a7cfc8efab76db39165e23bca9a4fd26b98fc3be1ca8fdb8d79570aa837db58b4dc3f36e67066066863f225999bed423

Download Submit
C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat

Filesize
197B

MD5
7a8014d351680c4aa406a94b1ec7e962

SHA1
2898c3422ea64f37d83bdd4845b7596140202d1d

SHA256
fdb049077b38561d5ec629db6151e90c114287edade9c2815c645d27ae7a1806

SHA512
ff6f36d609ea7911fbd1697cfc9ba43cdd345d8832d16db0c90d6841bfc373830d34c174b36bde6363b44514beebfb128eb7ea45da72b0e2eb9a99c8873b34ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar68B7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\X8VSEkwS9E.bat

Filesize
197B

MD5
474cc17363c32359004fa1a4647db508

SHA1
1608d6ca77d9e94bb849f4c1ef88b7836c9ea6aa

SHA256
85f9dbdb698f1c83001d1ba35138671fca33f09070a80fab4c7752c4aed14524

SHA512
f66e9e91bb483c520e1d5fe98a21b1f4217ca29f93c7a4399e6821dd741221376e9125aaccf83f7873ca5d212a52663ea4f67e5879829fd0f9dcb2e31152dfa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat

Filesize
197B

MD5
858e5061531a2567c2fe2f12661ba676

SHA1
d6be7471d490fcff5b3778c953d7c47dda9cf381

SHA256
751974134477020b1556e1f76b6fa63096870e40879fbde743a15a2f845cabe8

SHA512
8c0a23df2cea65c3341d5b53ab9f5446381d338576b696943e256b4c20f067280260b77bf9e676d7e2dbd5fc2fb089ba553662efefab64e4b2e7a0aa3b62545a

Download Submit
C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat

Filesize
197B

MD5
1a0259982a10135ae4a9ff7b06f76fa0

SHA1
3360b88a74b8fc29403171c08a40783a7cd6b7a6

SHA256
70594a16c0938baafd400017b380e0ad0f518a3e70dfe53573893a0c8e5c6fd5

SHA512
fe20104bf764a42366704797e8fd885693605fc192d5fc574ec49388e440627a25a23d7b2648026466f381919ba0cdc2041266747e53adbcb9cf14085d736fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat

Filesize
197B

MD5
0a2cc719b7fcd5cfefc8e32db02aaa08

SHA1
372eb21b9c03d96d2089f065e4a85903bd9847b5

SHA256
f58a26d14798ac18d3125c389937571957e71a452b9283e46596879cffb5f976

SHA512
c11bb0e28a468b84fe19a7465dd7d2abd2c3b7b32ce7798069cd45f04cba4448ca8584fa524e9205a8d80722d23b3c6645116bd04188ef3de2e70a79efdcb680

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b6e983dd11b0a1571d5b7fb9dd419cc4

SHA1
74b32a6e022d9800e98075695b198688c10f11ee

SHA256
48e77500c4b304e75dba6ac8a175b80fce1999eac880b7ea7b9bf5fb844f4d3f

SHA512
b10842abb712e2f8c9c342b2ccc302419647b69ecdd1ae35dca2d452e3b881ef97d79ee53b7500d54c41d81880e7c5c360fd8ae1ff11ec88e24cc5d5f4bc0ab8

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/964-83-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/964-56-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/1876-424-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/1876-423-0x0000000000110000-0x0000000000220000-memory.dmp

Filesize
1.1MB

Download
memory/2012-244-0x0000000001390000-0x00000000014A0000-memory.dmp

Filesize
1.1MB

Download
memory/2592-484-0x0000000000B40000-0x0000000000C50000-memory.dmp

Filesize
1.1MB

Download
memory/2592-485-0x0000000000290000-0x00000000002A2000-memory.dmp

Filesize
72KB

Download
memory/2640-304-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2776-184-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/2788-604-0x0000000001140000-0x0000000001250000-memory.dmp

Filesize
1.1MB

Download
memory/2912-15-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2912-13-0x0000000000380000-0x0000000000490000-memory.dmp

Filesize
1.1MB

Download
memory/2912-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2912-17-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2912-16-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2916-782-0x0000000000260000-0x0000000000370000-memory.dmp

Filesize
1.1MB

Download
memory/2940-101-0x0000000001290000-0x00000000013A0000-memory.dmp

Filesize
1.1MB

Download