dcrat | c19b9204a229ee649dfe8d139a3bfbc280720044187c399faecf64b7a2b22ca9

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c19b9204a229ee649dfe8d139a3bfbc280720044187c399faecf64b7a2b22ca9.exe
Size

1.3MB
MD5

6a8a4d9d832c5f14f3ff2004eba42033
SHA1

656f4a86980fedc5749895929460d9ce517ee80e
SHA256

c19b9204a229ee649dfe8d139a3bfbc280720044187c399faecf64b7a2b22ca9
SHA512

3573a9b8c7558a2b9927faea5ab5fcbd47538501835912eac98c4675133c7d57de730564c3caae3448afe716e05b5f0140397eb87bda13a5869b554b0d96ce2c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2696	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2696	schtasks.exe	35

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000019214-12.dat	dcrat
behavioral1/memory/2736-13-0x0000000000B80000-0x0000000000C90000-memory.dmp	dcrat
behavioral1/memory/860-136-0x00000000011D0000-0x00000000012E0000-memory.dmp	dcrat
behavioral1/memory/2228-373-0x0000000000250000-0x0000000000360000-memory.dmp	dcrat
behavioral1/memory/2160-434-0x0000000000240000-0x0000000000350000-memory.dmp	dcrat
behavioral1/memory/1608-494-0x0000000000FC0000-0x00000000010D0000-memory.dmp	dcrat
behavioral1/memory/2276-614-0x0000000000220000-0x0000000000330000-memory.dmp	dcrat
behavioral1/memory/2304-674-0x00000000001F0000-0x0000000000300000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
536	powershell.exe
2400	powershell.exe
2492	powershell.exe
3044	powershell.exe
2216	powershell.exe
2096	powershell.exe
1604	powershell.exe
2984	powershell.exe
1516	powershell.exe
2636	powershell.exe
2352	powershell.exe
2108	powershell.exe
1612	powershell.exe
2204	powershell.exe
1944	powershell.exe
2916	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2736	DllCommonsvc.exe
860	explorer.exe
1148	explorer.exe
1500	explorer.exe
3040	explorer.exe
2228	explorer.exe
2160	explorer.exe
1608	explorer.exe
1096	explorer.exe
2276	explorer.exe
2304	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2336	cmd.exe
2336	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
15	raw.githubusercontent.com
22	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
35	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
18	raw.githubusercontent.com
25	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Uninstall Information\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\it-IT\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\it-IT\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\886983d96e3d3e	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Globalization\Sorting\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Windows\it-IT\System.exe	DllCommonsvc.exe
File created	C:\Windows\it-IT\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Windows\Globalization\Sorting\csrss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c19b9204a229ee649dfe8d139a3bfbc280720044187c399faecf64b7a2b22ca9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2416	schtasks.exe
2924	schtasks.exe
2248	schtasks.exe
1332	schtasks.exe
1128	schtasks.exe
1028	schtasks.exe
1232	schtasks.exe
1928	schtasks.exe
1876	schtasks.exe
2892	schtasks.exe
2420	schtasks.exe
1632	schtasks.exe
2228	schtasks.exe
1376	schtasks.exe
1764	schtasks.exe
2552	schtasks.exe
2596	schtasks.exe
1568	schtasks.exe
1488	schtasks.exe
2852	schtasks.exe
2224	schtasks.exe
3012	schtasks.exe
2664	schtasks.exe
848	schtasks.exe
576	schtasks.exe
1484	schtasks.exe
1736	schtasks.exe
2804	schtasks.exe
2128	schtasks.exe
1492	schtasks.exe
1700	schtasks.exe
1556	schtasks.exe
1808	schtasks.exe
1812	schtasks.exe
1380	schtasks.exe
2876	schtasks.exe
1768	schtasks.exe
2312	schtasks.exe
2000	schtasks.exe
2824	schtasks.exe
1596	schtasks.exe
1496	schtasks.exe
2024	schtasks.exe
1144	schtasks.exe
2468	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2736	DllCommonsvc.exe
2736	DllCommonsvc.exe
2736	DllCommonsvc.exe
2216	powershell.exe
2916	powershell.exe
2108	powershell.exe
2096	powershell.exe
536	powershell.exe
1944	powershell.exe
2984	powershell.exe
1516	powershell.exe
1604	powershell.exe
3044	powershell.exe
1612	powershell.exe
2400	powershell.exe
2492	powershell.exe
2352	powershell.exe
2204	powershell.exe
2636	powershell.exe
860	explorer.exe
1148	explorer.exe
1500	explorer.exe
3040	explorer.exe
2228	explorer.exe
2160	explorer.exe
1608	explorer.exe
1096	explorer.exe
2276	explorer.exe
2304	explorer.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	DllCommonsvc.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	860	explorer.exe
Token: SeDebugPrivilege	1148	explorer.exe
Token: SeDebugPrivilege	1500	explorer.exe
Token: SeDebugPrivilege	3040	explorer.exe
Token: SeDebugPrivilege	2228	explorer.exe
Token: SeDebugPrivilege	2160	explorer.exe
Token: SeDebugPrivilege	1608	explorer.exe
Token: SeDebugPrivilege	1096	explorer.exe
Token: SeDebugPrivilege	2276	explorer.exe
Token: SeDebugPrivilege	2304	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 1972	2976	JaffaCakes118_c19b9204a229ee649dfe8d139a3bfbc280720044187c399faecf64b7a2b22ca9.exe	30
PID 2976 wrote to memory of 1972	2976	JaffaCakes118_c19b9204a229ee649dfe8d139a3bfbc280720044187c399faecf64b7a2b22ca9.exe	30
PID 2976 wrote to memory of 1972	2976	JaffaCakes118_c19b9204a229ee649dfe8d139a3bfbc280720044187c399faecf64b7a2b22ca9.exe	30
PID 2976 wrote to memory of 1972	2976	JaffaCakes118_c19b9204a229ee649dfe8d139a3bfbc280720044187c399faecf64b7a2b22ca9.exe	30
PID 1972 wrote to memory of 2336	1972	WScript.exe	32
PID 1972 wrote to memory of 2336	1972	WScript.exe	32
PID 1972 wrote to memory of 2336	1972	WScript.exe	32
PID 1972 wrote to memory of 2336	1972	WScript.exe	32
PID 2336 wrote to memory of 2736	2336	cmd.exe	34
PID 2336 wrote to memory of 2736	2336	cmd.exe	34
PID 2336 wrote to memory of 2736	2336	cmd.exe	34
PID 2336 wrote to memory of 2736	2336	cmd.exe	34
PID 2736 wrote to memory of 1516	2736	DllCommonsvc.exe	81
PID 2736 wrote to memory of 1516	2736	DllCommonsvc.exe	81
PID 2736 wrote to memory of 1516	2736	DllCommonsvc.exe	81
PID 2736 wrote to memory of 2096	2736	DllCommonsvc.exe	82
PID 2736 wrote to memory of 2096	2736	DllCommonsvc.exe	82
PID 2736 wrote to memory of 2096	2736	DllCommonsvc.exe	82
PID 2736 wrote to memory of 2216	2736	DllCommonsvc.exe	83
PID 2736 wrote to memory of 2216	2736	DllCommonsvc.exe	83
PID 2736 wrote to memory of 2216	2736	DllCommonsvc.exe	83
PID 2736 wrote to memory of 2204	2736	DllCommonsvc.exe	84
PID 2736 wrote to memory of 2204	2736	DllCommonsvc.exe	84
PID 2736 wrote to memory of 2204	2736	DllCommonsvc.exe	84
PID 2736 wrote to memory of 2400	2736	DllCommonsvc.exe	85
PID 2736 wrote to memory of 2400	2736	DllCommonsvc.exe	85
PID 2736 wrote to memory of 2400	2736	DllCommonsvc.exe	85
PID 2736 wrote to memory of 536	2736	DllCommonsvc.exe	86
PID 2736 wrote to memory of 536	2736	DllCommonsvc.exe	86
PID 2736 wrote to memory of 536	2736	DllCommonsvc.exe	86
PID 2736 wrote to memory of 1604	2736	DllCommonsvc.exe	87
PID 2736 wrote to memory of 1604	2736	DllCommonsvc.exe	87
PID 2736 wrote to memory of 1604	2736	DllCommonsvc.exe	87
PID 2736 wrote to memory of 1612	2736	DllCommonsvc.exe	88
PID 2736 wrote to memory of 1612	2736	DllCommonsvc.exe	88
PID 2736 wrote to memory of 1612	2736	DllCommonsvc.exe	88
PID 2736 wrote to memory of 2108	2736	DllCommonsvc.exe	90
PID 2736 wrote to memory of 2108	2736	DllCommonsvc.exe	90
PID 2736 wrote to memory of 2108	2736	DllCommonsvc.exe	90
PID 2736 wrote to memory of 3044	2736	DllCommonsvc.exe	91
PID 2736 wrote to memory of 3044	2736	DllCommonsvc.exe	91
PID 2736 wrote to memory of 3044	2736	DllCommonsvc.exe	91
PID 2736 wrote to memory of 2352	2736	DllCommonsvc.exe	93
PID 2736 wrote to memory of 2352	2736	DllCommonsvc.exe	93
PID 2736 wrote to memory of 2352	2736	DllCommonsvc.exe	93
PID 2736 wrote to memory of 2916	2736	DllCommonsvc.exe	94
PID 2736 wrote to memory of 2916	2736	DllCommonsvc.exe	94
PID 2736 wrote to memory of 2916	2736	DllCommonsvc.exe	94
PID 2736 wrote to memory of 1944	2736	DllCommonsvc.exe	96
PID 2736 wrote to memory of 1944	2736	DllCommonsvc.exe	96
PID 2736 wrote to memory of 1944	2736	DllCommonsvc.exe	96
PID 2736 wrote to memory of 2984	2736	DllCommonsvc.exe	97
PID 2736 wrote to memory of 2984	2736	DllCommonsvc.exe	97
PID 2736 wrote to memory of 2984	2736	DllCommonsvc.exe	97
PID 2736 wrote to memory of 2636	2736	DllCommonsvc.exe	98
PID 2736 wrote to memory of 2636	2736	DllCommonsvc.exe	98
PID 2736 wrote to memory of 2636	2736	DllCommonsvc.exe	98
PID 2736 wrote to memory of 2492	2736	DllCommonsvc.exe	100
PID 2736 wrote to memory of 2492	2736	DllCommonsvc.exe	100
PID 2736 wrote to memory of 2492	2736	DllCommonsvc.exe	100
PID 2736 wrote to memory of 3032	2736	DllCommonsvc.exe	113
PID 2736 wrote to memory of 3032	2736	DllCommonsvc.exe	113
PID 2736 wrote to memory of 3032	2736	DllCommonsvc.exe	113
PID 3032 wrote to memory of 948	3032	cmd.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c19b9204a229ee649dfe8d139a3bfbc280720044187c399faecf64b7a2b22ca9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c19b9204a229ee649dfe8d139a3bfbc280720044187c399faecf64b7a2b22ca9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\it-IT\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\Sorting\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wwu99TxJR.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3032
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:948
      - C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QVLs15dYuc.bat"
        7⤵
        
        PID:2740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2360
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AMKHlt6LWj.bat"
        9⤵
        
        PID:1824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1604
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rZY5mW9Lj2.bat"
        11⤵
        
        PID:2332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1568
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat"
        13⤵
        
        PID:1080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3004
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rcE1qBYVKA.bat"
        15⤵
        
        PID:1144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1816
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat"
        17⤵
        
        PID:2984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2196
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jlvf1Vq2YP.bat"
        19⤵
        
        PID:1948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:3004
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat"
        21⤵
        
        PID:2128
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1876
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6xwNL0dL8Y.bat"
        23⤵
        
        PID:1732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3028
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BcIiUXCUMc.bat"
        25⤵
        
        PID:1376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\it-IT\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\it-IT\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Globalization\Sorting\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Globalization\Sorting\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Globalization\Sorting\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68ada5c2094771191b3a318200ed8f97

SHA1
613875cc9196d547475c167001346f3a0c33d687

SHA256
7917068d9682b53145e1f0b2cfae96b625d3229d84a3de06fb374b8a18ece4bc

SHA512
ecfa9d0ee844456e77d39975b4aa38b640af00077cd031330ed5f4557bcfc2751c2cc73d101329bdd9851808a309e28c0791cb75f09ce81d76699e3e23b52a47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
422d0e01581db9d74da941f812ccd644

SHA1
982d133673c441b238b3b80767fffa48c1feff63

SHA256
6931e4ecc3d19b7b55d6edc226bbd421d4ebe6579a31f75d238a49720ca4e519

SHA512
f8d3b6deb712b5afb7c71f60cde4014ee03b6d8b6b45fb9bab72c4b240787f42dcca58d63214823605e76f01321b4a9792c4d4b53623f8f45f04c24ac84eb881

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
460bc5f85418c821a2dcfd39c9273348

SHA1
1d7f4a44ead0d4074ab47db87cfa701483e72133

SHA256
e8995b6c25817f4e27f1a639454eb22c25d3b5666b770be4944e89905427767a

SHA512
1e5d45b118640b3afe96d50d77b54004c2aa72e4bbcd686c28c26ec8376b2b872695adb37a40f5ba51761b2c7ce5d6e53f0c0ca535a5926546897ddd65fe248f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e45475b3744455000455f7a7d1baa69

SHA1
133acbf943101a48b7e38a338c9c95980e8de2d2

SHA256
b9836f9be49ffc9b58189785e7c49f8fce808cd25bbd20e7e4067c311c76a9c8

SHA512
4f4f38a182c1f37c6a01cbfcbded087e62ba429348cff10e31c6767f1fca6268f477472d1e05d7658cefe4a4194cf203f867bf1f6242777b1783346fcc679e11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0332cde95cd1a6009166eaf0b819ce64

SHA1
6c0740a4fdfcea6e0ca62d28b05b9b298b535eea

SHA256
554ae8d9ff377b1dd9351a48e916c6f9ebfa9e182704371993c246af9029936b

SHA512
8933cfd0b781effd59548c7bc35e2d672e0f1f047f57cb42993ebb291518a0586a52c91ceb3df8f76d3cf51d7f62a8b2ddb59fc62dc7d61c8cddd185bef85844

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8db2a1d34e83a2f48a66e55fac2d01ef

SHA1
015cea65d90f45279cd645f438df7f9ddeb0484a

SHA256
57971c30aa8b9b5abfd831d3ca51eb96aac9508dc1389b0a18a890a6bac86ec9

SHA512
830a79d5b52cc729a5a0a5b4ef3fd79887f317140d5ec7ee77bb7eec13b139ac45ad506c033346f77b23371143f3df778a7b2eda0c64d29deafd20464ae1cc74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0db68aa22d1a9221caf97e84154da3ab

SHA1
75b8605364af21848f0be056a1e65c0084f34742

SHA256
dbe12e3743f6e5521489cf024b9468625ea20229bf36a5aaa4ea909e326d8ca5

SHA512
25f281a256f0c1bcb5b1c3e53cacefac4386786513763d37082c31c99aa92640dd710990a76f33ddf125586b1189072cf305dd1a9c26e601a0afe0b6e250f050

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8fc2804589506dbe2a6432ab5446b16

SHA1
cefa0ecd28fd77a62d10b1f3421ca394a5885935

SHA256
64e3cb08ff0e7f513931d559e173433f0de8545e0a5267823bdb7de08dd7293b

SHA512
df98f3fc2e952dd7aca5af553fdcd5017f7654e9c4dedb0d9e2b69b67c1b77c44a217f112227162506aa5f8b367f5fcf843b7bd33d8843f274c7ef730586104f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e01d039213c7f3bbb110dccf4b5f4ff

SHA1
2250fa936617e48b1e545f001dadf87eb4c45459

SHA256
838a27a86085b9b9d7895bb0e455fdca195281ea6ca53041c2d4a8f160540e33

SHA512
731bb9837f41a4e4e9b007e9e4251b2a4ca7aa7f51e033cedd243023317cd6ff15404aa1edba8c51e679d537dcdc6102a660bc2313a5a425f8977f38c28265c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2wwu99TxJR.bat

Filesize
195B

MD5
e834e453d26db2ba40f2abe1a1fc5a90

SHA1
a4c00b53032c7c74c13d9af9ba129fbace9ea069

SHA256
fb50ebc17d93e459ce6d88831f3bb37365f013987de9bb1ca950dc81359d0390

SHA512
fd85aecef8f3b1a515acab61a654ada9ae27eae42b370fd832d7d7c3a975ab30df274a78463ac4d577a4e926e200418f11920e9f2d5e2191c5453a2bee474351

Download Submit
C:\Users\Admin\AppData\Local\Temp\6xwNL0dL8Y.bat

Filesize
195B

MD5
4a69f000072f5aeca711828197a81456

SHA1
7f8e424effcc63849d750c94116e346d47b896d4

SHA256
4a074d5233d489f6eb2f27ba3067aaae7e2877608023a43340b724a08b6f470f

SHA512
4308feba66cec521ebab9590c0159327cce0424ea6564c9267421521b6e9406c5e59475b1ff01a0671911ecd6e93849d798e02b3d743a53ab93fb8edb676b74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMKHlt6LWj.bat

Filesize
195B

MD5
ffcdcbcb29efc1b208e99027820827a0

SHA1
7ababacd9ec373565b6e5181d87ddd31c4aa8814

SHA256
3fbb64c80735de855498cb69d5af3a35ff785194b0158de8bcfad984c6055886

SHA512
721e1dab3bc7e6f6e94f197628f74c7c5df521cb32bf3b482798b3f2cdd1cc007e6638056ad9b38517423a8ece05d4deba4868400eb2b6c30cecf7ce8615655a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BcIiUXCUMc.bat

Filesize
195B

MD5
17ab219827ba65609f591be1f5f8f39d

SHA1
117456d1dd8c6bb398a328d7fd4c81b41c4f0d8b

SHA256
58affbbb1b0bb4e255e1e4cb6322bcc0ec87de66e55da89bc97d0f37657fc5f7

SHA512
e3a0d78d21e05cce1317540cce3fd9227e923a7dd960ba1997b52803d268c7febb3369a7cc3a28b356da0686ca87e9df9ab3069ed002f7219f234875c2ebddea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1518.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jlvf1Vq2YP.bat

Filesize
195B

MD5
d4194dd606470dc19bc4eb55e58a5b6b

SHA1
f457972fa9d54dae96d06c3fd9adddda972241d1

SHA256
e4e172b28b9a45d2c7c48bdbdfab79d30324ae4522e2e734e70344cd27d78fc1

SHA512
a30f0dfc2803a56571ce95c58181fdc79233f0c8a636dae552f64e79611cbd1c95e4255a06acd2979e06f93727fbb5e82123e98168f846e162b56aea99416332

Download Submit
C:\Users\Admin\AppData\Local\Temp\QVLs15dYuc.bat

Filesize
195B

MD5
7be054fee76b3cee04390e495e416df4

SHA1
bdecb2aa02d7dad57f057ed83c87f99181978f6d

SHA256
c26ce3a0372b039904664a27e265d033d89e11cac2e8d048ba84999675e09c5f

SHA512
3e33558cff1ce9055d3f9d2360bcc312a73b7fe8fc92d823b34a690f92e541512151bf35f2fa8c42b42b5ceab0bb0658a003f8b49b7ba716b5e0491bbcf206cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat

Filesize
195B

MD5
c465a748a26bf0f42700366d661e5951

SHA1
096bced7c57b0c33277629ea5c37b054c991d057

SHA256
29dd2a217990a928aa1f1eadf2fd6acd8a0624a9ee55e8f3d795d34ca23285f2

SHA512
ba811913b2824936ba7cc6f5e069a68997702331b1914adbb9bb4cbedbdb7efe4719a93a4966ae9a20ad1bd2c5e736abdcad24401285d2080c196ef96b88286b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar154A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat

Filesize
195B

MD5
33745f8c12001aee21e5b3f8ff50a451

SHA1
68e2d4b24cb92aa9a39b03e939c78fea91245e43

SHA256
efe98e7085e65a203bc9dce3b20486d91de69984e1f5b7f719498b11de3b4184

SHA512
792570d4818e6bb076a398e04340fa8c83bf2a23b278237bbb7cca0ad7624cb77a21928f06182a4c8b60bbdd32cebbab08c56f4d792248db65c1b64596066910

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat

Filesize
195B

MD5
ff070fac54d30f7d8d282d88b4174364

SHA1
cd49a06dfe8f421398b0f3fac6ebf947be1b62fc

SHA256
106c7def06a7db78046406ef6ce72c8c059d7af8755979eaf6ea0147ae65defa

SHA512
5124c7622206e2988d29f541ab921e0f7d547d08a9e170e656c3b2ae2fde2bb56bd8099daa57fac69ae5b38dba39afe4ef5414dbeb4a5d560a8233d724cd1590

Download Submit
C:\Users\Admin\AppData\Local\Temp\rZY5mW9Lj2.bat

Filesize
195B

MD5
a6b42d75bd1f334083fdbd95483cad72

SHA1
b089e86cc488cae3d2a3de5135aab92684b367bc

SHA256
ff55bb336f9dd5d925bb222f7f1a9cb753140faf927a2866af815a96b1be7199

SHA512
dbbe2548cfa5348312bc266cecf68d89ea804938f66af250032159d16005b1ec5c9edd30b72a9b09951f6500e3304cc6ff59bd051e32de32555809a2d4bdee94

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcE1qBYVKA.bat

Filesize
195B

MD5
c416563d48765a6918fca7f856c6e0f5

SHA1
1ef5e6cc8ae9604f363adad3500b6930e47d2543

SHA256
40ada71ab911164e283af571e45d6b33b8f49ed1826f904721719e71c80c9e25

SHA512
b2bead82e2f648610d9f9fa7867f7fe6d08212c8584420be4009285bee4b95b77017cf7e4633225640258ed8d5c578e4237e603d6380f04d372326b3e1818dd9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
79e75b673cc1b700f254790a0a25f90f

SHA1
c044b90e06b75a2f2f43845201f1bf655767e6a1

SHA256
83a80e6236bf8194b3e38956fa93beddd3b583a122d2b59d49955b03ba65c918

SHA512
2fcde443a1ae5bbfcbfcbee87374254c24aca403216a6732c84ca201fced0bf615038d09ca1d76411666429c4d8da064441373772fdeebbbe69ae0bfada3b7e8

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/860-137-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/860-136-0x00000000011D0000-0x00000000012E0000-memory.dmp

Filesize
1.1MB

Download
memory/1608-495-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/1608-494-0x0000000000FC0000-0x00000000010D0000-memory.dmp

Filesize
1.1MB

Download
memory/2160-434-0x0000000000240000-0x0000000000350000-memory.dmp

Filesize
1.1MB

Download
memory/2216-77-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2216-57-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2228-373-0x0000000000250000-0x0000000000360000-memory.dmp

Filesize
1.1MB

Download
memory/2228-374-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2276-614-0x0000000000220000-0x0000000000330000-memory.dmp

Filesize
1.1MB

Download
memory/2304-674-0x00000000001F0000-0x0000000000300000-memory.dmp

Filesize
1.1MB

Download
memory/2736-15-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2736-13-0x0000000000B80000-0x0000000000C90000-memory.dmp

Filesize
1.1MB

Download
memory/2736-14-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2736-16-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2736-17-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download