dcrat | 0530ecc8508010c5e2609173a9d90eb39035325ce748fa2540fe362563b50a71

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0530ecc8508010c5e2609173a9d90eb39035325ce748fa2540fe362563b50a71.exe
Size

1.3MB
MD5

6a3c9298a7e39ebd4939ac63c559d17a
SHA1

5b09ca1cbf00764f60d4052539d368141fdb9a3a
SHA256

0530ecc8508010c5e2609173a9d90eb39035325ce748fa2540fe362563b50a71
SHA512

de64ee340288a78324bca1edd87b36d4ddab7af74197e7d27c7122b32661ca1b31002c3406af933e4a93f5380698399cd98cab57017be24e7eb86c59a6ebf65b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2728	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000160d5-11.dat	dcrat
behavioral1/memory/2748-13-0x0000000000A90000-0x0000000000BA0000-memory.dmp	dcrat
behavioral1/memory/2884-153-0x0000000000840000-0x0000000000950000-memory.dmp	dcrat
behavioral1/memory/2252-212-0x0000000000370000-0x0000000000480000-memory.dmp	dcrat
behavioral1/memory/2284-272-0x00000000010F0000-0x0000000001200000-memory.dmp	dcrat
behavioral1/memory/1624-451-0x0000000001180000-0x0000000001290000-memory.dmp	dcrat
behavioral1/memory/2368-511-0x00000000012C0000-0x00000000013D0000-memory.dmp	dcrat
behavioral1/memory/2884-571-0x0000000000130000-0x0000000000240000-memory.dmp	dcrat
behavioral1/memory/2116-631-0x0000000000970000-0x0000000000A80000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2744	powershell.exe
3044	powershell.exe
2380	powershell.exe
1172	powershell.exe
2820	powershell.exe
2872	powershell.exe
2784	powershell.exe
2604	powershell.exe
2736	powershell.exe
2628	powershell.exe
2444	powershell.exe
1252	powershell.exe
2396	powershell.exe
916	powershell.exe
108	powershell.exe
2836	powershell.exe
2612	powershell.exe
876	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2748	DllCommonsvc.exe
2884	sppsvc.exe
2252	sppsvc.exe
2284	sppsvc.exe
1836	sppsvc.exe
2092	sppsvc.exe
1624	sppsvc.exe
2368	sppsvc.exe
2884	sppsvc.exe
2116	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2332	cmd.exe
2332	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
5	raw.githubusercontent.com
13	raw.githubusercontent.com

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\it-IT\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\it-IT\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\69ddcba757bf72	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\f3b6ecef712a24	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0530ecc8508010c5e2609173a9d90eb39035325ce748fa2540fe362563b50a71.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
992	schtasks.exe
896	schtasks.exe
280	schtasks.exe
840	schtasks.exe
2752	schtasks.exe
1984	schtasks.exe
1084	schtasks.exe
1676	schtasks.exe
2220	schtasks.exe
2276	schtasks.exe
1708	schtasks.exe
2212	schtasks.exe
1032	schtasks.exe
1380	schtasks.exe
2056	schtasks.exe
960	schtasks.exe
2044	schtasks.exe
892	schtasks.exe
2724	schtasks.exe
2688	schtasks.exe
800	schtasks.exe
2484	schtasks.exe
1664	schtasks.exe
2280	schtasks.exe
1492	schtasks.exe
1804	schtasks.exe
1864	schtasks.exe
1236	schtasks.exe
1756	schtasks.exe
1292	schtasks.exe
1088	schtasks.exe
1376	schtasks.exe
2168	schtasks.exe
1848	schtasks.exe
2540	schtasks.exe
1360	schtasks.exe
2292	schtasks.exe
2236	schtasks.exe
2560	schtasks.exe
2632	schtasks.exe
2976	schtasks.exe
1716	schtasks.exe
1612	schtasks.exe
1308	schtasks.exe
2700	schtasks.exe
1992	schtasks.exe
1264	schtasks.exe
2640	schtasks.exe
3048	schtasks.exe
2024	schtasks.exe
1692	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 9 IoCs

pid	Process
2884	sppsvc.exe
2252	sppsvc.exe
2284	sppsvc.exe
1836	sppsvc.exe
2092	sppsvc.exe
1624	sppsvc.exe
2368	sppsvc.exe
2884	sppsvc.exe
2116	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2748	DllCommonsvc.exe
2748	DllCommonsvc.exe
2748	DllCommonsvc.exe
2748	DllCommonsvc.exe
2748	DllCommonsvc.exe
876	powershell.exe
2836	powershell.exe
108	powershell.exe
2604	powershell.exe
916	powershell.exe
1172	powershell.exe
2380	powershell.exe
2744	powershell.exe
2872	powershell.exe
2444	powershell.exe
2396	powershell.exe
2820	powershell.exe
2736	powershell.exe
2628	powershell.exe
1252	powershell.exe
3044	powershell.exe
2612	powershell.exe
2784	powershell.exe
2884	sppsvc.exe
2252	sppsvc.exe
2284	sppsvc.exe
1836	sppsvc.exe
2092	sppsvc.exe
1624	sppsvc.exe
2368	sppsvc.exe
2884	sppsvc.exe
2116	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	DllCommonsvc.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	108	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2884	sppsvc.exe
Token: SeDebugPrivilege	2252	sppsvc.exe
Token: SeDebugPrivilege	2284	sppsvc.exe
Token: SeDebugPrivilege	1836	sppsvc.exe
Token: SeDebugPrivilege	2092	sppsvc.exe
Token: SeDebugPrivilege	1624	sppsvc.exe
Token: SeDebugPrivilege	2368	sppsvc.exe
Token: SeDebugPrivilege	2884	sppsvc.exe
Token: SeDebugPrivilege	2116	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2916	2380	JaffaCakes118_0530ecc8508010c5e2609173a9d90eb39035325ce748fa2540fe362563b50a71.exe	30
PID 2380 wrote to memory of 2916	2380	JaffaCakes118_0530ecc8508010c5e2609173a9d90eb39035325ce748fa2540fe362563b50a71.exe	30
PID 2380 wrote to memory of 2916	2380	JaffaCakes118_0530ecc8508010c5e2609173a9d90eb39035325ce748fa2540fe362563b50a71.exe	30
PID 2380 wrote to memory of 2916	2380	JaffaCakes118_0530ecc8508010c5e2609173a9d90eb39035325ce748fa2540fe362563b50a71.exe	30
PID 2916 wrote to memory of 2332	2916	WScript.exe	31
PID 2916 wrote to memory of 2332	2916	WScript.exe	31
PID 2916 wrote to memory of 2332	2916	WScript.exe	31
PID 2916 wrote to memory of 2332	2916	WScript.exe	31
PID 2332 wrote to memory of 2748	2332	cmd.exe	33
PID 2332 wrote to memory of 2748	2332	cmd.exe	33
PID 2332 wrote to memory of 2748	2332	cmd.exe	33
PID 2332 wrote to memory of 2748	2332	cmd.exe	33
PID 2748 wrote to memory of 876	2748	DllCommonsvc.exe	86
PID 2748 wrote to memory of 876	2748	DllCommonsvc.exe	86
PID 2748 wrote to memory of 876	2748	DllCommonsvc.exe	86
PID 2748 wrote to memory of 108	2748	DllCommonsvc.exe	87
PID 2748 wrote to memory of 108	2748	DllCommonsvc.exe	87
PID 2748 wrote to memory of 108	2748	DllCommonsvc.exe	87
PID 2748 wrote to memory of 916	2748	DllCommonsvc.exe	88
PID 2748 wrote to memory of 916	2748	DllCommonsvc.exe	88
PID 2748 wrote to memory of 916	2748	DllCommonsvc.exe	88
PID 2748 wrote to memory of 2380	2748	DllCommonsvc.exe	90
PID 2748 wrote to memory of 2380	2748	DllCommonsvc.exe	90
PID 2748 wrote to memory of 2380	2748	DllCommonsvc.exe	90
PID 2748 wrote to memory of 2396	2748	DllCommonsvc.exe	91
PID 2748 wrote to memory of 2396	2748	DllCommonsvc.exe	91
PID 2748 wrote to memory of 2396	2748	DllCommonsvc.exe	91
PID 2748 wrote to memory of 2444	2748	DllCommonsvc.exe	95
PID 2748 wrote to memory of 2444	2748	DllCommonsvc.exe	95
PID 2748 wrote to memory of 2444	2748	DllCommonsvc.exe	95
PID 2748 wrote to memory of 1172	2748	DllCommonsvc.exe	96
PID 2748 wrote to memory of 1172	2748	DllCommonsvc.exe	96
PID 2748 wrote to memory of 1172	2748	DllCommonsvc.exe	96
PID 2748 wrote to memory of 2820	2748	DllCommonsvc.exe	97
PID 2748 wrote to memory of 2820	2748	DllCommonsvc.exe	97
PID 2748 wrote to memory of 2820	2748	DllCommonsvc.exe	97
PID 2748 wrote to memory of 2872	2748	DllCommonsvc.exe	99
PID 2748 wrote to memory of 2872	2748	DllCommonsvc.exe	99
PID 2748 wrote to memory of 2872	2748	DllCommonsvc.exe	99
PID 2748 wrote to memory of 2836	2748	DllCommonsvc.exe	100
PID 2748 wrote to memory of 2836	2748	DllCommonsvc.exe	100
PID 2748 wrote to memory of 2836	2748	DllCommonsvc.exe	100
PID 2748 wrote to memory of 2744	2748	DllCommonsvc.exe	101
PID 2748 wrote to memory of 2744	2748	DllCommonsvc.exe	101
PID 2748 wrote to memory of 2744	2748	DllCommonsvc.exe	101
PID 2748 wrote to memory of 2784	2748	DllCommonsvc.exe	103
PID 2748 wrote to memory of 2784	2748	DllCommonsvc.exe	103
PID 2748 wrote to memory of 2784	2748	DllCommonsvc.exe	103
PID 2748 wrote to memory of 2604	2748	DllCommonsvc.exe	104
PID 2748 wrote to memory of 2604	2748	DllCommonsvc.exe	104
PID 2748 wrote to memory of 2604	2748	DllCommonsvc.exe	104
PID 2748 wrote to memory of 2612	2748	DllCommonsvc.exe	105
PID 2748 wrote to memory of 2612	2748	DllCommonsvc.exe	105
PID 2748 wrote to memory of 2612	2748	DllCommonsvc.exe	105
PID 2748 wrote to memory of 3044	2748	DllCommonsvc.exe	107
PID 2748 wrote to memory of 3044	2748	DllCommonsvc.exe	107
PID 2748 wrote to memory of 3044	2748	DllCommonsvc.exe	107
PID 2748 wrote to memory of 2628	2748	DllCommonsvc.exe	108
PID 2748 wrote to memory of 2628	2748	DllCommonsvc.exe	108
PID 2748 wrote to memory of 2628	2748	DllCommonsvc.exe	108
PID 2748 wrote to memory of 2736	2748	DllCommonsvc.exe	110
PID 2748 wrote to memory of 2736	2748	DllCommonsvc.exe	110
PID 2748 wrote to memory of 2736	2748	DllCommonsvc.exe	110
PID 2748 wrote to memory of 1252	2748	DllCommonsvc.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0530ecc8508010c5e2609173a9d90eb39035325ce748fa2540fe362563b50a71.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0530ecc8508010c5e2609173a9d90eb39035325ce748fa2540fe362563b50a71.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\fr-FR\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\it-IT\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\it-IT\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3fF3ABNGU3.bat"
        5⤵
        
        PID:1868
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1916
      - C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat"
        7⤵
        
        PID:444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2520
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat"
        9⤵
        
        PID:1760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3040
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"
        11⤵
        
        PID:2620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:300
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2U51WDObLZ.bat"
        13⤵
        
        PID:2520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1512
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PeSwWR6joe.bat"
        15⤵
        
        PID:928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1400
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VoHf0I0Wzs.bat"
        17⤵
        
        PID:2164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:464
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat"
        19⤵
        
        PID:1984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2488
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat"
        21⤵
        
        PID:1172
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1884
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\it-IT\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\it-IT\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f31cbe40b74cdc5b159a7ce6e06b6a43

SHA1
0682f15c33453d2c3d0a366c0584486b025d1f88

SHA256
53b9fceb9655f37f233502041edc6f1352f58c6f54e9e13323a6d3b44436529e

SHA512
619a5ed6769a63a0f47b72b5049da1ef7b48a53aba3ce44be2363219cd10abc32550eb2e50742ae51a331ec1a7951fdbe6e874cd8e815d59fa71212dae027fe2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
032a7d7de2c1e055cc81aab7b9e96e54

SHA1
fde5db188a58152373ea9e86632bb93bb0637f8a

SHA256
432a35c502b4f73608ce2bde9dfdc7ae38c2a2a04088a4bb0cfb584ec426d357

SHA512
e9b98a88d38f4ab842fa3b691b2df221223527ffb77251f5478f85d3dd9e40a0b9524bc8c4afc70f50c53c3e340581d75cdda2d7129f7581162065e7f07c6907

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8bea029ad857751175490740295716fe

SHA1
0f7216e0bdf3011903528c722f92cacb021b5dd0

SHA256
beffa5b76bc86318ca67b939a7a6bed0b6d0a56c496d027eec02485d7095b639

SHA512
30b729bea5b93d0ee5490869a14583ea8ab19919326f2e7b374734c8b215f4309c7ad895c47435a7cc106b47f6c7c5965f09c4f6096f3759692e2716d2257502

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49b1465ec02418e1afc324d9f805e440

SHA1
8516388c9b2e093d6a8c28635bea6ef4246be76b

SHA256
2f1c6149f157215557d4c0f8a3676abeed16e4a2e75d5c0253e6d6f91536e0db

SHA512
1c268e7de1ae4baf9176fe78bbcd8ffb8519ede9d0bf4310c8d88e320f0ae404eddaba31436965cbb3279eaaf065930328970d1091fe9959f6faa6453be71118

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6a54fce2b85def98f1f8d6ae56a2393

SHA1
d56c0ad5d5c5a4047269da4d6e44685ec8d6a50b

SHA256
da6c32e009828b37a8565237a4086f3569941b5fe2f664eb6adfddbd05c11a62

SHA512
1041eb1c7fa764d94253c47f9d82145cab5189276a64a6f34d3580189e4d73fa3076a11a69fb70e703489f6f0fee9572a7114444bf47425e80a40e996286086e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
022e41996afe2bc17c4a6e13182a8d8a

SHA1
d338922b17d748514857403c66fc9fdbf5262e54

SHA256
3e61ebf16f785ca34ad4199ced42c561fd33dc8cc42538c16cc3636b6f011233

SHA512
eea054d099cdeaf258e4131b12fae9df5087d10f050507bf835a91508ac803ec1564e2f5542ca5fcfbd1a9d7d859acfc96128bcd6f1c2d97f1dad9da63a388ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52e5f573225d468e68740ead65bf4b73

SHA1
45a911e878bf77c5d551a18631c5267583a851f8

SHA256
a914cff459ae01dd405410344e561a001a0c07f47c0a1d52310a6a3694f72631

SHA512
b8062870fecf0aa3bbe3003226e067cdad9354c73131d8847b03925779e4ed3e4ed258680e3f0a3d17049741870f76c079b070b79f323913cdf52fccfdab9c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2U51WDObLZ.bat

Filesize
224B

MD5
94f4ae7fe931a73ff5fab20954de0cbf

SHA1
bbc90dcff97e0593b26e0eef18c0295896f574a5

SHA256
93d49218da718562e7178362711ad1f6dd7be45e55c274c2a92661a07ad91271

SHA512
340b97baf0294e7e029b91dd1e3255b89fd23b857fa2f50ee42aeca1082362e42251739a31457f70838e84d559796c84cdcf5424b9ca0b86844b5a4b0eb980d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fF3ABNGU3.bat

Filesize
224B

MD5
69bd1e53af797ca69c0a8f873ece5350

SHA1
2eb4fed4f205dfb8e1ffaa1265d6addb943a38e6

SHA256
6d60f5dcd96e71679074869a94997266f4a6bd2036600924e5293d80c115a302

SHA512
7ea9381927a931a75ca3535c95553997a941386532d28e9432d98e68af545fe43a020ca595c34190ab33508a7804b7c453fa3e4e6e7fa0f6eb9827f7961b9be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7DBA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat

Filesize
224B

MD5
0c042db35123b6e16c6407bfe993b08d

SHA1
9592242ed49bd84087bff034eda831b4428645e9

SHA256
e1a69830142afe0609d3ff156b563ee45aade04db3384ac2f6daec4872fbfaaf

SHA512
889a18df2eec508b53e5855b4cfb6951b2b1fce869592931ea379e53d61aa56586f7f9a703691f5ecf5bc740e49faae6cea8389d8e4680581a9fa6939936cc8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PeSwWR6joe.bat

Filesize
224B

MD5
189464fa7a784365f19d4fdc0ceb1fbb

SHA1
554c985c597f24d2a3904917cc753d7955fa2844

SHA256
2aa1e9c0ecc18b6db09b72be4b2d79ed0a0a871dcfe75efc418618db83c3bddf

SHA512
83dfe1322a8bb983599f41fc57d3f02bac62657f8c331169657e5aae502d7771e451728479f9e552ae4e16c7ed1fc3aa7f9610f49ab631502abed94905997260

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7DCC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VoHf0I0Wzs.bat

Filesize
224B

MD5
619cfd1165afa7b55ff2dba0b5a646de

SHA1
31eb427cecf3ff1de0c5cbb14310af80a9be7048

SHA256
e6f2080938d6fa76319acfc83ee899a007f7fdda3bf9f6849e5e9cb9d6c6cebe

SHA512
c1057f70261ba53000f9502b4e037a52bc43e418ea91035fe8f903a2d1d0c5341c3388c8c8b2b6862d5412637a604447fabb473fbc1727a1a6d060ab7ab1b7be

Download Submit
C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat

Filesize
224B

MD5
c72e83a6dc0b0f2f56cf4ccb94b3d0ba

SHA1
bd83e6af43aa3bf8288af1876fd12851a9db9510

SHA256
a00042d51b245ff4503a8447305127be55249492608ac8ab097131a2f871afd6

SHA512
f90946668741bd8e07cfab103d8224b24d0749052e2b61ef0b2d887ed531534620f08165d65680fbb5ca00ce2abf301c4f2cb380b5e5fa93f7abebde0c75db54

Download Submit
C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat

Filesize
224B

MD5
644d2573bd840d6ac41d9d2866ae16c6

SHA1
837aa8dbbeb43b64d17c57803a985764a2a7188c

SHA256
bbfb5ed81be7fd62e54c08bf7a0f43127b0b5b93cbfc86117c10c181f951b63d

SHA512
507f859727dd690f002c0ba0eb01864274168bf9d4f91615f6888a68cdf20d3bd89a4eed7b9dfbf98b93ff3637aa362ce24611cc1ebc044270f4ba5624329631

Download Submit
C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat

Filesize
224B

MD5
fbbe5a0ce33e95616f79e96c594cde21

SHA1
13a916f04a38c492bd59d6e84ccc48f1ed1d54e3

SHA256
0aaf681a6b0ab5c402963d42fa1ffc6ebbc2e8be13185fde40550dcbe18c5f1a

SHA512
0eec4123bb0855b0ea8908d17e5b5e96d77800d6d40934a5d5ae32643df1441da7a66e0ea43ac39da4c1dc0fb06065150d7d76c3d214b4870b54ae50fab3427f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat

Filesize
224B

MD5
c288781613534effd1b80f276d0076c3

SHA1
670dc0bfa0020e97b7b11b9c58d4772b5f0da367

SHA256
b6d98787cb9c18296b4119fbe27c891f16d28ad83b253dded6f80b544d214259

SHA512
b021f1fd089b9c277b93f9560ab3d4f262525c5c82e0792889659f929121001d2f0bd3ee104bde779606a293d4bc61c989b6fdebfb9050ce33e5e2ddb39812fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2bc3ce4da8f68b77b45fe31770929786

SHA1
e528baa6eb5cb32506694904cc0fc701bf7232d9

SHA256
36c3e404a71c20480ccdc3f8d5e8cb2e8abbbe4b784159483a1d4346fcaa61ea

SHA512
671c0847b57b7d6541c8d946121efa7bbbc66a549c1a4b415e1ce726c58d4b5ce8fd326b17cf9197ecb9a350e5b3ceb129ec79f13a6483684702fe0710ead2cb

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/108-71-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/876-72-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/1624-451-0x0000000001180000-0x0000000001290000-memory.dmp

Filesize
1.1MB

Download
memory/2116-631-0x0000000000970000-0x0000000000A80000-memory.dmp

Filesize
1.1MB

Download
memory/2252-212-0x0000000000370000-0x0000000000480000-memory.dmp

Filesize
1.1MB

Download
memory/2284-273-0x0000000000370000-0x0000000000382000-memory.dmp

Filesize
72KB

Download
memory/2284-272-0x00000000010F0000-0x0000000001200000-memory.dmp

Filesize
1.1MB

Download
memory/2368-511-0x00000000012C0000-0x00000000013D0000-memory.dmp

Filesize
1.1MB

Download
memory/2748-16-0x0000000000A50000-0x0000000000A5C000-memory.dmp

Filesize
48KB

Download
memory/2748-13-0x0000000000A90000-0x0000000000BA0000-memory.dmp

Filesize
1.1MB

Download
memory/2748-14-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/2748-17-0x0000000000A60000-0x0000000000A6C000-memory.dmp

Filesize
48KB

Download
memory/2748-15-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2884-571-0x0000000000130000-0x0000000000240000-memory.dmp

Filesize
1.1MB

Download
memory/2884-153-0x0000000000840000-0x0000000000950000-memory.dmp

Filesize
1.1MB

Download