dcrat | 7386643d99fbe783380f85fa364cce332c31ff0bdf023b78de58d329990842ad

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Proverkabyxdwd.exe
Size

1.5MB
MD5

b6d84083a9a6d904f8fce712472503db
SHA1

be3cea644584be972eed12578bdcf3cd6ff4ecbb
SHA256

7386643d99fbe783380f85fa364cce332c31ff0bdf023b78de58d329990842ad
SHA512

0cca303cc79bd20a593e1d5a01cce8783c7daffa4c99cf1694dfdaa5c14b7e7be64a35f73e9b8f7063948a94b492c830d32870965ba7fd0f0d067d06b9806539
SSDEEP

24576:U2G/nvxW3Ww0tNAo6ME182LavUt3U27dLqYTZb0yJSogzbKRYSDxtXbkP0hNZnB:UbA30NAF8MIGfQ/Km6XoP05B

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	1620	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3560	1620	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	1620	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	1620	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	1620	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	1620	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	1620	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	1620	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	1620	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	1620	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	1620	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	1620	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3300	1620	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	1620	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3816	1620	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	1620	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	1620	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	1620	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	1620	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	1620	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	1620	schtasks.exe	90

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0008000000023be2-10.dat	dcrat
behavioral2/memory/5044-13-0x0000000000880000-0x00000000009B2000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 27 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	driverSessionRuntime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Proverkabyxdwd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 26 IoCs

pid	Process
5044	driverSessionRuntime.exe
4304	csrss.exe
4380	csrss.exe
2696	csrss.exe
5056	csrss.exe
2224	csrss.exe
3828	csrss.exe
3496	csrss.exe
3244	csrss.exe
3948	csrss.exe
5052	csrss.exe
1196	csrss.exe
532	csrss.exe
4056	csrss.exe
2300	csrss.exe
2744	csrss.exe
3360	csrss.exe
2452	csrss.exe
4740	csrss.exe
4872	csrss.exe
2072	csrss.exe
748	csrss.exe
3548	csrss.exe
3868	csrss.exe
3120	csrss.exe
2080	csrss.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\csrss.exe	driverSessionRuntime.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\886983d96e3d3e	driverSessionRuntime.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe	driverSessionRuntime.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\ea9f0e6c9e2dcd	driverSessionRuntime.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\explorer.exe	driverSessionRuntime.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\7a0fd90576e088	driverSessionRuntime.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Registration\CRMLog\sihost.exe	driverSessionRuntime.exe
File created	C:\Windows\Registration\CRMLog\66fc9ff0ee96c2	driverSessionRuntime.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Proverkabyxdwd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 26 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Proverkabyxdwd.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	driverSessionRuntime.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3136	schtasks.exe
1448	schtasks.exe
5048	schtasks.exe
4484	schtasks.exe
1780	schtasks.exe
2208	schtasks.exe
2184	schtasks.exe
3060	schtasks.exe
408	schtasks.exe
532	schtasks.exe
3560	schtasks.exe
2160	schtasks.exe
2388	schtasks.exe
5116	schtasks.exe
3816	schtasks.exe
3004	schtasks.exe
1316	schtasks.exe
2360	schtasks.exe
3300	schtasks.exe
1864	schtasks.exe
2224	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
5044	driverSessionRuntime.exe
4304	csrss.exe
4380	csrss.exe
2696	csrss.exe
5056	csrss.exe
2224	csrss.exe
3828	csrss.exe
3496	csrss.exe
3244	csrss.exe
3948	csrss.exe
5052	csrss.exe
1196	csrss.exe
532	csrss.exe
4056	csrss.exe
2300	csrss.exe
2744	csrss.exe
3360	csrss.exe
2452	csrss.exe
4740	csrss.exe
4872	csrss.exe
2072	csrss.exe
748	csrss.exe
3548	csrss.exe
3868	csrss.exe
3120	csrss.exe
2080	csrss.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	5044	driverSessionRuntime.exe
Token: SeDebugPrivilege	4304	csrss.exe
Token: SeDebugPrivilege	4380	csrss.exe
Token: SeDebugPrivilege	2696	csrss.exe
Token: SeDebugPrivilege	5056	csrss.exe
Token: SeDebugPrivilege	2224	csrss.exe
Token: SeDebugPrivilege	3828	csrss.exe
Token: SeDebugPrivilege	3496	csrss.exe
Token: SeDebugPrivilege	3244	csrss.exe
Token: SeDebugPrivilege	3948	csrss.exe
Token: SeDebugPrivilege	5052	csrss.exe
Token: SeDebugPrivilege	1196	csrss.exe
Token: SeDebugPrivilege	532	csrss.exe
Token: SeDebugPrivilege	4056	csrss.exe
Token: SeDebugPrivilege	2300	csrss.exe
Token: SeDebugPrivilege	2744	csrss.exe
Token: SeDebugPrivilege	3360	csrss.exe
Token: SeDebugPrivilege	2452	csrss.exe
Token: SeDebugPrivilege	4740	csrss.exe
Token: SeDebugPrivilege	4872	csrss.exe
Token: SeDebugPrivilege	2072	csrss.exe
Token: SeDebugPrivilege	748	csrss.exe
Token: SeDebugPrivilege	3548	csrss.exe
Token: SeDebugPrivilege	3868	csrss.exe
Token: SeDebugPrivilege	3120	csrss.exe
Token: SeDebugPrivilege	2080	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 1064	3932	Proverkabyxdwd.exe	83
PID 3932 wrote to memory of 1064	3932	Proverkabyxdwd.exe	83
PID 3932 wrote to memory of 1064	3932	Proverkabyxdwd.exe	83
PID 1064 wrote to memory of 3604	1064	WScript.exe	85
PID 1064 wrote to memory of 3604	1064	WScript.exe	85
PID 1064 wrote to memory of 3604	1064	WScript.exe	85
PID 3604 wrote to memory of 5044	3604	cmd.exe	87
PID 3604 wrote to memory of 5044	3604	cmd.exe	87
PID 5044 wrote to memory of 4432	5044	driverSessionRuntime.exe	113
PID 5044 wrote to memory of 4432	5044	driverSessionRuntime.exe	113
PID 4432 wrote to memory of 1976	4432	cmd.exe	115
PID 4432 wrote to memory of 1976	4432	cmd.exe	115
PID 4432 wrote to memory of 4304	4432	cmd.exe	121
PID 4432 wrote to memory of 4304	4432	cmd.exe	121
PID 4304 wrote to memory of 1612	4304	csrss.exe	122
PID 4304 wrote to memory of 1612	4304	csrss.exe	122
PID 1612 wrote to memory of 4008	1612	cmd.exe	124
PID 1612 wrote to memory of 4008	1612	cmd.exe	124
PID 1612 wrote to memory of 4380	1612	cmd.exe	130
PID 1612 wrote to memory of 4380	1612	cmd.exe	130
PID 4380 wrote to memory of 2324	4380	csrss.exe	131
PID 4380 wrote to memory of 2324	4380	csrss.exe	131
PID 2324 wrote to memory of 4148	2324	cmd.exe	133
PID 2324 wrote to memory of 4148	2324	cmd.exe	133
PID 2324 wrote to memory of 2696	2324	cmd.exe	135
PID 2324 wrote to memory of 2696	2324	cmd.exe	135
PID 2696 wrote to memory of 452	2696	csrss.exe	136
PID 2696 wrote to memory of 452	2696	csrss.exe	136
PID 452 wrote to memory of 3592	452	cmd.exe	138
PID 452 wrote to memory of 3592	452	cmd.exe	138
PID 452 wrote to memory of 5056	452	cmd.exe	140
PID 452 wrote to memory of 5056	452	cmd.exe	140
PID 5056 wrote to memory of 868	5056	csrss.exe	141
PID 5056 wrote to memory of 868	5056	csrss.exe	141
PID 868 wrote to memory of 4560	868	cmd.exe	143
PID 868 wrote to memory of 4560	868	cmd.exe	143
PID 868 wrote to memory of 2224	868	cmd.exe	147
PID 868 wrote to memory of 2224	868	cmd.exe	147
PID 2224 wrote to memory of 4616	2224	csrss.exe	148
PID 2224 wrote to memory of 4616	2224	csrss.exe	148
PID 4616 wrote to memory of 2072	4616	cmd.exe	150
PID 4616 wrote to memory of 2072	4616	cmd.exe	150
PID 4616 wrote to memory of 3828	4616	cmd.exe	153
PID 4616 wrote to memory of 3828	4616	cmd.exe	153
PID 3828 wrote to memory of 1396	3828	csrss.exe	154
PID 3828 wrote to memory of 1396	3828	csrss.exe	154
PID 1396 wrote to memory of 1596	1396	cmd.exe	156
PID 1396 wrote to memory of 1596	1396	cmd.exe	156
PID 1396 wrote to memory of 3496	1396	cmd.exe	158
PID 1396 wrote to memory of 3496	1396	cmd.exe	158
PID 3496 wrote to memory of 1404	3496	csrss.exe	159
PID 3496 wrote to memory of 1404	3496	csrss.exe	159
PID 1404 wrote to memory of 228	1404	cmd.exe	161
PID 1404 wrote to memory of 228	1404	cmd.exe	161
PID 1404 wrote to memory of 3244	1404	cmd.exe	163
PID 1404 wrote to memory of 3244	1404	cmd.exe	163
PID 3244 wrote to memory of 4328	3244	csrss.exe	164
PID 3244 wrote to memory of 4328	3244	csrss.exe	164
PID 4328 wrote to memory of 4816	4328	cmd.exe	166
PID 4328 wrote to memory of 4816	4328	cmd.exe	166
PID 4328 wrote to memory of 3948	4328	cmd.exe	168
PID 4328 wrote to memory of 3948	4328	cmd.exe	168
PID 3948 wrote to memory of 3956	3948	csrss.exe	169
PID 3948 wrote to memory of 3956	3948	csrss.exe	169

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Proverkabyxdwd.exe
"C:\Users\Admin\AppData\Local\Temp\Proverkabyxdwd.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\chainWebIntoSession\qD91Bf2FR629.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\chainWebIntoSession\mutZScugJ38QpfoGeguI2l.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\chainWebIntoSession\driverSessionRuntime.exe
      "C:\chainWebIntoSession\driverSessionRuntime.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5044
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fwyRFtynII.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4432
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1976
      - C:\Program Files\Windows Sidebar\Gadgets\csrss.exe
        
        "C:\Program Files\Windows Sidebar\Gadgets\csrss.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ap6i2Y3psm.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4008
        
        C:\Program Files\Windows Sidebar\Gadgets\csrss.exe
        
        "C:\Program Files\Windows Sidebar\Gadgets\csrss.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4148
        
        C:\Program Files\Windows Sidebar\Gadgets\csrss.exe
        
        "C:\Program Files\Windows Sidebar\Gadgets\csrss.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3592
        
        C:\Program Files\Windows Sidebar\Gadgets\csrss.exe
        
        "C:\Program Files\Windows Sidebar\Gadgets\csrss.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:4560
        
        C:\Program Files\Windows Sidebar\Gadgets\csrss.exe
        
        "C:\Program Files\Windows Sidebar\Gadgets\csrss.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2zdeBu3xOP.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2072
        
        C:\Program Files\Windows Sidebar\Gadgets\csrss.exe
        
        "C:\Program Files\Windows Sidebar\Gadgets\csrss.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uruRJY5g5x.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1596
        
        C:\Program Files\Windows Sidebar\Gadgets\csrss.exe
        
        "C:\Program Files\Windows Sidebar\Gadgets\csrss.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VJj2LbMAw3.bat"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:228
        
        C:\Program Files\Windows Sidebar\Gadgets\csrss.exe
        
        "C:\Program Files\Windows Sidebar\Gadgets\csrss.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat"
        21⤵
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:4816
        
        C:\Program Files\Windows Sidebar\Gadgets\csrss.exe
        
        "C:\Program Files\Windows Sidebar\Gadgets\csrss.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat"
        23⤵
        
        PID:3956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:4876
        
        C:\Program Files\Windows Sidebar\Gadgets\csrss.exe
        
        "C:\Program Files\Windows Sidebar\Gadgets\csrss.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat"
        25⤵
        
        PID:1780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2664
        
        C:\Program Files\Windows Sidebar\Gadgets\csrss.exe
        
        "C:\Program Files\Windows Sidebar\Gadgets\csrss.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l8nFZEr7oq.bat"
        27⤵
        
        PID:4892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:940
        
        C:\Program Files\Windows Sidebar\Gadgets\csrss.exe
        
        "C:\Program Files\Windows Sidebar\Gadgets\csrss.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat"
        29⤵
        
        PID:1536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:2396
        
        C:\Program Files\Windows Sidebar\Gadgets\csrss.exe
        
        "C:\Program Files\Windows Sidebar\Gadgets\csrss.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat"
        31⤵
        
        PID:3860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:4680
        
        C:\Program Files\Windows Sidebar\Gadgets\csrss.exe
        
        "C:\Program Files\Windows Sidebar\Gadgets\csrss.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r40S8pVzgD.bat"
        33⤵
        
        PID:1788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:2904
        
        C:\Program Files\Windows Sidebar\Gadgets\csrss.exe
        
        "C:\Program Files\Windows Sidebar\Gadgets\csrss.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GrfoiSU1wP.bat"
        35⤵
        
        PID:872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        36⤵
        
        PID:1852
        
        C:\Program Files\Windows Sidebar\Gadgets\csrss.exe
        
        "C:\Program Files\Windows Sidebar\Gadgets\csrss.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat"
        37⤵
        
        PID:2968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        38⤵
        
        PID:4192
        
        C:\Program Files\Windows Sidebar\Gadgets\csrss.exe
        
        "C:\Program Files\Windows Sidebar\Gadgets\csrss.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fELEOgu8eF.bat"
        39⤵
        
        PID:2748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        40⤵
        
        PID:452
        
        C:\Program Files\Windows Sidebar\Gadgets\csrss.exe
        
        "C:\Program Files\Windows Sidebar\Gadgets\csrss.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat"
        41⤵
        
        PID:3804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        42⤵
        
        PID:5116
        
        C:\Program Files\Windows Sidebar\Gadgets\csrss.exe
        
        "C:\Program Files\Windows Sidebar\Gadgets\csrss.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat"
        43⤵
        
        PID:4692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        44⤵
        
        PID:4936
        
        C:\Program Files\Windows Sidebar\Gadgets\csrss.exe
        
        "C:\Program Files\Windows Sidebar\Gadgets\csrss.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2zdeBu3xOP.bat"
        45⤵
        
        PID:4964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        46⤵
        
        PID:4624
        
        C:\Program Files\Windows Sidebar\Gadgets\csrss.exe
        
        "C:\Program Files\Windows Sidebar\Gadgets\csrss.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat"
        47⤵
        
        PID:4972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        48⤵
        
        PID:4528
        
        C:\Program Files\Windows Sidebar\Gadgets\csrss.exe
        
        "C:\Program Files\Windows Sidebar\Gadgets\csrss.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fELEOgu8eF.bat"
        49⤵
        
        PID:4136
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        50⤵
        
        PID:3308
        
        C:\Program Files\Windows Sidebar\Gadgets\csrss.exe
        
        "C:\Program Files\Windows Sidebar\Gadgets\csrss.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\t6OOvELCCF.bat"
        51⤵
        
        PID:2012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        52⤵
        
        PID:3940
        
        C:\Program Files\Windows Sidebar\Gadgets\csrss.exe
        
        "C:\Program Files\Windows Sidebar\Gadgets\csrss.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3120
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TZCyxGcg3L.bat"
        53⤵
        
        PID:1504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        54⤵
        
        PID:2492
        
        C:\Program Files\Windows Sidebar\Gadgets\csrss.exe
        
        "C:\Program Files\Windows Sidebar\Gadgets\csrss.exe"
        54⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Gadgets\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Gadgets\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\chainWebIntoSession\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\chainWebIntoSession\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\chainWebIntoSession\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Windows\Registration\CRMLog\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\CRMLog\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\chainWebIntoSession\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\chainWebIntoSession\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\chainWebIntoSession\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
3ad9a5252966a3ab5b1b3222424717be

SHA1
5397522c86c74ddbfb2585b9613c794f4b4c3410

SHA256
27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249

SHA512
b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2zdeBu3xOP.bat

Filesize
215B

MD5
417f2279b74e86197a78d87553f20c45

SHA1
8b9ef188bf9dc8d2fc0405aeb2442dc83e6cf6c9

SHA256
7f3a13a722c07bb94f3e659a156be1293d9fc3db34d32c021d240391b1aa8d7d

SHA512
9e3c28156fec2270e7c9af5fefdfca67968c9c35a7b59587a043f21f5b83578d7c423539912567abd60096e11f12bdf3fa412f2820016a8732e805bbd09dc86e

Download Submit
C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat

Filesize
215B

MD5
7e8a7574b2dbaa986ace94e09a23035b

SHA1
e65f9138bf8d81ed02051b0b0a7c0f75fd279e7d

SHA256
3f37a8bd22c80cb0cb8b7556cdf8e0b11f31f903006a0e69287070e87edb313a

SHA512
ae7ec634adb79a63b735eb8d3d237e154982c9950ac79b84adbcca5db96539be8581e1820e387958d39e9b04d3cfcf9be85842bd1d7afda401826a6e7b88a52e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ap6i2Y3psm.bat

Filesize
215B

MD5
78288600c044bb6cdbd680114fb16c4d

SHA1
4f2adc0ab1a60882f20bda01dd7a4eb3925eb140

SHA256
4602cbb2a87e60507a209dbb2a796b69473808be83b98bfad6055fd675d617ef

SHA512
5b96d521638f40a3ef9a6ae8507f80494f8ccde728c4edf02b1197dc326313e03228a27134d0b764e6255c995ea5967c2ef43011518354c9f108075a7de27435

Download Submit
C:\Users\Admin\AppData\Local\Temp\GrfoiSU1wP.bat

Filesize
215B

MD5
1f20e9853f157d2b9b72406c0a9f85ed

SHA1
46b50021b8840203783e6fbb13b0e2f58a018baf

SHA256
4bb94b4e39a5ddd94ce47ef0ddd86d7e1e2cdccd9f267fd525895e6e70f977a2

SHA512
7745bf8a206b881566f8638610a4f41baf44ffa7fa05143fc1f3eb81a36946c7adfe3363de45b67f363e27a111b23315d52a5b23753545a9bdce875c156124dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat

Filesize
215B

MD5
85178370cb2050373b577d7963d788b5

SHA1
528e526497d5cff8b3fe58ff381f368d2ab2026f

SHA256
a6aa6849aeb83229e741b28a48c2df153c868a8b442aa8430bcfc57760333da6

SHA512
89e237753820470886facea1fb0e0988b8e9493bd6b39d6dfccfdae980cb9ee6f675e9137e9ea05dd499acd19f02a97b2be511c0df608de1565ca7d02989643c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat

Filesize
215B

MD5
c74ad1b23209fe5bfdfd18fe338ba335

SHA1
4f5392ab213102fd08f7a0668d6205f408624e19

SHA256
5098f4705330cd85b25741a6a0ab3672453cf32996ecaaa3a81a192a1b614cf1

SHA512
eabadfc8016ebbabb5ccedca895ed33215683b53b38addf941716d036b9a699572b91e0dd26cd31910f92ff82eb3d11015c075ab46ed721b688917d557e1003a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat

Filesize
215B

MD5
135626b2da9bf682e492f713b8faeef7

SHA1
2cbe911053175d9136ff6be34f363064e00d8ed3

SHA256
9beb9898752f0c2c2c2d3edcb604a3ad02cce4c3705358abc21baa7dfcc3ad97

SHA512
e9d16b61fa3c327e56ff4e0268bc61df060f782a25a1abb7cd3f90700e947bf067e2a12af45f7cf4957d11abccdbbced8bca45287c156e1dce291d35af9d33d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat

Filesize
215B

MD5
3b92b4b19205764246a461baeadac9cf

SHA1
e1024e14d1893b51772a3c118aae5db1f08da480

SHA256
c0fb9bb0fc67c6ec5408196a93468d1dd3ebae4e967aeae5eca5cdfdcd9d10ab

SHA512
4de8b95d5b2ebaff65e531cf4df8cd4ff950ddfc797c62d854bd68d7aced03f6e9bf0b0edc0435e9954e534a350ab48bb02d9bebb08a4637efb10100b4774284

Download Submit
C:\Users\Admin\AppData\Local\Temp\TZCyxGcg3L.bat

Filesize
215B

MD5
c5499022cab79e16c4d00f4dd7fcd360

SHA1
d177ad5a7b085b379a6ae35cc0be2e515f9e0a8c

SHA256
d321c5a098f7857a5e7a66a57b1671682bd6992ebb6fa080762677ba60c02810

SHA512
c448997fe1e0172ab411a54ab02e947368597a60dd18ea343f59ea8eceb97f44bb561619437c5246739ada2c03e833dc1d16fd8586d5ba08a550df8cddc64cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat

Filesize
215B

MD5
9852570d51945ee603fba6efefca2b02

SHA1
e5972dc338dead1bbb172ca92372295a3200a383

SHA256
befa74f780c930932f95ad404d8317ad99d3f2d443368700a78e313b5edcf442

SHA512
e6b125bf7f9f6e74a8a74757e5929650b3cf7517d0dfafe7cc1e52290f080b1f50926b3593fddc34afe9942182e0571714561e7eec7929c7e6512d8ea32e6f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\VJj2LbMAw3.bat

Filesize
215B

MD5
1f2df43355acc4307f928916cf5e7fba

SHA1
9167f982682b12c2097c6fd71cee56a44bbd73df

SHA256
0f86e625f2931064a393b7f1ed163f75129aec99d29bec49064bcb8473ad8d56

SHA512
b2c6b05058dbb7dc4f9d6cd0c1d81c820a6a8fa488b5a17028cd9be118cadd7f9e8862cf7a513fae16be016a24e900b27d3b4a0d431718886ca74c41da1b748f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat

Filesize
215B

MD5
c29dd69a475e0062d45475f4993b5669

SHA1
e7ce944c15c047077a164e17a8f9d14fd247a84b

SHA256
901d80c17b9ab76062a7f3a36536b7fe5ab4e7797083b28ebb7e640e7d6a98c3

SHA512
f48b7b11d1c2589abfd3473e5016a61c164b0fe1fa0a84f86c2e89873be782e593e124562dbfa6105c418b908913b4a8312d6f9086f4d8b1d544fba425e15e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat

Filesize
215B

MD5
5ba39d744f6c0e01b2aac55126f77880

SHA1
9467cfc79feb8b773356b78188efcb48246f1cf3

SHA256
501b0f6a78aae53456042332c9b8a5943269ebe76b6cd77b70ca9e6af692b2d5

SHA512
914e4c8aadc80f4016d5fb8bf89909f701219523c5991173b469f3ea31b05a6931db1832efee00f849ac7a3476a15e96f20bdf5bbf86424563ce61b068b014d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fELEOgu8eF.bat

Filesize
215B

MD5
81616d774708be4cbd205c0f3d8b9036

SHA1
e0ce0ae2f9a95e96b0e9763b0a36c5bfae1c0ba1

SHA256
66f164be386fe8674556e67762c11b4ffbed266eaaadbd6352c57ad812ff1822

SHA512
e519719a92d8c627692fbc717b56a4774bb0918653790c04bd90de860ce543c3bdfe99bdccf187dd7b978d78376274589329e1f2e006b3163d95ca786daf6028

Download Submit
C:\Users\Admin\AppData\Local\Temp\fwyRFtynII.bat

Filesize
215B

MD5
fd6438b52e49f39b377830105a3b42ee

SHA1
0c2a83f4c2a6d1cdf0cb69984f20101edf679d7a

SHA256
8bc0e7d96b913b46629bfcb3eb13fbdb25f88b15fa025d21888d5d0d63cc1875

SHA512
a2401bba1c16fe15a821fb7f1ef62e09e43cdb9786aa51c818f699759b2645fee90a57b117c35771450786c9c2a25a5d9dc77b2a8af0492e34bc9f612a3e530f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat

Filesize
215B

MD5
4f8b240c9e52fd0f8f3ba9607b274654

SHA1
5640e00f1dedbc148925030e8396cefd7f8e296d

SHA256
5529047de67d38fa630db4027419638ff890a976fa42b965af10c11697b61b52

SHA512
5756c088a075ff95e336602610fc8e49fe0e78027465fd150f012f8f4f65ac5bd5881aeecdcf3caa1f47474b87e9ec867aff72d64795f76fb12ef3587add66be

Download Submit
C:\Users\Admin\AppData\Local\Temp\l8nFZEr7oq.bat

Filesize
215B

MD5
f5837245914a52c0508a72ef7c638c5a

SHA1
20b784a501e70f309756d531c444c9992ea05c62

SHA256
2f8e87e6225b89823ed8ee5309a7e682ade2c144d8bdf5a3902140ec06d2da60

SHA512
8ae180a529be0368488f66a2d843ea05cf52f41a2dd3e9bf8b8e8913712e0d2f29e8ab88c9c48ed56f96257c67ad277eb87b144bb5578bc971c57a0322111416

Download Submit
C:\Users\Admin\AppData\Local\Temp\r40S8pVzgD.bat

Filesize
215B

MD5
0bd8a8b562f96c8db164439cb48961ca

SHA1
9c835cfa9a18b055acfcfbc019121e603bcaf446

SHA256
b71194e8b0c9b6c3292a50d6a20833eb51cafa8417fd04bae3d82e3015c87333

SHA512
3c0523d02831568bd1ab7e731ae339b6c7d2dd3d88ae41d841c831a3438690b3703c23d23ec6a901c2813f99a4bffb7b7766c4337d4ab54909fbca32b6c91e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\t6OOvELCCF.bat

Filesize
215B

MD5
e68ba8f203d93cd31d913a4b84c46e83

SHA1
f6bc02d800f21596aaf6f97a9edf474fae855c2f

SHA256
6da54ef38380795706d74e943f7cc91b0feb4ab1e7ab22a8cf53190283d67076

SHA512
12e36f76edbf50aca65c0e75d6c1c86f53a1b821a26a178af564d78cd6cfa7ec08b33a67ff5a8d4d7434f4ce95ce52933628bc0051ff2abb9bc84aa3c3c48d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uruRJY5g5x.bat

Filesize
215B

MD5
02690d79da6651cc03c6050e90f97baa

SHA1
fd4898d0a6c90e5dc2a558bb6f16cfa2fa9d632b

SHA256
fe126378e5d24600486c070ebc945273f565356b3983b36465c9c0d63a56b1f1

SHA512
be770c1f65370c05ae56eb34ff339524e0ba83ee2393615240e28b171631760029dab863185d1ad41e559d803b16dba35a0ac80f9a36d344a027f6e124ecefaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat

Filesize
215B

MD5
b2772fe3003fd53c978b2946d808a6df

SHA1
9db3664f683dbf48fae490697eee2b52aa3dcdf6

SHA256
9ae9de408e8101e0a29d497fdacff2796574ce9eb0eea869524e541c225b26d6

SHA512
a6869b44c76137fc438e2f341574b4801d218a794eb7817f2879a304074d11a71844de00f3c18a5d0c806763e76dc4d197571763958327889b67b2511f022ca7

Download Submit
C:\chainWebIntoSession\driverSessionRuntime.exe

Filesize
1.2MB

MD5
6fa9d3afd6e7a33f230d630effcdcd68

SHA1
e36e510d35918147c19da9c2e4d153dd16acda56

SHA256
34067e70cf580aa3b0503f80c0944cc261f7b511988bb37cbc8d810a16e27229

SHA512
5466923061a3c3799a88a6947839c8d3e47f4aa08abe396adf4137bf9b2db38e9285f2a62d7c2ccd3c942f6199525cf47d33a2dd277a840bed0ed951a4ad50fc

Download Submit
C:\chainWebIntoSession\mutZScugJ38QpfoGeguI2l.bat

Filesize
49B

MD5
6000af83a4ec5ba337a3199e02ef3adc

SHA1
6d3e75d8513f156d5a0cdaca7c04754207897763

SHA256
cff888ba6c207a854350f2a5bfa943e933229e0f4b577c57e5e8d9c73fa678d6

SHA512
8181a8fa8d67c7aabc5d439c4338d7a5b92023992f148b498dbf6937bdcfe8c91b5961b06a1d745b46fe8a23aac857e3b5f88d19b6d10f2ade791b889185e4c3

Download Submit
C:\chainWebIntoSession\qD91Bf2FR629.vbe

Filesize
218B

MD5
e376bec17fcd43091d7e796e1990822e

SHA1
905ea05ef90ac3f2686443c8bc44e1b81c061a6a

SHA256
cb1d5eab7477bb30819023038a740abd7c5366f8ebe57b14e8339d4f79cfab3d

SHA512
c7e36f65a1da9681355a77e200a5d06fe2a6270d20a00b191f5c3b484ca52b16574058134a97f5008826f4b4e1f2153936e50d93f125a18c1019c306a97bb4ce

Download Submit
memory/5044-15-0x0000000002A40000-0x0000000002A90000-memory.dmp

Filesize
320KB

Download
memory/5044-13-0x0000000000880000-0x00000000009B2000-memory.dmp

Filesize
1.2MB

Download
memory/5044-12-0x00007FFE22CA3000-0x00007FFE22CA5000-memory.dmp

Filesize
8KB

Download
memory/5044-14-0x00000000029C0000-0x00000000029DC000-memory.dmp

Filesize
112KB

Download
memory/5044-16-0x00000000029E0000-0x00000000029F6000-memory.dmp

Filesize
88KB

Download
memory/5044-17-0x0000000002A00000-0x0000000002A0C000-memory.dmp

Filesize
48KB

Download