dcrat | 9cd19cf01e1d8c64caa0dffcd07dfb3304fc7257a1c468c0f3d4df1ad696319f

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-12-2024 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperV1.19.exe
Size

3.1MB
MD5

c9d720a4200df5064f655adc3656056f
SHA1

0dc179cfc3cf564ea1e9c85e012ac9bda3b40464
SHA256

9cd19cf01e1d8c64caa0dffcd07dfb3304fc7257a1c468c0f3d4df1ad696319f
SHA512

f0628313d0bccdd94795d649f1f6eda194b97fe991fb1755d9525cf944b310569a6dc0a155caf17dc4e49fda4c5eaf42063443bb67abc19a079f934570136852
SSDEEP

49152:ivotkNjg/lhqZvGyBJa+U5kzXDFrO0iTb0bzveEX99h:i5ZvGko+U8XBgseE5

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	64	3220	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	3220	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	3220	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	3220	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	3220	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	3220	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	3220	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	3220	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3680	3220	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3308	3220	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	3220	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	3220	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	3220	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	3220	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	3220	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	3220	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	3220	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	3220	schtasks.exe	87

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2464	powershell.exe
3644	powershell.exe
3460	powershell.exe
4768	powershell.exe
2004	powershell.exe
2332	powershell.exe
1712	powershell.exe
2472	powershell.exe
4988	powershell.exe
836	powershell.exe
2980	powershell.exe
3924	powershell.exe
4880	powershell.exe
4468	powershell.exe
4696	powershell.exe
3516	powershell.exe
628	powershell.exe

Checks computer location settings 2 TTPs 18 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	BootstrapperV1.19.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	PerfNET.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	TrustedInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	TrustedInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	TrustedInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	TrustedInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Solaraexecutor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	TrustedInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	TrustedInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	TrustedInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	TrustedInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	TrustedInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	TrustedInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	TrustedInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	TrustedInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	TrustedInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	TrustedInstaller.exe

Executes dropped EXE 16 IoCs

pid	Process
1744	Solaraexecutor.exe
1920	PerfNET.exe
5496	TrustedInstaller.exe
5768	TrustedInstaller.exe
6000	TrustedInstaller.exe
3172	TrustedInstaller.exe
3660	TrustedInstaller.exe
4936	TrustedInstaller.exe
5312	TrustedInstaller.exe
3564	TrustedInstaller.exe
5056	TrustedInstaller.exe
1156	TrustedInstaller.exe
5108	TrustedInstaller.exe
4492	TrustedInstaller.exe
5824	TrustedInstaller.exe
6044	TrustedInstaller.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\RuntimeBroker.exe	PerfNET.exe
File created	C:\Program Files (x86)\Adobe\9e8d7a4ca61bd9	PerfNET.exe
File created	C:\Program Files\Microsoft Office\System.exe	PerfNET.exe
File created	C:\Program Files\Microsoft Office\27d1bcfc3c54e0	PerfNET.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\LanguageOverlayCache\csrss.exe	PerfNET.exe
File created	C:\Windows\ImmersiveControlPanel\en-US\RuntimeBroker.exe	PerfNET.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperV1.19.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solaraexecutor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2292	PING.EXE
5408	PING.EXE
3324	PING.EXE
5716	PING.EXE
5944	PING.EXE
2916	PING.EXE

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	TrustedInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	TrustedInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	Solaraexecutor.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	TrustedInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	TrustedInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	TrustedInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	TrustedInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	TrustedInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	TrustedInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	TrustedInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	TrustedInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	TrustedInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	PerfNET.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	TrustedInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	TrustedInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	TrustedInstaller.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
5716	PING.EXE
5944	PING.EXE
2916	PING.EXE
2292	PING.EXE
5408	PING.EXE
3324	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3252	schtasks.exe
64	schtasks.exe
2384	schtasks.exe
4124	schtasks.exe
1968	schtasks.exe
4060	schtasks.exe
5084	schtasks.exe
1168	schtasks.exe
3680	schtasks.exe
4244	schtasks.exe
1960	schtasks.exe
4980	schtasks.exe
4336	schtasks.exe
4796	schtasks.exe
4932	schtasks.exe
3308	schtasks.exe
4236	schtasks.exe
3008	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
1920	PerfNET.exe
4768	powershell.exe
4768	powershell.exe
3516	powershell.exe
3516	powershell.exe
2464	powershell.exe
2464	powershell.exe
628	powershell.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	1920	PerfNET.exe
Token: SeDebugPrivilege	3516	powershell.exe
Token: SeDebugPrivilege	4768	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	4988	powershell.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	3924	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	4696	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	5496	TrustedInstaller.exe
Token: SeDebugPrivilege	5768	TrustedInstaller.exe
Token: SeDebugPrivilege	6000	TrustedInstaller.exe
Token: SeDebugPrivilege	3172	TrustedInstaller.exe
Token: SeDebugPrivilege	3660	TrustedInstaller.exe
Token: SeDebugPrivilege	4936	TrustedInstaller.exe
Token: SeDebugPrivilege	5312	TrustedInstaller.exe
Token: SeDebugPrivilege	3564	TrustedInstaller.exe
Token: SeDebugPrivilege	5056	TrustedInstaller.exe
Token: SeDebugPrivilege	1156	TrustedInstaller.exe
Token: SeDebugPrivilege	5108	TrustedInstaller.exe
Token: SeDebugPrivilege	4492	TrustedInstaller.exe
Token: SeDebugPrivilege	5824	TrustedInstaller.exe
Token: SeDebugPrivilege	6044	TrustedInstaller.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 1744	3948	BootstrapperV1.19.exe	82
PID 3948 wrote to memory of 1744	3948	BootstrapperV1.19.exe	82
PID 3948 wrote to memory of 1744	3948	BootstrapperV1.19.exe	82
PID 1744 wrote to memory of 4612	1744	Solaraexecutor.exe	83
PID 1744 wrote to memory of 4612	1744	Solaraexecutor.exe	83
PID 1744 wrote to memory of 4612	1744	Solaraexecutor.exe	83
PID 4612 wrote to memory of 4360	4612	WScript.exe	91
PID 4612 wrote to memory of 4360	4612	WScript.exe	91
PID 4612 wrote to memory of 4360	4612	WScript.exe	91
PID 4360 wrote to memory of 1920	4360	cmd.exe	93
PID 4360 wrote to memory of 1920	4360	cmd.exe	93
PID 1920 wrote to memory of 2332	1920	PerfNET.exe	113
PID 1920 wrote to memory of 2332	1920	PerfNET.exe	113
PID 1920 wrote to memory of 3516	1920	PerfNET.exe	114
PID 1920 wrote to memory of 3516	1920	PerfNET.exe	114
PID 1920 wrote to memory of 3644	1920	PerfNET.exe	115
PID 1920 wrote to memory of 3644	1920	PerfNET.exe	115
PID 1920 wrote to memory of 4880	1920	PerfNET.exe	116
PID 1920 wrote to memory of 4880	1920	PerfNET.exe	116
PID 1920 wrote to memory of 3460	1920	PerfNET.exe	117
PID 1920 wrote to memory of 3460	1920	PerfNET.exe	117
PID 1920 wrote to memory of 1712	1920	PerfNET.exe	118
PID 1920 wrote to memory of 1712	1920	PerfNET.exe	118
PID 1920 wrote to memory of 4468	1920	PerfNET.exe	119
PID 1920 wrote to memory of 4468	1920	PerfNET.exe	119
PID 1920 wrote to memory of 2472	1920	PerfNET.exe	120
PID 1920 wrote to memory of 2472	1920	PerfNET.exe	120
PID 1920 wrote to memory of 4988	1920	PerfNET.exe	121
PID 1920 wrote to memory of 4988	1920	PerfNET.exe	121
PID 1920 wrote to memory of 628	1920	PerfNET.exe	122
PID 1920 wrote to memory of 628	1920	PerfNET.exe	122
PID 1920 wrote to memory of 836	1920	PerfNET.exe	123
PID 1920 wrote to memory of 836	1920	PerfNET.exe	123
PID 1920 wrote to memory of 2980	1920	PerfNET.exe	124
PID 1920 wrote to memory of 2980	1920	PerfNET.exe	124
PID 1920 wrote to memory of 3924	1920	PerfNET.exe	125
PID 1920 wrote to memory of 3924	1920	PerfNET.exe	125
PID 1920 wrote to memory of 4696	1920	PerfNET.exe	126
PID 1920 wrote to memory of 4696	1920	PerfNET.exe	126
PID 1920 wrote to memory of 4768	1920	PerfNET.exe	127
PID 1920 wrote to memory of 4768	1920	PerfNET.exe	127
PID 1920 wrote to memory of 2464	1920	PerfNET.exe	128
PID 1920 wrote to memory of 2464	1920	PerfNET.exe	128
PID 1920 wrote to memory of 2004	1920	PerfNET.exe	129
PID 1920 wrote to memory of 2004	1920	PerfNET.exe	129
PID 1920 wrote to memory of 2232	1920	PerfNET.exe	146
PID 1920 wrote to memory of 2232	1920	PerfNET.exe	146
PID 2232 wrote to memory of 624	2232	cmd.exe	149
PID 2232 wrote to memory of 624	2232	cmd.exe	149
PID 2232 wrote to memory of 5244	2232	cmd.exe	150
PID 2232 wrote to memory of 5244	2232	cmd.exe	150
PID 2232 wrote to memory of 5496	2232	cmd.exe	152
PID 2232 wrote to memory of 5496	2232	cmd.exe	152
PID 5496 wrote to memory of 5636	5496	TrustedInstaller.exe	153
PID 5496 wrote to memory of 5636	5496	TrustedInstaller.exe	153
PID 5636 wrote to memory of 5700	5636	cmd.exe	155
PID 5636 wrote to memory of 5700	5636	cmd.exe	155
PID 5636 wrote to memory of 5716	5636	cmd.exe	156
PID 5636 wrote to memory of 5716	5636	cmd.exe	156
PID 5636 wrote to memory of 5768	5636	cmd.exe	157
PID 5636 wrote to memory of 5768	5636	cmd.exe	157
PID 5768 wrote to memory of 5868	5768	TrustedInstaller.exe	158
PID 5768 wrote to memory of 5868	5768	TrustedInstaller.exe	158
PID 5868 wrote to memory of 5928	5868	cmd.exe	160

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.19.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.19.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Users\Admin\AppData\Local\Temp\Solaraexecutor.exe
  "C:\Users\Admin\AppData\Local\Temp\Solaraexecutor.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\5gB39wu8IXigNc9ZhKusMAzQLCwBZT1eKBOl5LOAKM0nqJLoLFIRPlM05a.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\5sOqbfN.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4360
    - - C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet/PerfNET.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1920
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3516
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3644
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4880
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3460
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4468
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4988
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:628
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft OneDrive\setup\wininit.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\System.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3924
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchApp.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4696
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\RuntimeBroker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4768
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TrustedInstaller.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xXxtRkiiGR.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:5244
        
        C:\Recovery\WindowsRE\TrustedInstaller.exe
        
        "C:\Recovery\WindowsRE\TrustedInstaller.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p52E8qRc0z.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:5700
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5716
        
        C:\Recovery\WindowsRE\TrustedInstaller.exe
        
        "C:\Recovery\WindowsRE\TrustedInstaller.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7p8ySQy6iH.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:5928
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5944
        
        C:\Recovery\WindowsRE\TrustedInstaller.exe
        
        "C:\Recovery\WindowsRE\TrustedInstaller.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4h6CQ3Ghzc.bat"
        12⤵
        
        PID:6096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2792
        
        C:\Recovery\WindowsRE\TrustedInstaller.exe
        
        "C:\Recovery\WindowsRE\TrustedInstaller.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3172
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M7ZRnUVt3i.bat"
        14⤵
        
        PID:5044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:4524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2836
        
        C:\Recovery\WindowsRE\TrustedInstaller.exe
        
        "C:\Recovery\WindowsRE\TrustedInstaller.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KduBpxWBgt.bat"
        16⤵
        
        PID:528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:4892
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2916
        
        C:\Recovery\WindowsRE\TrustedInstaller.exe
        
        "C:\Recovery\WindowsRE\TrustedInstaller.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ddp3dI2Wa5.bat"
        18⤵
        
        PID:624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:5124
        
        C:\Recovery\WindowsRE\TrustedInstaller.exe
        
        "C:\Recovery\WindowsRE\TrustedInstaller.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pQfj5ziueB.bat"
        20⤵
        
        PID:2612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:4624
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2292
        
        C:\Recovery\WindowsRE\TrustedInstaller.exe
        
        "C:\Recovery\WindowsRE\TrustedInstaller.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OLOaIFVkFd.bat"
        22⤵
        
        PID:4880
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1392
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3400
        
        C:\Recovery\WindowsRE\TrustedInstaller.exe
        
        "C:\Recovery\WindowsRE\TrustedInstaller.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pQfj5ziueB.bat"
        24⤵
        
        PID:116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1468
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5408
        
        C:\Recovery\WindowsRE\TrustedInstaller.exe
        
        "C:\Recovery\WindowsRE\TrustedInstaller.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ddp3dI2Wa5.bat"
        26⤵
        
        PID:3504
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1356
        
        C:\Recovery\WindowsRE\TrustedInstaller.exe
        
        "C:\Recovery\WindowsRE\TrustedInstaller.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RUQLKbDAyI.bat"
        28⤵
        
        PID:5432
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:4820
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3324
        
        C:\Recovery\WindowsRE\TrustedInstaller.exe
        
        "C:\Recovery\WindowsRE\TrustedInstaller.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ege7x4f51h.bat"
        30⤵
        
        PID:5704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:2512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:5732
        
        C:\Recovery\WindowsRE\TrustedInstaller.exe
        
        "C:\Recovery\WindowsRE\TrustedInstaller.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jcydu7dUmM.bat"
        32⤵
        
        PID:5968
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:5944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:5912
        
        C:\Recovery\WindowsRE\TrustedInstaller.exe
        
        "C:\Recovery\WindowsRE\TrustedInstaller.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OLOaIFVkFd.bat"
        34⤵
        
        PID:6128
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:2188
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PerfNETP" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PerfNET" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PerfNETP" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TrustedInstaller.exe.log

Filesize
1KB

MD5
f8b2fca3a50771154571c11f1c53887b

SHA1
2e83b0c8e2f4c10b145b7fb4832ed1c78743de3f

SHA256
0efa72802031a8f902c3a4ab18fe3d667dafc71c93eb3a1811e78353ecf4a6b6

SHA512
b98b8d5516593d13415199d4ac6fbe4ff924488487c4bd863cb677601048785d872a3ff30129148e2961cb6fb2fc33117540302980a132f57f7ec9a497813f1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9c172d22fbbdafe12dfc5c909edea107

SHA1
9961cfc5a51f1d375186fc64bf98214bdc0cf2df

SHA256
315439a1131019ecb316a0344395624965a961baff563be19221620e6e3dc18d

SHA512
d459ca5a3abd05b5bff39056065e786eec0260cb83b03c774ab0b98f07dfc8ef7dd5db5f37c569ac0d531ebd640c6dc0aaefc407d357280e07b011e982b91e2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4h6CQ3Ghzc.bat

Filesize
218B

MD5
7f85ea0cb07262faabfe6fb030ec139d

SHA1
1e457837e6488e0984f1f065e218623e16a6d7bd

SHA256
a8f6c24457219315861b7b392d165eb51a0f53b212431876a97f78048506c380

SHA512
387294774798c4a7fb1834134321365444657034d1dd969861c8797585e5df43e5747e7afeec8fb81ee2df0b15a3f0c3c299c879461561d5666d30e478c9bee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7p8ySQy6iH.bat

Filesize
170B

MD5
d0cc8ce4ea8e8d148f69c1f40a8cfd86

SHA1
c05e83d33d5f8ceed74d44fbbdb1a1289631d58b

SHA256
aa4b8b6d477dc5514c28edb2122b61f2fc5bbd756461cf1abbe4ed9942a61ef4

SHA512
395e1ea2655233d91af5585fdaf3a20eccda168a3eb190e6b181ec136366dcbb78b9b427a69748ace4d23792ed05de5b83779907869021be885297e8aa69e52e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ege7x4f51h.bat

Filesize
218B

MD5
e1c3ca53f7b63a12ae83510f4077990b

SHA1
001405191451214b4a2f31646dab7deaa6a7b83b

SHA256
38888d78a0c944f9dc12d1d71f50012d796a6c0b69293146afda826982ef8b71

SHA512
a8a54383e7ebb1ca80b0c4415723fec198711c70dc6ee580549568c49c08ddedbfd8a784ac5d175ffa9699e4eaf3da49eeda2343969173f67694344fbf8ccdd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jcydu7dUmM.bat

Filesize
218B

MD5
22f70cb0a4acc28829c6c62addac2336

SHA1
ce9ac2d83161444f6bc445e84a48d54ab589e774

SHA256
95928594a5c6eb73df21a1ee68dad395c49c5d6a32fe491439344a37eab94caf

SHA512
e82db274cf9097ed0cd1f53cc1e4d5fd0779be27a3aa88743e3c04adfe7889214613a80d2116884fd156f78b9e3991faf8f945f1f19a189adb895a67c61f653e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KduBpxWBgt.bat

Filesize
170B

MD5
bc43beff4de9e25eaa8703222aadd70e

SHA1
66d117ce9855590965289e6981e1b56812591594

SHA256
9b7f669afa23cb186d8cda072a16e26a8e7fe3ddded73970b869a49b81327420

SHA512
cab853a7ea5518c89181ff41957b2c8a7c136b0d69a1f345dbe80d95323a54da5aca13856ea74a1372fc11e95e0e82eeb1ba2c11e2d291d5937095487fc067b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\M7ZRnUVt3i.bat

Filesize
218B

MD5
da9f3c9b6ee24ae70815b34ed0f25f1d

SHA1
da847ae3aa9975367e444d607bc0639685bf678d

SHA256
10deb5de744d6a2a2fb7d849c3503406ca699d35321dcab68f64cdf3891eec27

SHA512
d381d2d7560b62f4c95aae882c285c1dd6764a5a3e63f8a11c3ef98d487aa3389bec23d36ee2550377f4205e24e05a2be2a547f301f1160dc2d837a1f3e5cecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\OLOaIFVkFd.bat

Filesize
218B

MD5
ac03828410ed60597eefa267de859ab1

SHA1
493d231491a7eb840811df80ece7bddb627d84d1

SHA256
8ff54e8f993e1f9316ca3fa763407c3d8d2f9f7eda0d483d87b3c05e6c6d975b

SHA512
6f80a214a77558238be503228dfc229ae4de4d2e86dc8e8addb880cac47ad9622e7e6e12b5ba528b7666cb12465bb896bc5214a6555dd64dfee083e03c9e449c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUQLKbDAyI.bat

Filesize
170B

MD5
55d7df2a552dd85de61e59481d218398

SHA1
97f35d59e889cb14d5dd393a149ba7ad27fbca1c

SHA256
02844a97ae42acf3e8b82a216134a013fcaf45cbc4232eaf12cba757d0c017f7

SHA512
405d17a72656533c992cd02326abfb86efe4c66cd58d2acfa83d1026dd239a9575b3ac2ed859063a6941af1c5789e78ad7b26528131771c82010b7f8a1b5a49f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solaraexecutor.exe

Filesize
2.1MB

MD5
b444fec863c995ec2c4810fc308f08c2

SHA1
f8f8cb40daf8054a00fb7b3895babd68c6429161

SHA256
e7cccbe17462fba64687eddc141d99920ac3e890ed1464d17b6110fdca6be7de

SHA512
1472d2a9e95c949a67734af6849f827122a178df799c7c29252cc0221437fb8573bcff0a30e8f1d0e6ab1c39c8fe72c597f863bc192133a10cd6178becc17127

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nlhd2v40.ygt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\5gB39wu8IXigNc9ZhKusMAzQLCwBZT1eKBOl5LOAKM0nqJLoLFIRPlM05a.vbe

Filesize
211B

MD5
e30ec43c2cef82698f68268735844cc5

SHA1
2ad9967dd2d1087fbe3dc96d79c49f08a17d38f9

SHA256
f6e612f2aa1d27d9c070ea07a69c4c0c9bed6e308198857ee7a1335ad7aef48b

SHA512
94ec05a7ed4f1dc0a59c12e394c651290e31b12b37a0ea80e73c362c8d1aad6bfebb2c6a87790ee9e59164ef3a16f8282695ccf94effa6d4570989621e1caec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\5sOqbfN.bat

Filesize
82B

MD5
e76af187b94b636b1c61ac0419e5b8a8

SHA1
03a8761def6fab98121efc99256fef93b3391781

SHA256
ca364ab0bdcea783a389667f2b41ce4ff5ca304172422d398e947d5d6a4e5b20

SHA512
f2beaa0d4472eca942519f56aac4c0da1da13d7e9ced01493adec053b9abc4802fad8a60b7ca2627e2349f16e6f19ca034137c3322ca7167a126856cce1dacec

Download Submit
C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe

Filesize
1.8MB

MD5
3c3b7d5864e9f151a77b33d4b9d15e3c

SHA1
d8a0c81c551da2c1e500eb2b56562a2ac0be2c81

SHA256
de07619885cbd439fa402a13cedf8edf1d67b2ae4fb078f8dc18ae7a662a7d23

SHA512
5204b39f1008093e95221b9a7ea14be6bba59a5a47d0447cfdc503c524fef9aa4001785ac0cd333f19817b6d428e2034772f6134bc84493a74f47cca2672d642

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddp3dI2Wa5.bat

Filesize
218B

MD5
e02b94656e255cf58f2bc62051f2d5a7

SHA1
a29af4cb00df9a4117bcd5d8e75e4f5e848b1c34

SHA256
95c08aec3d8ea2505a4b430997f6a94480ae0656af6b5677741e7a032b30abcd

SHA512
f4d3a0c50be15c9c51a481b7007007a27cb5536735aa5389b0ed4744950a2c5710af6156639e7dc74436fdf4d3e650030ba5ce00d71e25ba6f224d63eb302c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\p52E8qRc0z.bat

Filesize
170B

MD5
55016af7ce135a6fbe48792d742be565

SHA1
c4d3fd7531c20cc354a250868846595ba2ff924e

SHA256
2950f2a4aa4daecc5d21433f129e4048c022cda8001fc68d98254d93f95a1b43

SHA512
9460e6c42ecaa11c78e70be7217a8a61d7bf46d8d445b50a21ca9db7a223e070913ae8536e301297a0d41602d0ba4b56048c5aa9fe7a72b18eccf678c86d24c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pQfj5ziueB.bat

Filesize
170B

MD5
09d1d4d27e58a773a74af49bac3ddd18

SHA1
9ecb7742fe0e8a9f399571eaef504d99fa15bd74

SHA256
9b9911a4f5d96c9d5127255bf1b428f16b88e81fb91290dc1a96c028dbbb9c0a

SHA512
8636b2ad4fc9ed7343d940dd8dc5f3e9a4607961019c138ea6e4815fa6fbef6e208a60d4e6ac8096dbf9f7410a7c3723bb982f6ac3e4022806e7bcd22075123c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xXxtRkiiGR.bat

Filesize
218B

MD5
6de4784a19fa4a6104810d0ae4a2c6ae

SHA1
e1dccba1af7e53346254bdceea026769460d0323

SHA256
f29bc050e2b56ca0dc5fb95e36c81d548c51bfab9ef5a2c78bdcbb23db593864

SHA512
f7c3dbc7d701ec6532fa360b8f08bf7cc00a668eddd6dfc39adfd1539623a1d3e5f506c64c6abc78f474d00c463694f196d351122a11d3c1f98276cf7432cfa2

Download Submit
memory/1156-358-0x000000001B9C0000-0x000000001BA8D000-memory.dmp

Filesize
820KB

Download
memory/1156-357-0x0000000000AA0000-0x0000000000AA8000-memory.dmp

Filesize
32KB

Download
memory/1920-26-0x000000001BF10000-0x000000001BF60000-memory.dmp

Filesize
320KB

Download
memory/1920-21-0x0000000000D80000-0x0000000000F5C000-memory.dmp

Filesize
1.9MB

Download
memory/1920-23-0x000000001BA60000-0x000000001BA6E000-memory.dmp

Filesize
56KB

Download
memory/1920-25-0x000000001BEA0000-0x000000001BEBC000-memory.dmp

Filesize
112KB

Download
memory/1920-28-0x000000001BEC0000-0x000000001BED8000-memory.dmp

Filesize
96KB

Download
memory/1920-30-0x000000001BA70000-0x000000001BA7C000-memory.dmp

Filesize
48KB

Download
memory/1920-47-0x000000001C060000-0x000000001C12D000-memory.dmp

Filesize
820KB

Download
memory/3172-285-0x0000000001040000-0x0000000001048000-memory.dmp

Filesize
32KB

Download
memory/3172-286-0x000000001BDA0000-0x000000001BE6D000-memory.dmp

Filesize
820KB

Download
memory/3564-334-0x000000001C4A0000-0x000000001C56D000-memory.dmp

Filesize
820KB

Download
memory/3564-333-0x0000000002FC0000-0x0000000002FC8000-memory.dmp

Filesize
32KB

Download
memory/3660-297-0x0000000002A30000-0x0000000002A38000-memory.dmp

Filesize
32KB

Download
memory/3660-298-0x000000001C000000-0x000000001C0CD000-memory.dmp

Filesize
820KB

Download
memory/3948-7-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/4492-381-0x000000001ACF0000-0x000000001ACF8000-memory.dmp

Filesize
32KB

Download
memory/4492-382-0x000000001B9B0000-0x000000001BA7D000-memory.dmp

Filesize
820KB

Download
memory/4768-53-0x000001FC263A0000-0x000001FC263C2000-memory.dmp

Filesize
136KB

Download
memory/4936-309-0x0000000002400000-0x0000000002408000-memory.dmp

Filesize
32KB

Download
memory/4936-310-0x000000001B9D0000-0x000000001BA9D000-memory.dmp

Filesize
820KB

Download
memory/5056-346-0x000000001C1E0000-0x000000001C2AD000-memory.dmp

Filesize
820KB

Download
memory/5056-345-0x0000000002C00000-0x0000000002C08000-memory.dmp

Filesize
32KB

Download
memory/5108-369-0x0000000002D10000-0x0000000002D18000-memory.dmp

Filesize
32KB

Download
memory/5108-370-0x000000001C360000-0x000000001C42D000-memory.dmp

Filesize
820KB

Download
memory/5312-321-0x0000000001370000-0x0000000001378000-memory.dmp

Filesize
32KB

Download
memory/5312-322-0x000000001C0F0000-0x000000001C1BD000-memory.dmp

Filesize
820KB

Download
memory/5496-249-0x000000001C450000-0x000000001C51D000-memory.dmp

Filesize
820KB

Download
memory/5496-248-0x0000000002EA0000-0x0000000002EA8000-memory.dmp

Filesize
32KB

Download
memory/5768-261-0x000000001B6F0000-0x000000001B6F8000-memory.dmp

Filesize
32KB

Download
memory/5768-262-0x000000001C290000-0x000000001C35D000-memory.dmp

Filesize
820KB

Download
memory/5824-394-0x000000001BA50000-0x000000001BB1D000-memory.dmp

Filesize
820KB

Download
memory/5824-393-0x0000000000BF0000-0x0000000000BF8000-memory.dmp

Filesize
32KB

Download
memory/6000-274-0x000000001C320000-0x000000001C3ED000-memory.dmp

Filesize
820KB

Download
memory/6000-273-0x0000000002D20000-0x0000000002D28000-memory.dmp

Filesize
32KB

Download
memory/6044-406-0x000000001BE90000-0x000000001BF5D000-memory.dmp

Filesize
820KB

Download
memory/6044-405-0x00000000010D0000-0x00000000010D8000-memory.dmp

Filesize
32KB

Download