dcrat | b73c2420eddbc96bb318a64a92cb2d6432b14a8c6d87f05472b63a0bf4a38af0

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b73c2420eddbc96bb318a64a92cb2d6432b14a8c6d87f05472b63a0bf4a38af0.exe
Size

1.3MB
MD5

ca9504db716094fe01cab86895776d8a
SHA1

4aab7df9e5f108343db98f63b691ea3ad3d5ab70
SHA256

b73c2420eddbc96bb318a64a92cb2d6432b14a8c6d87f05472b63a0bf4a38af0
SHA512

53fc127866af095ce9f9abcd56460ce6baf4134e5378bd7ab405d8972d3a57f1ca0b611c1153ce69ec99e98b4acac6bbc10c38e8c3237c0a1a42366d6b7fedc0
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2756	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000192f0-9.dat	dcrat
behavioral1/memory/1712-13-0x0000000000A00000-0x0000000000B10000-memory.dmp	dcrat
behavioral1/memory/2856-129-0x00000000000E0000-0x00000000001F0000-memory.dmp	dcrat
behavioral1/memory/1684-188-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/552-249-0x0000000000280000-0x0000000000390000-memory.dmp	dcrat
behavioral1/memory/2720-309-0x0000000001260000-0x0000000001370000-memory.dmp	dcrat
behavioral1/memory/1856-369-0x0000000000240000-0x0000000000350000-memory.dmp	dcrat
behavioral1/memory/540-429-0x0000000000F10000-0x0000000001020000-memory.dmp	dcrat
behavioral1/memory/756-608-0x00000000003B0000-0x00000000004C0000-memory.dmp	dcrat
behavioral1/memory/1712-668-0x00000000009B0000-0x0000000000AC0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1608	powershell.exe
1928	powershell.exe
2076	powershell.exe
1564	powershell.exe
2308	powershell.exe
328	powershell.exe
2236	powershell.exe
1624	powershell.exe
2188	powershell.exe
3060	powershell.exe
272	powershell.exe
3064	powershell.exe
1632	powershell.exe
352	powershell.exe
2448	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
1712	DllCommonsvc.exe
2856	csrss.exe
1684	csrss.exe
552	csrss.exe
2720	csrss.exe
1856	csrss.exe
540	csrss.exe
2800	csrss.exe
680	csrss.exe
756	csrss.exe
1712	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
1952	cmd.exe
1952	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
36	raw.githubusercontent.com
16	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
19	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\Google\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\24dbde2999530e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b73c2420eddbc96bb318a64a92cb2d6432b14a8c6d87f05472b63a0bf4a38af0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1664	schtasks.exe
2480	schtasks.exe
2072	schtasks.exe
2300	schtasks.exe
1652	schtasks.exe
2892	schtasks.exe
968	schtasks.exe
1924	schtasks.exe
2636	schtasks.exe
1792	schtasks.exe
1416	schtasks.exe
2168	schtasks.exe
1856	schtasks.exe
732	schtasks.exe
816	schtasks.exe
2708	schtasks.exe
2420	schtasks.exe
376	schtasks.exe
1812	schtasks.exe
440	schtasks.exe
880	schtasks.exe
2592	schtasks.exe
1972	schtasks.exe
552	schtasks.exe
2944	schtasks.exe
2432	schtasks.exe
396	schtasks.exe
2180	schtasks.exe
2056	schtasks.exe
528	schtasks.exe
2144	schtasks.exe
2968	schtasks.exe
1288	schtasks.exe
1324	schtasks.exe
1380	schtasks.exe
1248	schtasks.exe
2316	schtasks.exe
2956	schtasks.exe
2660	schtasks.exe
2252	schtasks.exe
1480	schtasks.exe
536	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1712	DllCommonsvc.exe
1712	DllCommonsvc.exe
1712	DllCommonsvc.exe
1632	powershell.exe
1608	powershell.exe
328	powershell.exe
2448	powershell.exe
3064	powershell.exe
1928	powershell.exe
272	powershell.exe
2076	powershell.exe
3060	powershell.exe
352	powershell.exe
1564	powershell.exe
2308	powershell.exe
2188	powershell.exe
1624	powershell.exe
2236	powershell.exe
2856	csrss.exe
1684	csrss.exe
552	csrss.exe
2720	csrss.exe
1856	csrss.exe
540	csrss.exe
2800	csrss.exe
680	csrss.exe
756	csrss.exe
1712	csrss.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	DllCommonsvc.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	328	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	272	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	352	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2856	csrss.exe
Token: SeDebugPrivilege	1684	csrss.exe
Token: SeDebugPrivilege	552	csrss.exe
Token: SeDebugPrivilege	2720	csrss.exe
Token: SeDebugPrivilege	1856	csrss.exe
Token: SeDebugPrivilege	540	csrss.exe
Token: SeDebugPrivilege	2800	csrss.exe
Token: SeDebugPrivilege	680	csrss.exe
Token: SeDebugPrivilege	756	csrss.exe
Token: SeDebugPrivilege	1712	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2348	2524	b73c2420eddbc96bb318a64a92cb2d6432b14a8c6d87f05472b63a0bf4a38af0.exe	30
PID 2524 wrote to memory of 2348	2524	b73c2420eddbc96bb318a64a92cb2d6432b14a8c6d87f05472b63a0bf4a38af0.exe	30
PID 2524 wrote to memory of 2348	2524	b73c2420eddbc96bb318a64a92cb2d6432b14a8c6d87f05472b63a0bf4a38af0.exe	30
PID 2524 wrote to memory of 2348	2524	b73c2420eddbc96bb318a64a92cb2d6432b14a8c6d87f05472b63a0bf4a38af0.exe	30
PID 2348 wrote to memory of 1952	2348	WScript.exe	31
PID 2348 wrote to memory of 1952	2348	WScript.exe	31
PID 2348 wrote to memory of 1952	2348	WScript.exe	31
PID 2348 wrote to memory of 1952	2348	WScript.exe	31
PID 1952 wrote to memory of 1712	1952	cmd.exe	33
PID 1952 wrote to memory of 1712	1952	cmd.exe	33
PID 1952 wrote to memory of 1712	1952	cmd.exe	33
PID 1952 wrote to memory of 1712	1952	cmd.exe	33
PID 1712 wrote to memory of 2308	1712	DllCommonsvc.exe	77
PID 1712 wrote to memory of 2308	1712	DllCommonsvc.exe	77
PID 1712 wrote to memory of 2308	1712	DllCommonsvc.exe	77
PID 1712 wrote to memory of 3060	1712	DllCommonsvc.exe	78
PID 1712 wrote to memory of 3060	1712	DllCommonsvc.exe	78
PID 1712 wrote to memory of 3060	1712	DllCommonsvc.exe	78
PID 1712 wrote to memory of 3064	1712	DllCommonsvc.exe	79
PID 1712 wrote to memory of 3064	1712	DllCommonsvc.exe	79
PID 1712 wrote to memory of 3064	1712	DllCommonsvc.exe	79
PID 1712 wrote to memory of 1608	1712	DllCommonsvc.exe	80
PID 1712 wrote to memory of 1608	1712	DllCommonsvc.exe	80
PID 1712 wrote to memory of 1608	1712	DllCommonsvc.exe	80
PID 1712 wrote to memory of 328	1712	DllCommonsvc.exe	81
PID 1712 wrote to memory of 328	1712	DllCommonsvc.exe	81
PID 1712 wrote to memory of 328	1712	DllCommonsvc.exe	81
PID 1712 wrote to memory of 2236	1712	DllCommonsvc.exe	82
PID 1712 wrote to memory of 2236	1712	DllCommonsvc.exe	82
PID 1712 wrote to memory of 2236	1712	DllCommonsvc.exe	82
PID 1712 wrote to memory of 1928	1712	DllCommonsvc.exe	83
PID 1712 wrote to memory of 1928	1712	DllCommonsvc.exe	83
PID 1712 wrote to memory of 1928	1712	DllCommonsvc.exe	83
PID 1712 wrote to memory of 2448	1712	DllCommonsvc.exe	84
PID 1712 wrote to memory of 2448	1712	DllCommonsvc.exe	84
PID 1712 wrote to memory of 2448	1712	DllCommonsvc.exe	84
PID 1712 wrote to memory of 2076	1712	DllCommonsvc.exe	85
PID 1712 wrote to memory of 2076	1712	DllCommonsvc.exe	85
PID 1712 wrote to memory of 2076	1712	DllCommonsvc.exe	85
PID 1712 wrote to memory of 1624	1712	DllCommonsvc.exe	86
PID 1712 wrote to memory of 1624	1712	DllCommonsvc.exe	86
PID 1712 wrote to memory of 1624	1712	DllCommonsvc.exe	86
PID 1712 wrote to memory of 1632	1712	DllCommonsvc.exe	87
PID 1712 wrote to memory of 1632	1712	DllCommonsvc.exe	87
PID 1712 wrote to memory of 1632	1712	DllCommonsvc.exe	87
PID 1712 wrote to memory of 2188	1712	DllCommonsvc.exe	88
PID 1712 wrote to memory of 2188	1712	DllCommonsvc.exe	88
PID 1712 wrote to memory of 2188	1712	DllCommonsvc.exe	88
PID 1712 wrote to memory of 1564	1712	DllCommonsvc.exe	89
PID 1712 wrote to memory of 1564	1712	DllCommonsvc.exe	89
PID 1712 wrote to memory of 1564	1712	DllCommonsvc.exe	89
PID 1712 wrote to memory of 352	1712	DllCommonsvc.exe	90
PID 1712 wrote to memory of 352	1712	DllCommonsvc.exe	90
PID 1712 wrote to memory of 352	1712	DllCommonsvc.exe	90
PID 1712 wrote to memory of 272	1712	DllCommonsvc.exe	91
PID 1712 wrote to memory of 272	1712	DllCommonsvc.exe	91
PID 1712 wrote to memory of 272	1712	DllCommonsvc.exe	91
PID 1712 wrote to memory of 1964	1712	DllCommonsvc.exe	106
PID 1712 wrote to memory of 1964	1712	DllCommonsvc.exe	106
PID 1712 wrote to memory of 1964	1712	DllCommonsvc.exe	106
PID 1964 wrote to memory of 2784	1964	cmd.exe	109
PID 1964 wrote to memory of 2784	1964	cmd.exe	109
PID 1964 wrote to memory of 2784	1964	cmd.exe	109
PID 1964 wrote to memory of 2856	1964	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b73c2420eddbc96bb318a64a92cb2d6432b14a8c6d87f05472b63a0bf4a38af0.exe
"C:\Users\Admin\AppData\Local\Temp\b73c2420eddbc96bb318a64a92cb2d6432b14a8c6d87f05472b63a0bf4a38af0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Music\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:272
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dYd4652RFG.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1964
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2784
      - C:\Users\Default\Music\csrss.exe
        
        "C:\Users\Default\Music\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat"
        7⤵
        
        PID:1648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:324
        
        C:\Users\Default\Music\csrss.exe
        
        "C:\Users\Default\Music\csrss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat"
        9⤵
        
        PID:1036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2400
        
        C:\Users\Default\Music\csrss.exe
        
        "C:\Users\Default\Music\csrss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat"
        11⤵
        
        PID:1416
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2628
        
        C:\Users\Default\Music\csrss.exe
        
        "C:\Users\Default\Music\csrss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat"
        13⤵
        
        PID:2220
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1984
        
        C:\Users\Default\Music\csrss.exe
        
        "C:\Users\Default\Music\csrss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PGGCz4Ehy5.bat"
        15⤵
        
        PID:2436
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2876
        
        C:\Users\Default\Music\csrss.exe
        
        "C:\Users\Default\Music\csrss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\goxiuQmrpE.bat"
        17⤵
        
        PID:2772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1680
        
        C:\Users\Default\Music\csrss.exe
        
        "C:\Users\Default\Music\csrss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat"
        19⤵
        
        PID:880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2888
        
        C:\Users\Default\Music\csrss.exe
        
        "C:\Users\Default\Music\csrss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat"
        21⤵
        
        PID:1572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1564
        
        C:\Users\Default\Music\csrss.exe
        
        "C:\Users\Default\Music\csrss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CWxqMEPA9M.bat"
        23⤵
        
        PID:2236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:576
        
        C:\Users\Default\Music\csrss.exe
        
        "C:\Users\Default\Music\csrss.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Google\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Music\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Music\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Music\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82233ee7aa3fb2979286b3c12c9a4d38

SHA1
316c6560bca76e3f6aee4e1eeda01edf456d098e

SHA256
78a347a2a298902f6e6bee62f3ed5b463e10fa69ea320c12fabf7f42f1ae35d0

SHA512
f2ba483a9592fb6e207dc7688611d1afa98ab01417a2d6dcf9b9a4da3dc1388a4876c13642b3ca586e1d7256f107276a455f0ba3de4acf343cfa39c0f6be04c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d09360d66b790f0b175571bb7037654

SHA1
ba31d2d0e2284db6190ad02efd5e6333b5fb7162

SHA256
4fa872046de2cc41485f3fc50d401b29b39e3d4d9f4cfb81bbf2167c472d4827

SHA512
bf057c6ab23631bbaeddbb16a1e260f80db89fe31053254a096aa7c90959b9e26c2e96c9cffad0012aa0fe1f245d5dc635a0132eed78b4f8c1edd8a38bcef60a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
848e45677e3a3d4191cbeba5da8b7275

SHA1
944404f8e40047f5ed71a6739d9064e984aa2813

SHA256
fcab6c418f140e8b84351fc8bb7abea6f8b77de4e98cc1ae7706060590fa4614

SHA512
06b8a2b110ef37200051a6018b56153fbb4c39514d61b5f32690f56d9929c9cec6b6bb33a3fac2f46846ad5707bc469b555b0e59fdfb11196bcd01822d249d7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
50fe3ba46e8aa2d29e328ad3aaa7f794

SHA1
bd561e662db89f96d82d9b27bc01f8286b7b930f

SHA256
c90a56ee75c97859d8a7d1c3e7d1e2c4f293c5b023419a3b5db1a8ed0fc498c1

SHA512
d6adc1cb3ac96c9e65a8962693e7ec9625e8c4e6aa9965fdb2b8fbd4e7e031c19f37d5b2301f8a34b21d8bdaf0bc4b45d32077dca1524f30a38ad1598de350cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4cab8231a6a311f3809f15851a189a1f

SHA1
fad6268d45156674aa924834bb13b0239544d0d2

SHA256
9f6645803f7c985e1720cf5e393df84072cd9ca60afabd9def98e7caaa50eaa3

SHA512
b7da1b8702fb501c0024dddaecb6f1751c043667214bd4e5dcfdd4f21258f50dca9310113c7534436b7d683f1aa9a8824ecfd59e623d970cb30463783e06f406

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4497665b56db81452800190f2c46c85e

SHA1
fc4a8ff18976ddc778030b87f3c00b753411e14c

SHA256
b21823144344219c0f7559a33b9c192d775873c556aaccf44d9ef66fee70714a

SHA512
daa76872ee0f99e641488f3274e38f0cf4edced61402a38064d74ed7d4b84866751267965c58e157f8f295219cebd5eef2f12daceb0410a7b301129da0d3b7bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
764ba3749024358f2259b6e23e86ec73

SHA1
56d9c5486f5227e46a7f1a47fbd16d49b5c711af

SHA256
46e7516cf1ca8f308787584e799d75839838e2add0729273cb88a1c848321902

SHA512
595d4048c6712e84662b0904e3071e239de628a0e48d49439398054cc5b1f31397f26073b2e3b814304aa80c61570a67c6ab53ea395ea20c1d3f2aa1ed40e52b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21102b584e4faf042b937eb4288cfb0f

SHA1
2917982f688bc089056079d82c4cfae2afff3c4c

SHA256
5078924eccd30c9075c01c77958770aef786c53f7f10bbb4ec78638f0c8d580f

SHA512
4654d4afb86b491502a043ae76f1e94290743ad53fd49013512a343d46aed2ad84de1b912190b1683bbda11569e1de258bf434a54f07c587ddb0f1ce41d85807

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47596c933130f191681d5c4ced1ee21b

SHA1
7384757066c6bb58079aab843cf7388be00a41a0

SHA256
540950e3be62a5ccd212db19c672b2d953bf2c4153ef0dce88bb2e572b4d2488

SHA512
96eadca1161d5c310fe75dad0eeaf9d17cd9d158dc5c5ae735a61d05833455accfebd6442187c9981e0300867136683a64f42386c1d47585c6f79ee923a9d6f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat

Filesize
197B

MD5
19470dbf309728a92923150b534127e0

SHA1
6e526ab4a26328c372375461104954b1ed4fc19f

SHA256
7f9b4cbed64f59fe40aae422090854ccf0e1daf528b6dc0e0002845f6e03054a

SHA512
1e6e46811a183ed6e38506ea1e92be0b85a2934b9089c46db4441d4a3f375b51348065e598d7afe146a6f8f1360197fa9618f89cc730897da1feaa68161c029b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CWxqMEPA9M.bat

Filesize
197B

MD5
de781fbeeb88caeb86fc13f761e48205

SHA1
50dd81d16dd0da50a7145bfcf3ec0f4df0b68e61

SHA256
c582cf8a71fe6c943c7bbfd04c540c78a001a778bde776690a69c157825e9b40

SHA512
2527fd24db168e8ae7a50879d851632b58c81d7cee565ac1ae5f77d5259b8f143faef0e6ad2deb63e3bb409613941cab0e625bad297f1ff7e1a27af4eb288692

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEFCD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat

Filesize
197B

MD5
a58cf489b3c1d9cd654874713a9af3a4

SHA1
178e7b19214d373f83d058756d070ff580250a71

SHA256
a4842578292330d86ed25a06122cad6a8dfe4f858f0353b25f2e8e621f65f4a7

SHA512
be39cd5bed4ce477ebda0c3a1594a6173a9fba79f39e54d6a7903730a238940b8e36ad8221108b38aa408586f11743c2572dac1995332839537d5f1b6a09b460

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat

Filesize
197B

MD5
fbc58f5af474416a2e6e732438eb77af

SHA1
d017978dc0db279f44d84b962b1c2f183de5f96e

SHA256
2f3614e9a4b19ea4aed754f31bac6ce1bac115519defbd8d731c91bfa3b5bb51

SHA512
f2d05cff8bd86963def2335b27d7eed2e37d750f5024e6182a313173ea1089a834672b718891df9faa1c8aee79bc64a4763e169818025b39653c48fd7cdc4297

Download Submit
C:\Users\Admin\AppData\Local\Temp\PGGCz4Ehy5.bat

Filesize
197B

MD5
5f00856c7e33909455150b0281d2a51c

SHA1
fca5de9250817c5e0dd4fcbadd77abd0af26640e

SHA256
f095be005f3b756b8509b30f7bb6c0fadfb606a8ba6f4b34369ee18efa9f0976

SHA512
e5b41bce9437b8044e5bfb1e2e042ccc550b54adcd0b3d0c9b42f23cfc596dfea5c55dda36255d3c04d1477eda75a7ad052ff89bb7c520c1ddf3d9012c22d92d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat

Filesize
197B

MD5
8a11506d6d371fca59656e8e84a558ce

SHA1
264e2355a1eba821a25731945c19c2f1b7154475

SHA256
c618b044bc5f37b13f55061dd4e276628ca15c732817cb5fb65d44ea455244f5

SHA512
2fce81cb81e439bc95a4eda9e50c90b2ed9f28219d41c09bcdace8b9c0c45eb1733bcdbac66fa5350e77363b59ae471ea991e5f745f6e52d78b46a5d084390e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEFEF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat

Filesize
197B

MD5
a7560740ad73996e4a62f8d07b8c77a5

SHA1
dbe7b407e331b9f9fa9ee0aa4135f0fd2bda30f8

SHA256
a42157e9cbd89f8c4654e3017346c8c46bcc136172e4cd116c9bb281f489bdd0

SHA512
b215870aee40be7dd76cc18c01ac5443e02f0a76fab27d26bcd6e85a980ab3254b9a40b98338e60e398328d6a8cf1076238f45344960cd1e6cbff352fdeae9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dYd4652RFG.bat

Filesize
197B

MD5
96e82f6ffc2a161a46d6173a060ebc0c

SHA1
6e8dd72293f0387d2a80562040c32eb7206b9c97

SHA256
7687ddb51da8dc439032673b7eec4c393500d533c4418a87a92c6c6376312d72

SHA512
4b19c8b4a4ad9fa02f46faea2c0124540e133d9f2a1cdca53b647eb9477cf2ed23dd671a00b334d6bb5175419212747111e084559cadbf6a5fb36a46422ed6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\goxiuQmrpE.bat

Filesize
197B

MD5
aa430a162304ab01b5e49909113e685a

SHA1
0c6ad44e811e6236cf797089d8c80d7bd12fc819

SHA256
12c33161231d38f9a9f5aefe33fb7c326a9a2e4eac15254df35713480e334bc1

SHA512
43bb2d159358fe82e2a67f27cf3d48757c5d3485e389f6242d8135cb81e331c5ba091f576d951a9379f4234b47408b35f2c47a0545260b67ac6aee64036a5a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat

Filesize
197B

MD5
a1727174a82efd58eff7e5046060451b

SHA1
86695b6da8aa6c5806bd769e9cfc0818894eae91

SHA256
6a841602debaad8fe525e7d6077688f86b722c50679d50185e229e10b2dd6c45

SHA512
fd0e0e77386ba7517e2828f1e8cc8a370aa3a1f6a50525a60b771837779732c947315fdab5af612e5db98d31e8bb7c5650aeb5c67f4859fc2d63f36a4ed59623

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4560fdf9085fc3d9e12a363d3b5cb8d5

SHA1
93decfa883b2a8f7b735a8b3b5ad6e8901ce4a72

SHA256
f0011abed6adf44b9041f0b1e69b8d87e4f567d18fbf4be752f23a2213040f3a

SHA512
71a19b0e7b756946b1dc4a0afccfd6f7cd03dc86ab70e5133495ce8ab6c28e91976f092d2cea3be9fa40feff77379b8cc2809ba4486a77b06527ab11da8b2f53

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/540-429-0x0000000000F10000-0x0000000001020000-memory.dmp

Filesize
1.1MB

Download
memory/552-249-0x0000000000280000-0x0000000000390000-memory.dmp

Filesize
1.1MB

Download
memory/680-548-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/756-608-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download
memory/1632-60-0x000000001B530000-0x000000001B812000-memory.dmp

Filesize
2.9MB

Download
memory/1632-61-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1684-188-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/1684-189-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1712-17-0x00000000002C0000-0x00000000002CC000-memory.dmp

Filesize
48KB

Download
memory/1712-16-0x00000000002A0000-0x00000000002AC000-memory.dmp

Filesize
48KB

Download
memory/1712-15-0x00000000002B0000-0x00000000002BC000-memory.dmp

Filesize
48KB

Download
memory/1712-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1712-668-0x00000000009B0000-0x0000000000AC0000-memory.dmp

Filesize
1.1MB

Download
memory/1712-13-0x0000000000A00000-0x0000000000B10000-memory.dmp

Filesize
1.1MB

Download
memory/1856-369-0x0000000000240000-0x0000000000350000-memory.dmp

Filesize
1.1MB

Download
memory/2720-309-0x0000000001260000-0x0000000001370000-memory.dmp

Filesize
1.1MB

Download
memory/2856-129-0x00000000000E0000-0x00000000001F0000-memory.dmp

Filesize
1.1MB

Download