dcrat | 43dd3ea9d558395804af6d217d83062cef627a9867a37dc707372be27f4a0042

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_43dd3ea9d558395804af6d217d83062cef627a9867a37dc707372be27f4a0042.exe
Size

1.3MB
MD5

bfc6b5cc8e374433b2902835bf1e2e31
SHA1

7bebcd9f7bae8965f7f4ed38ab17a468ae760168
SHA256

43dd3ea9d558395804af6d217d83062cef627a9867a37dc707372be27f4a0042
SHA512

b536e3d1c740907740ee3ef914e73797d8d95c92ee3e8bfe6931bbc47a6a74abee72e8c2d50d934e99876ecd9ff3e4907f6d620ad213b0302693ee2adc69d5f4
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	1792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3428	1792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	1792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	1792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	1792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3700	1792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	1792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	1792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3308	1792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	1792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	1792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	1792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	1792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	1792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	1792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	1792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	1792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3376	1792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	1792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	1792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	508	1792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	1792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	1792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	1792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	1792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	1792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	1792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	1792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	1792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	1792	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b7b-9.dat	dcrat
behavioral2/memory/4228-13-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4200	powershell.exe
1800	powershell.exe
4952	powershell.exe
4532	powershell.exe
4748	powershell.exe
3280	powershell.exe
920	powershell.exe
2772	powershell.exe
1516	powershell.exe
3856	powershell.exe
4752	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	JaffaCakes118_43dd3ea9d558395804af6d217d83062cef627a9867a37dc707372be27f4a0042.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	dllhost.exe

Executes dropped EXE 14 IoCs

pid	Process
4228	DllCommonsvc.exe
1584	dllhost.exe
3672	dllhost.exe
1692	dllhost.exe
2248	dllhost.exe
2576	dllhost.exe
4580	dllhost.exe
1740	dllhost.exe
4344	dllhost.exe
4752	dllhost.exe
2712	dllhost.exe
1688	dllhost.exe
4588	dllhost.exe
2492	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
51	raw.githubusercontent.com
52	raw.githubusercontent.com
16	raw.githubusercontent.com
17	raw.githubusercontent.com
37	raw.githubusercontent.com
49	raw.githubusercontent.com
43	raw.githubusercontent.com
48	raw.githubusercontent.com
50	raw.githubusercontent.com
29	raw.githubusercontent.com
38	raw.githubusercontent.com
41	raw.githubusercontent.com
42	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\22eafd247d37c3	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\TextInputHost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Mail\TextInputHost.exe	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Performance\WinSAT\DataStore\38384e6a620884	DllCommonsvc.exe
File created	C:\Windows\TAPI\services.exe	DllCommonsvc.exe
File created	C:\Windows\TAPI\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Windows\ShellComponents\StartMenuExperienceHost.exe	DllCommonsvc.exe
File created	C:\Windows\ShellComponents\55b276f4edf653	DllCommonsvc.exe
File created	C:\Windows\Performance\WinSAT\DataStore\SearchApp.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_43dd3ea9d558395804af6d217d83062cef627a9867a37dc707372be27f4a0042.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	JaffaCakes118_43dd3ea9d558395804af6d217d83062cef627a9867a37dc707372be27f4a0042.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	dllhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3700	schtasks.exe
3092	schtasks.exe
1756	schtasks.exe
3376	schtasks.exe
864	schtasks.exe
3008	schtasks.exe
3084	schtasks.exe
4512	schtasks.exe
4808	schtasks.exe
2628	schtasks.exe
1596	schtasks.exe
4928	schtasks.exe
2748	schtasks.exe
3416	schtasks.exe
4072	schtasks.exe
2216	schtasks.exe
3428	schtasks.exe
1000	schtasks.exe
1196	schtasks.exe
220	schtasks.exe
2760	schtasks.exe
4556	schtasks.exe
1628	schtasks.exe
4632	schtasks.exe
2408	schtasks.exe
3308	schtasks.exe
3628	schtasks.exe
3952	schtasks.exe
1064	schtasks.exe
508	schtasks.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
4228	DllCommonsvc.exe
4228	DllCommonsvc.exe
4228	DllCommonsvc.exe
4228	DllCommonsvc.exe
4228	DllCommonsvc.exe
4228	DllCommonsvc.exe
4228	DllCommonsvc.exe
4228	DllCommonsvc.exe
4228	DllCommonsvc.exe
4228	DllCommonsvc.exe
4228	DllCommonsvc.exe
4952	powershell.exe
4952	powershell.exe
920	powershell.exe
920	powershell.exe
3856	powershell.exe
3856	powershell.exe
4752	powershell.exe
4752	powershell.exe
2772	powershell.exe
2772	powershell.exe
4200	powershell.exe
4200	powershell.exe
1516	powershell.exe
1516	powershell.exe
1800	powershell.exe
1800	powershell.exe
3280	powershell.exe
3280	powershell.exe
4532	powershell.exe
4532	powershell.exe
4748	powershell.exe
4748	powershell.exe
4200	powershell.exe
3856	powershell.exe
1516	powershell.exe
920	powershell.exe
4952	powershell.exe
4532	powershell.exe
4752	powershell.exe
2772	powershell.exe
1800	powershell.exe
3280	powershell.exe
4748	powershell.exe
1584	dllhost.exe
3672	dllhost.exe
1692	dllhost.exe
2248	dllhost.exe
2576	dllhost.exe
4580	dllhost.exe
1740	dllhost.exe
4344	dllhost.exe
4752	dllhost.exe
2712	dllhost.exe
1688	dllhost.exe
4588	dllhost.exe
2492	dllhost.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	4228	DllCommonsvc.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	3856	powershell.exe
Token: SeDebugPrivilege	4200	powershell.exe
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	3280	powershell.exe
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeDebugPrivilege	1584	dllhost.exe
Token: SeDebugPrivilege	3672	dllhost.exe
Token: SeDebugPrivilege	1692	dllhost.exe
Token: SeDebugPrivilege	2248	dllhost.exe
Token: SeDebugPrivilege	2576	dllhost.exe
Token: SeDebugPrivilege	4580	dllhost.exe
Token: SeDebugPrivilege	1740	dllhost.exe
Token: SeDebugPrivilege	4344	dllhost.exe
Token: SeDebugPrivilege	4752	dllhost.exe
Token: SeDebugPrivilege	2712	dllhost.exe
Token: SeDebugPrivilege	1688	dllhost.exe
Token: SeDebugPrivilege	4588	dllhost.exe
Token: SeDebugPrivilege	2492	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 2236	3292	JaffaCakes118_43dd3ea9d558395804af6d217d83062cef627a9867a37dc707372be27f4a0042.exe	83
PID 3292 wrote to memory of 2236	3292	JaffaCakes118_43dd3ea9d558395804af6d217d83062cef627a9867a37dc707372be27f4a0042.exe	83
PID 3292 wrote to memory of 2236	3292	JaffaCakes118_43dd3ea9d558395804af6d217d83062cef627a9867a37dc707372be27f4a0042.exe	83
PID 2236 wrote to memory of 4980	2236	WScript.exe	85
PID 2236 wrote to memory of 4980	2236	WScript.exe	85
PID 2236 wrote to memory of 4980	2236	WScript.exe	85
PID 4980 wrote to memory of 4228	4980	cmd.exe	87
PID 4980 wrote to memory of 4228	4980	cmd.exe	87
PID 4228 wrote to memory of 3280	4228	DllCommonsvc.exe	120
PID 4228 wrote to memory of 3280	4228	DllCommonsvc.exe	120
PID 4228 wrote to memory of 920	4228	DllCommonsvc.exe	121
PID 4228 wrote to memory of 920	4228	DllCommonsvc.exe	121
PID 4228 wrote to memory of 2772	4228	DllCommonsvc.exe	122
PID 4228 wrote to memory of 2772	4228	DllCommonsvc.exe	122
PID 4228 wrote to memory of 4952	4228	DllCommonsvc.exe	123
PID 4228 wrote to memory of 4952	4228	DllCommonsvc.exe	123
PID 4228 wrote to memory of 1800	4228	DllCommonsvc.exe	124
PID 4228 wrote to memory of 1800	4228	DllCommonsvc.exe	124
PID 4228 wrote to memory of 4748	4228	DllCommonsvc.exe	125
PID 4228 wrote to memory of 4748	4228	DllCommonsvc.exe	125
PID 4228 wrote to memory of 4532	4228	DllCommonsvc.exe	126
PID 4228 wrote to memory of 4532	4228	DllCommonsvc.exe	126
PID 4228 wrote to memory of 4200	4228	DllCommonsvc.exe	127
PID 4228 wrote to memory of 4200	4228	DllCommonsvc.exe	127
PID 4228 wrote to memory of 4752	4228	DllCommonsvc.exe	128
PID 4228 wrote to memory of 4752	4228	DllCommonsvc.exe	128
PID 4228 wrote to memory of 3856	4228	DllCommonsvc.exe	129
PID 4228 wrote to memory of 3856	4228	DllCommonsvc.exe	129
PID 4228 wrote to memory of 1516	4228	DllCommonsvc.exe	130
PID 4228 wrote to memory of 1516	4228	DllCommonsvc.exe	130
PID 4228 wrote to memory of 4444	4228	DllCommonsvc.exe	142
PID 4228 wrote to memory of 4444	4228	DllCommonsvc.exe	142
PID 4444 wrote to memory of 2040	4444	cmd.exe	144
PID 4444 wrote to memory of 2040	4444	cmd.exe	144
PID 4444 wrote to memory of 1584	4444	cmd.exe	145
PID 4444 wrote to memory of 1584	4444	cmd.exe	145
PID 1584 wrote to memory of 4248	1584	dllhost.exe	153
PID 1584 wrote to memory of 4248	1584	dllhost.exe	153
PID 4248 wrote to memory of 1392	4248	cmd.exe	155
PID 4248 wrote to memory of 1392	4248	cmd.exe	155
PID 4248 wrote to memory of 3672	4248	cmd.exe	161
PID 4248 wrote to memory of 3672	4248	cmd.exe	161
PID 3672 wrote to memory of 544	3672	dllhost.exe	165
PID 3672 wrote to memory of 544	3672	dllhost.exe	165
PID 544 wrote to memory of 3392	544	cmd.exe	167
PID 544 wrote to memory of 3392	544	cmd.exe	167
PID 544 wrote to memory of 1692	544	cmd.exe	170
PID 544 wrote to memory of 1692	544	cmd.exe	170
PID 1692 wrote to memory of 4752	1692	dllhost.exe	172
PID 1692 wrote to memory of 4752	1692	dllhost.exe	172
PID 4752 wrote to memory of 1508	4752	cmd.exe	174
PID 4752 wrote to memory of 1508	4752	cmd.exe	174
PID 4752 wrote to memory of 2248	4752	cmd.exe	176
PID 4752 wrote to memory of 2248	4752	cmd.exe	176
PID 2248 wrote to memory of 4412	2248	dllhost.exe	178
PID 2248 wrote to memory of 4412	2248	dllhost.exe	178
PID 4412 wrote to memory of 2896	4412	cmd.exe	180
PID 4412 wrote to memory of 2896	4412	cmd.exe	180
PID 4412 wrote to memory of 2576	4412	cmd.exe	182
PID 4412 wrote to memory of 2576	4412	cmd.exe	182
PID 2576 wrote to memory of 2728	2576	dllhost.exe	184
PID 2576 wrote to memory of 2728	2576	dllhost.exe	184
PID 2728 wrote to memory of 2624	2728	cmd.exe	186
PID 2728 wrote to memory of 2624	2728	cmd.exe	186

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43dd3ea9d558395804af6d217d83062cef627a9867a37dc707372be27f4a0042.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43dd3ea9d558395804af6d217d83062cef627a9867a37dc707372be27f4a0042.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4980
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\TextInputHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Vault\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellComponents\StartMenuExperienceHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ORy3RfYgYW.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4444
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2040
      - C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\peQnm3nkJb.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1392
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yWf31kVUUl.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3392
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NADK710Kqv.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1508
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2896
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8RIE4o2SCx.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2624
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat"
        17⤵
        
        PID:2360
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2688
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat"
        19⤵
        
        PID:2228
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:4912
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P6ENo64DAh.bat"
        21⤵
        
        PID:1784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2132
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat"
        23⤵
        
        PID:1632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3884
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2U51WDObLZ.bat"
        25⤵
        
        PID:4948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4168
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\peQnm3nkJb.bat"
        27⤵
        
        PID:3188
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2448
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat"
        29⤵
        
        PID:3384
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:3316
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        30⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\Vault\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Vault\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\Vault\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\TAPI\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\All Users\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellComponents\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\ShellComponents\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellComponents\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Windows\Performance\WinSAT\DataStore\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\WinSAT\DataStore\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2U51WDObLZ.bat

Filesize
198B

MD5
2d72ce53961e81c82e02aa37186e2e4d

SHA1
4c813da5daed8218dfe453c760a71f786b73cf61

SHA256
96f8cb495acdde9be62b8eeb8f4a94e3ff6c04732f8a2f7c1a5fcb9339d806c7

SHA512
b0e1cb1a017749b9c6ca404e2f1b69137e7194f94a125e90e324dcfb366f65f322e714c14c0997d875f23ef9cda0268bdc2d4956002a019757fb51ad218563b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\8RIE4o2SCx.bat

Filesize
198B

MD5
362dea4d63b2df9fe1df8e9cc0d28f02

SHA1
85746a30c6b9d14de63385af683b02277b2ad8cc

SHA256
fb598db9014865b2b71e59a3f36322cfd1ee43d06b053f18c3606ab9edd472fd

SHA512
7c0faa6dd6b1192306f89358afeb41a55285e67ce5b2d3a4d946ca67c040f0eb125b63b17572fcd9607cdc54610d063bb19091b7ff570f998ac352af36d99850

Download Submit
C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat

Filesize
198B

MD5
a01c44988cec497555972a4ca3a0e5fc

SHA1
9aeebe11b2bf50d0cadc4c9e6102b302637d6f11

SHA256
18cf7720b67f22ab8fa4f3d6bd68df51edfd857e65de0eb852684b9cfe4ba509

SHA512
7932fed5a9818dbdd60b74e7f3cc79c368cda0619e2289d3ac377b4c36a80e0f2d2f02d7549ae4b2c7c01d88e336bcceddb743d44856af28ef7573709a666b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat

Filesize
198B

MD5
f3f729bb44aaef6f205ccc42bc77753a

SHA1
674292c88b1c2cc1770dd66ac23264f7bb3c4d41

SHA256
1665332036e2b2a1d3012971dddd3f01a50d81f11383b5e4a1672588716fcde9

SHA512
7c1cd3530f51cae9dd62b248b104806c511042dc2c37bc46fb06e0452916277e1ade745601de96a42495852db60094a0b8abbeb3dd47c39e52877f41ac9499c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NADK710Kqv.bat

Filesize
198B

MD5
037e71a9a72291db7733b45bba4aec58

SHA1
0aa91e19ba6fa93f871cdc14d3b070e32adac851

SHA256
1149cc5b2c27c69d1dad43a8f83adb49d22deb5b89cf3d97fa9a23b68979ca38

SHA512
df4a2dd29d6fa6df187d69dcad538990dfb7c195b9d77b4319f42476efd4b688e246abaaf3a7d5e975a2d1bc8f3c7c9f671e534ff17aa7b0eb68d96f55b774e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ORy3RfYgYW.bat

Filesize
198B

MD5
d1fca04f64ca190d84f4337b63845227

SHA1
a5e922731fbdc88031c1264de27cdb61414b6e9a

SHA256
64f01a7434d630a740e5ca53d26e304f99130a86cd3d7196f55370655a65f35e

SHA512
d50af0a5e9648ecf6a75399f74cb58a75e88da4215bb069ec348ce42863aeb847519c0f8711c960404bee21e10fd6db703e4c52d90f0685e6b07cc2d14ff32d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\P6ENo64DAh.bat

Filesize
198B

MD5
faca9fdce7a97e2959756cc116a0b43d

SHA1
ca1cc1c38ffda082df841badb2e99154352bff5b

SHA256
22a03f7e43331526011a199d42192bb1bd86fdf2470d0216ef37f172fd480803

SHA512
8094fb5abaf53002f4023bf77a700b6b90e096d7274f4c9913ff877886b8ce4276bc3076abd9fbc9facaf6485d3bd2beff26b46da6f3780e461b6973bc1635f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat

Filesize
198B

MD5
01c7324ed06549df623d8d662ff5fecf

SHA1
9e28df632353b543df41ca71c2a4255682d3d533

SHA256
62bd23d01f46107d6b9d70b8a6df4b37339ff9f48850ecd24dc6da02526ca367

SHA512
63b16e2c876b6e520c9d3f1a54b140864db21591462a4fba0d33803d0542a77288f6f5a1cfccc2ad8762e67213a80633482332bab4794233d44a64c736539575

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j1f5h3tf.z5x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat

Filesize
198B

MD5
925cae752113fe2a5821cb3ba733aed8

SHA1
b80ecb6e744fcbce0515254656ebca23eb098880

SHA256
fcd2b0f89b62bf7e24d2b2b458c8aca97bc396a5eca253a4db6cfd9adb8d0b0f

SHA512
5cf13fe85b23980274b5d131228b001fd2831ffb428edc91f8b294e01e370b0a9d05346292d8106bd362d6ece17cf64839703e0ecbce55e8afdc3ecb1a4a2832

Download Submit
C:\Users\Admin\AppData\Local\Temp\peQnm3nkJb.bat

Filesize
198B

MD5
43f0b1514415d23657aa1847fb37abe4

SHA1
40fee1b5b315fae84e465e02036a15ec65ac2665

SHA256
401af0594e0b9689ca0c1ed592ff53530029889af6d8598ef1c1605828907b8f

SHA512
c2d9add08aed175403a3c071fea3e979cbd2ab028bfd394ec9cd781200cb2bf0307c7ddad2954cc9f43c867d55dc543b519f514e8becbdb65b35a2ad7b4027d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\yWf31kVUUl.bat

Filesize
198B

MD5
d281755ae211af7e7b733e4bf552c023

SHA1
c8e0f9b1fcc7d55338ebd79e44a43d8cec51e10d

SHA256
a51e7c3459786120c2a8b86bf3d48e308a3b289648d19b0e52a41b7f5fbc0cce

SHA512
dcad6e5e74c4185fe1dd4781665f237659f2409f514f0e6a5f97eec7d81c616b9f435b849ea7455cfeb4d47610592132e0d27773ffe8d1a7118025757e3a74c3

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1584-170-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/1692-186-0x0000000002AE0000-0x0000000002AF2000-memory.dmp

Filesize
72KB

Download
memory/2576-199-0x0000000002AD0000-0x0000000002AE2000-memory.dmp

Filesize
72KB

Download
memory/3672-183-0x000000001BE60000-0x000000001C009000-memory.dmp

Filesize
1.7MB

Download
memory/4228-16-0x000000001AC90000-0x000000001AC9C000-memory.dmp

Filesize
48KB

Download
memory/4228-15-0x000000001AC80000-0x000000001AC8C000-memory.dmp

Filesize
48KB

Download
memory/4228-14-0x00000000021E0000-0x00000000021F2000-memory.dmp

Filesize
72KB

Download
memory/4228-13-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download
memory/4228-12-0x00007FF91E663000-0x00007FF91E665000-memory.dmp

Filesize
8KB

Download
memory/4228-17-0x000000001ACA0000-0x000000001ACAC000-memory.dmp

Filesize
48KB

Download
memory/4588-242-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/4952-52-0x0000019C67550000-0x0000019C67572000-memory.dmp

Filesize
136KB

Download