dcrat | 4a7f68e1d5c445646276b453a73303209f6aa3d141eb97ca96a03ada12f1864a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4a7f68e1d5c445646276b453a73303209f6aa3d141eb97ca96a03ada12f1864a.exe
Size

1.3MB
MD5

708dd81195aa21dab187893af9951b3d
SHA1

72f5126c70acbdb45127e61e95ef857446bef02e
SHA256

4a7f68e1d5c445646276b453a73303209f6aa3d141eb97ca96a03ada12f1864a
SHA512

29905786477ba9a05af2f25fe272c4e7f74273e502055ba599bac16d39d6327c13cac82837468c29a2f378ebe195d22661453a0405ce66f0baabeea11a142c12
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	1436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	1436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	1436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	1436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	1436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	1436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	1436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	1436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	1436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	1436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	1436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3104	1436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	1436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	1436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	1436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	1436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	1436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	1436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	1436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3516	1436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	1436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	1436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	1436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	1436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	1436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	1436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	1436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	1436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	1436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	1436	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c82-10.dat	dcrat
behavioral2/memory/2484-13-0x00000000002F0000-0x0000000000400000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2856	powershell.exe
5100	powershell.exe
4220	powershell.exe
2440	powershell.exe
2876	powershell.exe
984	powershell.exe
4980	powershell.exe
1464	powershell.exe
404	powershell.exe
1424	powershell.exe
2352	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	JaffaCakes118_4a7f68e1d5c445646276b453a73303209f6aa3d141eb97ca96a03ada12f1864a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 14 IoCs

pid	Process
2484	DllCommonsvc.exe
1360	csrss.exe
2208	csrss.exe
3628	csrss.exe
3976	csrss.exe
880	csrss.exe
2208	csrss.exe
2372	csrss.exe
2920	csrss.exe
2532	csrss.exe
5052	csrss.exe
4256	csrss.exe
4780	csrss.exe
4184	csrss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
58	raw.githubusercontent.com
44	raw.githubusercontent.com
57	raw.githubusercontent.com
59	raw.githubusercontent.com
15	raw.githubusercontent.com
16	raw.githubusercontent.com
29	raw.githubusercontent.com
38	raw.githubusercontent.com
18	raw.githubusercontent.com
49	raw.githubusercontent.com
61	raw.githubusercontent.com
48	raw.githubusercontent.com
53	raw.githubusercontent.com
60	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\StartMenuExperienceHost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\55b276f4edf653	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\LanguageOverlayCache\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\de-DE\cmd.exe	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\de-DE\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Windows\Cursors\services.exe	DllCommonsvc.exe
File created	C:\Windows\Cursors\c5b4cb5e9653cc	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4a7f68e1d5c445646276b453a73303209f6aa3d141eb97ca96a03ada12f1864a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	JaffaCakes118_4a7f68e1d5c445646276b453a73303209f6aa3d141eb97ca96a03ada12f1864a.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
220	schtasks.exe
4548	schtasks.exe
2424	schtasks.exe
3040	schtasks.exe
4244	schtasks.exe
5084	schtasks.exe
2532	schtasks.exe
3604	schtasks.exe
3516	schtasks.exe
4796	schtasks.exe
4492	schtasks.exe
3676	schtasks.exe
3480	schtasks.exe
4444	schtasks.exe
552	schtasks.exe
4396	schtasks.exe
468	schtasks.exe
116	schtasks.exe
4700	schtasks.exe
1004	schtasks.exe
3104	schtasks.exe
2448	schtasks.exe
2296	schtasks.exe
2120	schtasks.exe
4892	schtasks.exe
3968	schtasks.exe
1560	schtasks.exe
4900	schtasks.exe
2576	schtasks.exe
2548	schtasks.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
2484	DllCommonsvc.exe
2484	DllCommonsvc.exe
2484	DllCommonsvc.exe
2484	DllCommonsvc.exe
2484	DllCommonsvc.exe
2484	DllCommonsvc.exe
2484	DllCommonsvc.exe
2484	DllCommonsvc.exe
2484	DllCommonsvc.exe
2484	DllCommonsvc.exe
2484	DllCommonsvc.exe
4220	powershell.exe
4220	powershell.exe
2856	powershell.exe
2856	powershell.exe
2876	powershell.exe
2876	powershell.exe
1464	powershell.exe
1464	powershell.exe
5100	powershell.exe
5100	powershell.exe
1424	powershell.exe
1424	powershell.exe
404	powershell.exe
404	powershell.exe
2352	powershell.exe
2352	powershell.exe
4980	powershell.exe
4980	powershell.exe
2440	powershell.exe
2440	powershell.exe
2876	powershell.exe
984	powershell.exe
984	powershell.exe
1464	powershell.exe
1360	csrss.exe
1360	csrss.exe
4220	powershell.exe
4980	powershell.exe
2856	powershell.exe
5100	powershell.exe
1424	powershell.exe
2440	powershell.exe
2352	powershell.exe
404	powershell.exe
984	powershell.exe
2208	csrss.exe
3628	csrss.exe
3976	csrss.exe
880	csrss.exe
2208	csrss.exe
2372	csrss.exe
2920	csrss.exe
2532	csrss.exe
5052	csrss.exe
4256	csrss.exe
4780	csrss.exe
4184	csrss.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	DllCommonsvc.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	4220	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	5100	powershell.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeDebugPrivilege	1360	csrss.exe
Token: SeDebugPrivilege	2208	csrss.exe
Token: SeDebugPrivilege	3628	csrss.exe
Token: SeDebugPrivilege	3976	csrss.exe
Token: SeDebugPrivilege	880	csrss.exe
Token: SeDebugPrivilege	2208	csrss.exe
Token: SeDebugPrivilege	2372	csrss.exe
Token: SeDebugPrivilege	2920	csrss.exe
Token: SeDebugPrivilege	2532	csrss.exe
Token: SeDebugPrivilege	5052	csrss.exe
Token: SeDebugPrivilege	4256	csrss.exe
Token: SeDebugPrivilege	4780	csrss.exe
Token: SeDebugPrivilege	4184	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 2272	4836	JaffaCakes118_4a7f68e1d5c445646276b453a73303209f6aa3d141eb97ca96a03ada12f1864a.exe	83
PID 4836 wrote to memory of 2272	4836	JaffaCakes118_4a7f68e1d5c445646276b453a73303209f6aa3d141eb97ca96a03ada12f1864a.exe	83
PID 4836 wrote to memory of 2272	4836	JaffaCakes118_4a7f68e1d5c445646276b453a73303209f6aa3d141eb97ca96a03ada12f1864a.exe	83
PID 2272 wrote to memory of 2368	2272	WScript.exe	85
PID 2272 wrote to memory of 2368	2272	WScript.exe	85
PID 2272 wrote to memory of 2368	2272	WScript.exe	85
PID 2368 wrote to memory of 2484	2368	cmd.exe	87
PID 2368 wrote to memory of 2484	2368	cmd.exe	87
PID 2484 wrote to memory of 984	2484	DllCommonsvc.exe	120
PID 2484 wrote to memory of 984	2484	DllCommonsvc.exe	120
PID 2484 wrote to memory of 2856	2484	DllCommonsvc.exe	121
PID 2484 wrote to memory of 2856	2484	DllCommonsvc.exe	121
PID 2484 wrote to memory of 4980	2484	DllCommonsvc.exe	122
PID 2484 wrote to memory of 4980	2484	DllCommonsvc.exe	122
PID 2484 wrote to memory of 1464	2484	DllCommonsvc.exe	123
PID 2484 wrote to memory of 1464	2484	DllCommonsvc.exe	123
PID 2484 wrote to memory of 404	2484	DllCommonsvc.exe	124
PID 2484 wrote to memory of 404	2484	DllCommonsvc.exe	124
PID 2484 wrote to memory of 2440	2484	DllCommonsvc.exe	125
PID 2484 wrote to memory of 2440	2484	DllCommonsvc.exe	125
PID 2484 wrote to memory of 4220	2484	DllCommonsvc.exe	126
PID 2484 wrote to memory of 4220	2484	DllCommonsvc.exe	126
PID 2484 wrote to memory of 2876	2484	DllCommonsvc.exe	127
PID 2484 wrote to memory of 2876	2484	DllCommonsvc.exe	127
PID 2484 wrote to memory of 2352	2484	DllCommonsvc.exe	128
PID 2484 wrote to memory of 2352	2484	DllCommonsvc.exe	128
PID 2484 wrote to memory of 1424	2484	DllCommonsvc.exe	129
PID 2484 wrote to memory of 1424	2484	DllCommonsvc.exe	129
PID 2484 wrote to memory of 5100	2484	DllCommonsvc.exe	131
PID 2484 wrote to memory of 5100	2484	DllCommonsvc.exe	131
PID 2484 wrote to memory of 1360	2484	DllCommonsvc.exe	141
PID 2484 wrote to memory of 1360	2484	DllCommonsvc.exe	141
PID 1360 wrote to memory of 952	1360	csrss.exe	144
PID 1360 wrote to memory of 952	1360	csrss.exe	144
PID 952 wrote to memory of 768	952	cmd.exe	146
PID 952 wrote to memory of 768	952	cmd.exe	146
PID 952 wrote to memory of 2208	952	cmd.exe	148
PID 952 wrote to memory of 2208	952	cmd.exe	148
PID 2208 wrote to memory of 3840	2208	csrss.exe	150
PID 2208 wrote to memory of 3840	2208	csrss.exe	150
PID 3840 wrote to memory of 3804	3840	cmd.exe	152
PID 3840 wrote to memory of 3804	3840	cmd.exe	152
PID 3840 wrote to memory of 3628	3840	cmd.exe	154
PID 3840 wrote to memory of 3628	3840	cmd.exe	154
PID 3628 wrote to memory of 920	3628	csrss.exe	158
PID 3628 wrote to memory of 920	3628	csrss.exe	158
PID 920 wrote to memory of 2920	920	cmd.exe	160
PID 920 wrote to memory of 2920	920	cmd.exe	160
PID 920 wrote to memory of 3976	920	cmd.exe	167
PID 920 wrote to memory of 3976	920	cmd.exe	167
PID 3976 wrote to memory of 3620	3976	csrss.exe	175
PID 3976 wrote to memory of 3620	3976	csrss.exe	175
PID 3620 wrote to memory of 1716	3620	cmd.exe	177
PID 3620 wrote to memory of 1716	3620	cmd.exe	177
PID 3620 wrote to memory of 880	3620	cmd.exe	179
PID 3620 wrote to memory of 880	3620	cmd.exe	179
PID 880 wrote to memory of 4820	880	csrss.exe	181
PID 880 wrote to memory of 4820	880	csrss.exe	181
PID 4820 wrote to memory of 2620	4820	cmd.exe	183
PID 4820 wrote to memory of 2620	4820	cmd.exe	183
PID 4820 wrote to memory of 2208	4820	cmd.exe	186
PID 4820 wrote to memory of 2208	4820	cmd.exe	186
PID 2208 wrote to memory of 3140	2208	csrss.exe	188
PID 2208 wrote to memory of 3140	2208	csrss.exe	188

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4a7f68e1d5c445646276b453a73303209f6aa3d141eb97ca96a03ada12f1864a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4a7f68e1d5c445646276b453a73303209f6aa3d141eb97ca96a03ada12f1864a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:404
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\de-DE\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\StartMenuExperienceHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5100
    - - C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1360
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:768
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3804
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2920
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1716
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2620
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat"
        16⤵
        
        PID:3140
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:536
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GX2kvMhQbI.bat"
        18⤵
        
        PID:3388
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:928
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z9xTb8lNHs.bat"
        20⤵
        
        PID:2016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4812
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat"
        22⤵
        
        PID:2104
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3008
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat"
        24⤵
        
        PID:2224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:948
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat"
        26⤵
        
        PID:2260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2112
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHuJ4aKJis.bat"
        28⤵
        
        PID:1612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:3928
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nl6pt1R060.bat"
        30⤵
        
        PID:3712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Application Data\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Application Data\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\PolicyDefinitions\de-DE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\de-DE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\PolicyDefinitions\de-DE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Cursors\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\Cursors\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat

Filesize
196B

MD5
c221b1aade7e3e2843793b069dc85921

SHA1
de8801d3817c468f28c9f4b9c2b8e56e0ca7371b

SHA256
f70ccca31a861730b6a0bf9ed972a5190eff7d8409d4d2b6257fecbc3cb69855

SHA512
b2d758654e1c4c78f3cd04ef9380351dd22bab4eb55d1a4a5044676f9d562f1173777f08f570e3c7c0a3b10758213aa3c3feaf0a48b7621fdfabaee423bd0d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\GX2kvMhQbI.bat

Filesize
196B

MD5
b03fc34a5326729ae03d89694490e944

SHA1
95841468106e3c3263c2079682d91ba74f11c4b4

SHA256
ba4c374e0e53ef70fdd52bbf982ee696e5acbca1e0bc6e31989137a51e6ad49e

SHA512
84f7486ea5ca8d8dd2e1a7c3f2f333a5c8ef9673911a5addc3a480e978b4eab7c5b11b1e14458bf28eb1e758c56283f9e9201a3e546bb0d7f1c5dfc295c3533a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nl6pt1R060.bat

Filesize
196B

MD5
ed91c83325560622e015f794f6f34637

SHA1
e6b353b322d00e90790496eed0233279a1fd7ab3

SHA256
e443bb7c63a5cda35a4cb0edc36e58c7554105e88ff675586a6f42f27c799bbc

SHA512
4bac82fd6297e023109b03743b266564ebfaa20106424ee782617a35c440d10cb094a4290e3b032dbf82c1c083f67224e199b05a1d67b1c8ad1c58680063fc5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat

Filesize
196B

MD5
31a5e3e0ca4c1a51224a41ea8b5e2191

SHA1
e3109a2e83ae91a94175720667c43b56011af549

SHA256
3f413ed66915aae98901cefc3208c7c634f6ab0d8c7ae19c7a4979d16dca38af

SHA512
0b907f8d6ecf42d5ab6155ff4387d0d517e87d15c2ae82e46739fd6820c46a68c222674443a4dd5d24b20845cd8a8e556ee1c9462d195590f84433045edb6069

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat

Filesize
196B

MD5
f5c45452ad12fdeb44124b6ec9c94c54

SHA1
7b015c1685fe3b9d48622159ba0f18e6f1f3ff16

SHA256
ef5412d39d4ea07af4da6206ca8bb7428f93cc245c4f0dd6aaebbb0257245812

SHA512
1c253c727aa540093c2b9b2a3f072cedf5fc4af2025a6755f9a2084a508b48a757122536c6eec050841e3d7064310aae226af2b3ad9a9072cbb0f43908559233

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat

Filesize
196B

MD5
d45e1ef9fd875218d3bd5f4036de9ffa

SHA1
c14eafc326e300a876cc8c1a02b554a398880687

SHA256
2a8775aa294c34d2c9e65e1a56bdd8a7615715d27c84e5a3c4e31fb6be0bf84b

SHA512
68b1e22e29d0d5c21325213c08f82ca7aa5bfb0bdd622b2a5896f4cce92c98a134c2196a1f15630db9dcd195b0eb8f47bc68c5a982224b24f5f06c8be75a20b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x40fmbew.0ux.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat

Filesize
196B

MD5
aeedb26c462e82e614317f98fe15550d

SHA1
fc65efd532e3293fc9ca70a0a5cb01d6e769f0fe

SHA256
56a77e05bcb7e19159b5f621b3475e27ca868c7410833aaba1f5d8fa347592b5

SHA512
bdd3f1cd1d9b0d480545ca115756cf633387981bf56f99c3bb645bd72f61983501a60424663fe4dd1385f2ca30292bc3005359520709128380ec40e31d3bd88b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat

Filesize
196B

MD5
395619de2302f4575c7b7f83644e98fd

SHA1
8a28fe9c25d42bff6beadd2ed82ecea8090fee19

SHA256
208b042707cf2deb575a75b3a7f0bf6202eb00093c11e4ce44f7a747fc85dd3f

SHA512
996cf413876eca8178ad06105035e95ce1109a6c0b376fb23c3a4359f34ab22ebcdfc0f035783f5f1d807c2e0f8c06cf1c84ad2d0494c6639ddaf87e2ea771c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\lHuJ4aKJis.bat

Filesize
196B

MD5
4243c4fa2891e064fb3653f428067217

SHA1
eb6974a2af7237874e3aeb3986c2e49e1eee3608

SHA256
3a7417362e5e74a7e6f16539a6e0de372b5a11907a076a7a9d85a37b27160211

SHA512
624bd63fd21df7be6c65d78a6a3d23c883cee18c91628473ab8e64df3fdbe64bb439db5c3f77caf7dfa97883c6ef36a2e6550a53809a547290a8c3738a4c8019

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat

Filesize
196B

MD5
7c3c0636f6200e572f33d09b6cce6582

SHA1
100753a10b5d0635e4dfbcb8f8c16bb1d73c6577

SHA256
81f6226a440884e29faebde1f915eccf2d4ccf10c7600621645cdfbe3ede64e5

SHA512
c36b4f33f4ace3931fac0df737949a9f86aaa0038553ab11436bfa105e05caefa3d9e2c32ac38fda029c00a7a9963b2edb4f699e5b2eb415a376a169a2465fc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat

Filesize
196B

MD5
3cfccacdbd47f424c03b9458fd5a8dc4

SHA1
900618def89287d108602402de5b8ff853c939d2

SHA256
1f42b459674d776fa03fcef4f8e6ca1aaacbbf80fc83d1708879d30ec5c17da4

SHA512
ee2404114a56414ae6471c1661c8657750fd464e7a3f73a6460b515c8876801d2295069a886ecfacca1555135229589e7845570ec7f687a269274503deeb4916

Download Submit
C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat

Filesize
196B

MD5
e0b7560f0cbf09fc4e62966b6f5e259f

SHA1
d04f0f7b92869adbe3d2ec0cb1c783ffa055593c

SHA256
f4ab9c4458da3b5ddb3a7308253ce3691bfc208d56cc991f2737847d9a91f426

SHA512
bdbff065296a01375b72ec744a94511125016db90982750bcfefe296fde424af7d1b3984317c03a5663ce374a9bf6efc5359d85b3aa3c406168f11ae7983fd07

Download Submit
C:\Users\Admin\AppData\Local\Temp\z9xTb8lNHs.bat

Filesize
196B

MD5
5799a58e21f19f1a6098a9538a78da6c

SHA1
7321a686d93596fa85b49f1c8dd1dd134248c40b

SHA256
a1933bc8fa428d25ebe28967290cb2bedb0c95375b61c1ed504b532f6e2e056b

SHA512
1ebfde03266639f31bcc1347cefef031bb4fb4fc9c36e18aaf82efe0aab4596a62905b57a76f90e9120df88bfdc5ae5181b9a5ad7dcb5fc881dee38455bf20fa

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1360-149-0x000000001C550000-0x000000001C562000-memory.dmp

Filesize
72KB

Download
memory/2372-211-0x000000001B7F0000-0x000000001B802000-memory.dmp

Filesize
72KB

Download
memory/2484-17-0x000000001B740000-0x000000001B74C000-memory.dmp

Filesize
48KB

Download
memory/2484-16-0x000000001AFD0000-0x000000001AFDC000-memory.dmp

Filesize
48KB

Download
memory/2484-15-0x000000001AFC0000-0x000000001AFCC000-memory.dmp

Filesize
48KB

Download
memory/2484-14-0x0000000000C20000-0x0000000000C32000-memory.dmp

Filesize
72KB

Download
memory/2484-13-0x00000000002F0000-0x0000000000400000-memory.dmp

Filesize
1.1MB

Download
memory/2484-12-0x00007FFB75A53000-0x00007FFB75A55000-memory.dmp

Filesize
8KB

Download
memory/2532-224-0x000000001B9F0000-0x000000001BA02000-memory.dmp

Filesize
72KB

Download
memory/4184-250-0x000000001B5F0000-0x000000001B602000-memory.dmp

Filesize
72KB

Download
memory/4220-54-0x0000023569CA0000-0x0000023569CC2000-memory.dmp

Filesize
136KB

Download
memory/4256-237-0x000000001B5F0000-0x000000001B602000-memory.dmp

Filesize
72KB

Download