dcrat | e1c89ab7e7ecf7e81e8f15c1b67c45faa8ee7e7b464c01377c3e4e37151e1792

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e1c89ab7e7ecf7e81e8f15c1b67c45faa8ee7e7b464c01377c3e4e37151e1792.exe
Size

1.3MB
MD5

a936cdd9e83bd405c19db9ace56916df
SHA1

c0a5fa8b3d88b1c91d3f3e2aa8446a0aa07cd239
SHA256

e1c89ab7e7ecf7e81e8f15c1b67c45faa8ee7e7b464c01377c3e4e37151e1792
SHA512

a2e12ede28d69595c436f7642c8024a907cfe9aa9e8a8ad8116469088cdfb2e2ca328f1f50e090e5a877447ea9c20297c38a25a1338690115620f7003bb78554
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2840	schtasks.exe	35

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000173b2-9.dat	dcrat
behavioral1/memory/2272-13-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/2864-123-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/1456-182-0x0000000001090000-0x00000000011A0000-memory.dmp	dcrat
behavioral1/memory/1016-301-0x00000000001A0000-0x00000000002B0000-memory.dmp	dcrat
behavioral1/memory/1600-362-0x0000000001020000-0x0000000001130000-memory.dmp	dcrat
behavioral1/memory/2360-481-0x00000000010B0000-0x00000000011C0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2340	powershell.exe
768	powershell.exe
1016	powershell.exe
2060	powershell.exe
352	powershell.exe
2968	powershell.exe
1456	powershell.exe
1580	powershell.exe
1280	powershell.exe
676	powershell.exe
3008	powershell.exe
2424	powershell.exe
1596	powershell.exe
2996	powershell.exe
892	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2272	DllCommonsvc.exe
2864	winlogon.exe
1456	winlogon.exe
1488	winlogon.exe
1016	winlogon.exe
1600	winlogon.exe
2704	winlogon.exe
2360	winlogon.exe
916	winlogon.exe
376	winlogon.exe
2340	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
848	cmd.exe
848	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
20	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
17	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
5	raw.githubusercontent.com
36	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\es-ES\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\es-ES\f3b6ecef712a24	DllCommonsvc.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Media\Delta\24dbde2999530e	DllCommonsvc.exe
File created	C:\Windows\Cursors\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\Cursors\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\servicing\GC64\smss.exe	DllCommonsvc.exe
File created	C:\Windows\de-DE\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\de-DE\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Windows\Media\Delta\WmiPrvSE.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e1c89ab7e7ecf7e81e8f15c1b67c45faa8ee7e7b464c01377c3e4e37151e1792.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
916	schtasks.exe
572	schtasks.exe
2572	schtasks.exe
2636	schtasks.exe
2776	schtasks.exe
2924	schtasks.exe
1464	schtasks.exe
1656	schtasks.exe
2780	schtasks.exe
708	schtasks.exe
1524	schtasks.exe
1960	schtasks.exe
2820	schtasks.exe
3044	schtasks.exe
1276	schtasks.exe
2524	schtasks.exe
1444	schtasks.exe
348	schtasks.exe
2832	schtasks.exe
1800	schtasks.exe
2280	schtasks.exe
688	schtasks.exe
1708	schtasks.exe
2124	schtasks.exe
2916	schtasks.exe
2792	schtasks.exe
2892	schtasks.exe
712	schtasks.exe
2000	schtasks.exe
1848	schtasks.exe
3032	schtasks.exe
2112	schtasks.exe
2908	schtasks.exe
2212	schtasks.exe
2308	schtasks.exe
1512	schtasks.exe
1684	schtasks.exe
2328	schtasks.exe
1700	schtasks.exe
2456	schtasks.exe
1200	schtasks.exe
1748	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2272	DllCommonsvc.exe
2272	DllCommonsvc.exe
2272	DllCommonsvc.exe
1456	powershell.exe
2424	powershell.exe
2968	powershell.exe
2060	powershell.exe
352	powershell.exe
676	powershell.exe
1596	powershell.exe
1016	powershell.exe
3008	powershell.exe
892	powershell.exe
768	powershell.exe
1280	powershell.exe
2340	powershell.exe
1580	powershell.exe
2864	winlogon.exe
1456	winlogon.exe
1488	winlogon.exe
1016	winlogon.exe
1600	winlogon.exe
2704	winlogon.exe
2360	winlogon.exe
916	winlogon.exe
376	winlogon.exe
2340	winlogon.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2272	DllCommonsvc.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	352	powershell.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	2864	winlogon.exe
Token: SeDebugPrivilege	1456	winlogon.exe
Token: SeDebugPrivilege	1488	winlogon.exe
Token: SeDebugPrivilege	1016	winlogon.exe
Token: SeDebugPrivilege	1600	winlogon.exe
Token: SeDebugPrivilege	2704	winlogon.exe
Token: SeDebugPrivilege	2360	winlogon.exe
Token: SeDebugPrivilege	916	winlogon.exe
Token: SeDebugPrivilege	376	winlogon.exe
Token: SeDebugPrivilege	2340	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 1664	1852	JaffaCakes118_e1c89ab7e7ecf7e81e8f15c1b67c45faa8ee7e7b464c01377c3e4e37151e1792.exe	31
PID 1852 wrote to memory of 1664	1852	JaffaCakes118_e1c89ab7e7ecf7e81e8f15c1b67c45faa8ee7e7b464c01377c3e4e37151e1792.exe	31
PID 1852 wrote to memory of 1664	1852	JaffaCakes118_e1c89ab7e7ecf7e81e8f15c1b67c45faa8ee7e7b464c01377c3e4e37151e1792.exe	31
PID 1852 wrote to memory of 1664	1852	JaffaCakes118_e1c89ab7e7ecf7e81e8f15c1b67c45faa8ee7e7b464c01377c3e4e37151e1792.exe	31
PID 1664 wrote to memory of 848	1664	WScript.exe	32
PID 1664 wrote to memory of 848	1664	WScript.exe	32
PID 1664 wrote to memory of 848	1664	WScript.exe	32
PID 1664 wrote to memory of 848	1664	WScript.exe	32
PID 848 wrote to memory of 2272	848	cmd.exe	34
PID 848 wrote to memory of 2272	848	cmd.exe	34
PID 848 wrote to memory of 2272	848	cmd.exe	34
PID 848 wrote to memory of 2272	848	cmd.exe	34
PID 2272 wrote to memory of 2968	2272	DllCommonsvc.exe	78
PID 2272 wrote to memory of 2968	2272	DllCommonsvc.exe	78
PID 2272 wrote to memory of 2968	2272	DllCommonsvc.exe	78
PID 2272 wrote to memory of 2424	2272	DllCommonsvc.exe	79
PID 2272 wrote to memory of 2424	2272	DllCommonsvc.exe	79
PID 2272 wrote to memory of 2424	2272	DllCommonsvc.exe	79
PID 2272 wrote to memory of 2340	2272	DllCommonsvc.exe	80
PID 2272 wrote to memory of 2340	2272	DllCommonsvc.exe	80
PID 2272 wrote to memory of 2340	2272	DllCommonsvc.exe	80
PID 2272 wrote to memory of 1596	2272	DllCommonsvc.exe	82
PID 2272 wrote to memory of 1596	2272	DllCommonsvc.exe	82
PID 2272 wrote to memory of 1596	2272	DllCommonsvc.exe	82
PID 2272 wrote to memory of 1456	2272	DllCommonsvc.exe	83
PID 2272 wrote to memory of 1456	2272	DllCommonsvc.exe	83
PID 2272 wrote to memory of 1456	2272	DllCommonsvc.exe	83
PID 2272 wrote to memory of 352	2272	DllCommonsvc.exe	84
PID 2272 wrote to memory of 352	2272	DllCommonsvc.exe	84
PID 2272 wrote to memory of 352	2272	DllCommonsvc.exe	84
PID 2272 wrote to memory of 3008	2272	DllCommonsvc.exe	86
PID 2272 wrote to memory of 3008	2272	DllCommonsvc.exe	86
PID 2272 wrote to memory of 3008	2272	DllCommonsvc.exe	86
PID 2272 wrote to memory of 1016	2272	DllCommonsvc.exe	87
PID 2272 wrote to memory of 1016	2272	DllCommonsvc.exe	87
PID 2272 wrote to memory of 1016	2272	DllCommonsvc.exe	87
PID 2272 wrote to memory of 892	2272	DllCommonsvc.exe	88
PID 2272 wrote to memory of 892	2272	DllCommonsvc.exe	88
PID 2272 wrote to memory of 892	2272	DllCommonsvc.exe	88
PID 2272 wrote to memory of 1580	2272	DllCommonsvc.exe	90
PID 2272 wrote to memory of 1580	2272	DllCommonsvc.exe	90
PID 2272 wrote to memory of 1580	2272	DllCommonsvc.exe	90
PID 2272 wrote to memory of 676	2272	DllCommonsvc.exe	91
PID 2272 wrote to memory of 676	2272	DllCommonsvc.exe	91
PID 2272 wrote to memory of 676	2272	DllCommonsvc.exe	91
PID 2272 wrote to memory of 1280	2272	DllCommonsvc.exe	92
PID 2272 wrote to memory of 1280	2272	DllCommonsvc.exe	92
PID 2272 wrote to memory of 1280	2272	DllCommonsvc.exe	92
PID 2272 wrote to memory of 2060	2272	DllCommonsvc.exe	93
PID 2272 wrote to memory of 2060	2272	DllCommonsvc.exe	93
PID 2272 wrote to memory of 2060	2272	DllCommonsvc.exe	93
PID 2272 wrote to memory of 768	2272	DllCommonsvc.exe	94
PID 2272 wrote to memory of 768	2272	DllCommonsvc.exe	94
PID 2272 wrote to memory of 768	2272	DllCommonsvc.exe	94
PID 2272 wrote to memory of 2996	2272	DllCommonsvc.exe	96
PID 2272 wrote to memory of 2996	2272	DllCommonsvc.exe	96
PID 2272 wrote to memory of 2996	2272	DllCommonsvc.exe	96
PID 2272 wrote to memory of 1664	2272	DllCommonsvc.exe	108
PID 2272 wrote to memory of 1664	2272	DllCommonsvc.exe	108
PID 2272 wrote to memory of 1664	2272	DllCommonsvc.exe	108
PID 1664 wrote to memory of 576	1664	cmd.exe	110
PID 1664 wrote to memory of 576	1664	cmd.exe	110
PID 1664 wrote to memory of 576	1664	cmd.exe	110
PID 1664 wrote to memory of 2864	1664	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e1c89ab7e7ecf7e81e8f15c1b67c45faa8ee7e7b464c01377c3e4e37151e1792.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e1c89ab7e7ecf7e81e8f15c1b67c45faa8ee7e7b464c01377c3e4e37151e1792.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\es-ES\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Delta\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2996
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aBpECK9RVv.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1664
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:576
      - C:\providercommon\winlogon.exe
        
        "C:\providercommon\winlogon.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat"
        7⤵
        
        PID:2560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2996
        
        C:\providercommon\winlogon.exe
        
        "C:\providercommon\winlogon.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat"
        9⤵
        
        PID:2328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2424
        
        C:\providercommon\winlogon.exe
        
        "C:\providercommon\winlogon.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X8VSEkwS9E.bat"
        11⤵
        
        PID:2360
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2288
        
        C:\providercommon\winlogon.exe
        
        "C:\providercommon\winlogon.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gJVLZ7RDs3.bat"
        13⤵
        
        PID:1784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:608
        
        C:\providercommon\winlogon.exe
        
        "C:\providercommon\winlogon.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat"
        15⤵
        
        PID:2236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:380
        
        C:\providercommon\winlogon.exe
        
        "C:\providercommon\winlogon.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat"
        17⤵
        
        PID:2776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2808
        
        C:\providercommon\winlogon.exe
        
        "C:\providercommon\winlogon.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat"
        19⤵
        
        PID:2136
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2816
        
        C:\providercommon\winlogon.exe
        
        "C:\providercommon\winlogon.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\y17QM3q8Rw.bat"
        21⤵
        
        PID:1592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2684
        
        C:\providercommon\winlogon.exe
        
        "C:\providercommon\winlogon.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat"
        23⤵
        
        PID:2444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3044
        
        C:\providercommon\winlogon.exe
        
        "C:\providercommon\winlogon.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FFH8oguQ3d.bat"
        25⤵
        
        PID:1464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\Cursors\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Cursors\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\Sample Pictures\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\Sample Pictures\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\es-ES\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Local Settings\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Local Settings\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\de-DE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\de-DE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\Media\Delta\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Media\Delta\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\Media\Delta\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f615d60cb29ed3e031ae44ac7ee54fdd

SHA1
d5c256ac227100045deb0210d46107b4184d51db

SHA256
797d7f0168f74efdab3eb17cc64588aaf7c1562d85eee625293e84e0f1fe7200

SHA512
f8819214828e65e2dd222bd4fde981b96e622a718e81aba0356a50e5afffe463788abb9f76fa936ef317c55da2eed3314027e271f3651997852e25bd3f79fa9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c925f66e0b89985d4914965123c27e2c

SHA1
18f18afae20d43085db087abdc23d4d5dc05dac2

SHA256
39f8ef5da5edcdd7bdcbea8cd8b95be77b12901c8365ac5ba215d88799d09472

SHA512
c74fd297e5d289318326301cfa3b7d0220c986835c88e2a828e4797994945dbe4fa2721a321f5735683efd6e2f3b37cbe49695374edfa2463c6a9814ef563abf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21810583fbb7f09cd5f4e7f5315b81f1

SHA1
8ab97cd547c0a758dd72c9d707cd8889948ce8b6

SHA256
bbf7e1c8805c90876b2d781ee455094da5e2fa253fe722b13a28599927a32523

SHA512
42dc806829beafe6078f9bc89d1c7b161cab48919e84708082604274afc3c4b18da6d00645d50188231b83e0c55637941027737e72182c7a0268ccb88cc448cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6696224d24a70adfee6ef4bee1167460

SHA1
783320bc4e5684ad37a1b31b4ff9c7a2596bae3d

SHA256
572ef8e4bc0ad40f7128b438ea49ee66d624d9e1ab8ba8430c451b70cb7d612d

SHA512
a7e0675839f8981acb19ac0d943fb759a3866e0ae6aba8a4be5d345580cce4bfd190694abf4b3ede9af432270f34f801c525bc155f1a15ab6a40c3b1eb454a4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee303b9379807d90d2062b32786764e5

SHA1
22b5516e80db7f85b48315c0144563e3902e90e9

SHA256
f9f12997f4653b7b038bbc6e2eb07ad53ee4f7eac10fc6e261defaf9b6285258

SHA512
6688363ac4f8f07db85d616d69084c1cedd6343949ea5bc2cae957cd350c0d9bade854780f4f6b98b1807900fee5424e6a08a3bb0d7e69469df9ade33f7f4300

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
548f117664090b7f72ebdacb59680663

SHA1
e8dd4c90b941264704ef617b59f92bba3ceeb85e

SHA256
a5426c836086399e19b3a4c8e3373b74f798eb09fb20ae2b3463c10df848f216

SHA512
8d1911546c71ce35cc651e80e40e78ad775e2c8426c73504bdf7916e04d594f1126fd7d1d15cd62b3fdcc32da9f6d398570a5ff4a97f781b86d40abad450156a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d7da63fe27f60c05d64ca41148abf892

SHA1
ac790c18ffd3cbf321a61ddbe3ca95fb0e6669e3

SHA256
155b5dab8702c787b0c6d14a099096cb3bf530e90770076cb48b13b73628ef26

SHA512
2c67992a0846b539ad5d6871be089c11c43070166219a8cd773d910ff6fbd6a073b7fbf8a853916be786e8aec8ee16e4489407d7be544c77bf4af5678a4bb8f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe6e7b48ae824f4db7604943875fa667

SHA1
4ef79865333e8967a2045b019acd9547e82ce9c9

SHA256
3070b1ab7d99963dd3ea6270126a6206f111e17fc1a14763bf548edaac0bd57b

SHA512
8bfabfa739be0f79ed30c81754883c432cbc6bb131ddbe498a1be68af3a3ed326a493e727a14b8c00d94be5e3706f7973a05712a12786a34b15744ab993df6d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c10f02ea2a19acf6187f624701caaad6

SHA1
283df511a10d8e8724faabe13c163acc413f2804

SHA256
a688c390f6f1cd49ba33e2940894b3dff19bade7a7a06eba8318f4a6cef6d4bf

SHA512
555a45e76aa98df70241ea9cb2769fa654b473b02c8058c8ac4e9b742a1e5780aabe380784ba70d192e4523494537ea18081eb1e1679e2c2474f5e46424fb0d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat

Filesize
195B

MD5
1f5cbc64b470104cae2581823fb522d3

SHA1
c6ff5478b8ee82c63e02178331eb82780fd9b272

SHA256
900cb567f46edc8f7874978f99cc6291090ed7a3696e1452744b214fb57723eb

SHA512
39d75f7f06c8a15f1ab89f8ffe225590289463bfd415d9cf78471dbd61735ce869736eb6d19b479a9ad4e3df5371168a5b460ccac2dca3cefa12db27ac8af7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat

Filesize
195B

MD5
8bb31b85a426e01c96c83b8fa1b36dde

SHA1
654b684b5a815e5ad83942b3c9becab68294349c

SHA256
1a61f7ae62738629d66f9898d25df34d8e8ad70074bfbd17613ba0f456e95e9a

SHA512
32d475ffbeda2250760c16dfe0ad2798802c1a5a7f5bc31a8ae5009742b53a4148610e721520b4749eb87ba142c554ad18682c6741414c9a425a699ff9180974

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3593.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FFH8oguQ3d.bat

Filesize
195B

MD5
6f705f148408f421e214f3830f9afa1b

SHA1
cbd405df9a45bd954aec1f40711d2b1fce858f23

SHA256
5b595389b6c88f48c8292ac4272f889a169239c7061c8a0fa689494c486c5fbc

SHA512
cc783eb33c5ff8aff01616b84f4b6cff520c48798a2189d5571717b36bb3086c86af16c7e61852dd4b20cf4e70e743f4057f7832619d58a2df5a59ad1a97cf92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar35A6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat

Filesize
195B

MD5
b6fa7e75198747d69929a8b85deaa098

SHA1
ce50cd204767feb3ea572557b12fd013434a4ca4

SHA256
f8070f299b4cf4fa3f48b4b5bf3fb4727313c7cb3d35ca18b5a76fd02c8e9961

SHA512
366903c75c35c33c264761b1e0c111ef0afb5ffc1ef3ce96ad46752729e0c58c43e8b6a7080e57049f827ac0b72a511ef579c152ff37552e64b90699e3743617

Download Submit
C:\Users\Admin\AppData\Local\Temp\X8VSEkwS9E.bat

Filesize
195B

MD5
3b68c91dd439e2b23787a158c6dc6a89

SHA1
3a78016c4fa2fc1ad133a9536c88a74a2beaa664

SHA256
db480fe48b0e2709d5ad9d54e07d912fb3181b294955307896a385c266f6dc78

SHA512
b85ff9a1b9efb4dff6f80c6789f6454dc6d0b3273cf6616d77ecc9b4ba20ff6fd0bbe4675679fa48c6ebbbf571cd2ba5951799a71f964ba7497ff8b5635e3da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\aBpECK9RVv.bat

Filesize
195B

MD5
c856bd79812f2c0135db7a177e0ce52a

SHA1
287f0ff9cc8be696179c7a71e8709153bc0f193a

SHA256
667e0e27d8a34dcda12cf2a715801ff0f7dc32bf49db931bdc65f02dc0807618

SHA512
b459490de760bafc27af762745dec0ccdff237b805073e9d13228604b0f4750dccc9392c29640f1d190504ca610db1c855ffb70bf905e4055a349f0c5c7c98ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\gJVLZ7RDs3.bat

Filesize
195B

MD5
84e7d6bb4ee4778552b078745dae0f04

SHA1
c90b897264f51c80f1bc4e99365447f2927f60d4

SHA256
97902c9e80f5a3b76c2943099cca17443268f1fb3ab0c1ef5f95b2f596507ff2

SHA512
d3533b0eed45692ab5dd67ae9b77f2fa808f15f9a7dd2f630332423ebb470c724f85a462ce88b4af8e9008dc125efb979e51d05bec5512565428e70b71c2bdc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat

Filesize
195B

MD5
729cba48f861f0783a5b6310c9022965

SHA1
392b126654ec6d1d9ef295a40c7eec89c8a485a2

SHA256
7699cddb0219c1ccfa536851e63b3b8704c28a2081afcaa8252f3e59a725ce72

SHA512
9f8a8d5029a576ae1cbcde0eae6768c11a1b5b5daf89b3df3661ddf7db0671d4989822d6f905f3abeed6171e14c1a05a57fcc3885e19ab8c44d129df0b073379

Download Submit
C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat

Filesize
195B

MD5
aa96745d82b578b51495fc72d64b1bbf

SHA1
51ca619f8c892c73b6804bab2a8d350d0208db63

SHA256
3a9723ddd43ac1bed3ac3e3178afbcae608556ae21795ff922fa6a805e1bcd38

SHA512
dde5e0ff244b1c9df91e36eefd00cfc5b24112b1589e25e6a33ee3705138dbd931c3a7f6a4dc3aad168b1755963e9025530ddcbc87fed1492dca7a072325d5d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat

Filesize
195B

MD5
3b7f537be2c71414cd94275ae31d0c14

SHA1
a104ef994ef4e5493dfc31bbeae0c6d37e07977c

SHA256
b30b3c0f99f445bda91e3cfb5a9b0cf065d810c6cee1d9a5ba42a128533e648c

SHA512
611c629e1ba2dda01c1325f84f85848b885d73ee284890ba583b8ee71f1d6ceabf4714a28c266e00ab481996a19d549813cace83183f07ff63156414a84b4872

Download Submit
C:\Users\Admin\AppData\Local\Temp\y17QM3q8Rw.bat

Filesize
195B

MD5
3e91db964b046eed8a048d22e0b0b319

SHA1
30d897b80383f44c8fd7a55957221e4c20cb5101

SHA256
6b8d6c11b4bda4f1e882d4b50c26f8b0986211a28bab46b9d72899d4da0bfb1a

SHA512
048fb47c7480d5757c296d4aa43431e4f153d12d35fa5a186d60b7003e10491cf6657ef457bed12764073e83b0a1429040924cec51deab3a5d8dc2959a64234d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ODTM87TSZYJVH872HJXJ.temp

Filesize
7KB

MD5
1bbab7878e41c79b0cd9e435b87f2bd1

SHA1
33419d5b78fd1b39eb81bf9ec845b52394045820

SHA256
6cc3f8a03e44c9aec72a38fa3a851a0acbf4b03a85f76abf15453106785f99f3

SHA512
6aa49e09f125e70a5d73a3c27e74d78ff449a73bde35f01f05caee3f1cef678267001907153bad6348bcb5752b7708fb07e392936f0a7acf8dee38bf0e09d7db

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/376-600-0x00000000009F0000-0x0000000000A02000-memory.dmp

Filesize
72KB

Download
memory/1016-302-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1016-301-0x00000000001A0000-0x00000000002B0000-memory.dmp

Filesize
1.1MB

Download
memory/1456-95-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download
memory/1456-182-0x0000000001090000-0x00000000011A0000-memory.dmp

Filesize
1.1MB

Download
memory/1456-96-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/1600-362-0x0000000001020000-0x0000000001130000-memory.dmp

Filesize
1.1MB

Download
memory/2272-17-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2272-16-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2272-15-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2272-14-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2272-13-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/2360-481-0x00000000010B0000-0x00000000011C0000-memory.dmp

Filesize
1.1MB

Download
memory/2864-123-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download