dcrat | e9ed0e321cac9a46c533f2382508ff667f70b53316216aca6e3f17c2420fbe71

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e9ed0e321cac9a46c533f2382508ff667f70b53316216aca6e3f17c2420fbe71.exe
Size

1.3MB
MD5

ba54777b64adff82fbcb5b5a30a0ef79
SHA1

f6e839c15a6617b47e118ac63e8ba37d1ebc6d34
SHA256

e9ed0e321cac9a46c533f2382508ff667f70b53316216aca6e3f17c2420fbe71
SHA512

010ee92a3f8cb9e2fcd9afe16b537c1c920a22516730e242a091522317e7b9a84c2c12b6307f6bfa8492bf3c03527fefb3023564f0f449779421d235e2c779ea
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	2812	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2812	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016c62-10.dat	dcrat
behavioral1/memory/768-13-0x00000000009A0000-0x0000000000AB0000-memory.dmp	dcrat
behavioral1/memory/2052-50-0x0000000000870000-0x0000000000980000-memory.dmp	dcrat
behavioral1/memory/1760-180-0x0000000000340000-0x0000000000450000-memory.dmp	dcrat
behavioral1/memory/2756-240-0x0000000000920000-0x0000000000A30000-memory.dmp	dcrat
behavioral1/memory/2176-300-0x0000000000DD0000-0x0000000000EE0000-memory.dmp	dcrat
behavioral1/memory/1428-360-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/2696-420-0x0000000001290000-0x00000000013A0000-memory.dmp	dcrat
behavioral1/memory/1892-480-0x00000000012A0000-0x00000000013B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2340	powershell.exe
2224	powershell.exe
2188	powershell.exe
3048	powershell.exe
1532	powershell.exe
2104	powershell.exe
868	powershell.exe
2304	powershell.exe
968	powershell.exe
1100	powershell.exe
2544	powershell.exe
800	powershell.exe
2212	powershell.exe
2420	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
768	DllCommonsvc.exe
2052	DllCommonsvc.exe
1760	DllCommonsvc.exe
2756	DllCommonsvc.exe
2176	DllCommonsvc.exe
1428	DllCommonsvc.exe
2696	DllCommonsvc.exe
1892	DllCommonsvc.exe
1328	DllCommonsvc.exe
2112	DllCommonsvc.exe
1912	DllCommonsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2152	cmd.exe
2152	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com
12	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
18	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\it-IT\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\it-IT\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\dllhost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\5940a34987c991	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\schemas\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\schemas\5940a34987c991	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e9ed0e321cac9a46c533f2382508ff667f70b53316216aca6e3f17c2420fbe71.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2836	schtasks.exe
1728	schtasks.exe
1608	schtasks.exe
1912	schtasks.exe
1984	schtasks.exe
1412	schtasks.exe
2568	schtasks.exe
444	schtasks.exe
1648	schtasks.exe
920	schtasks.exe
2096	schtasks.exe
2520	schtasks.exe
1712	schtasks.exe
1292	schtasks.exe
1304	schtasks.exe
2656	schtasks.exe
1692	schtasks.exe
752	schtasks.exe
892	schtasks.exe
2828	schtasks.exe
1684	schtasks.exe
2008	schtasks.exe
1760	schtasks.exe
2428	schtasks.exe
1816	schtasks.exe
2228	schtasks.exe
2596	schtasks.exe
1088	schtasks.exe
1696	schtasks.exe
2668	schtasks.exe
2900	schtasks.exe
2368	schtasks.exe
2896	schtasks.exe
1632	schtasks.exe
1716	schtasks.exe
2884	schtasks.exe
2720	schtasks.exe
2012	schtasks.exe
1424	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
768	DllCommonsvc.exe
768	DllCommonsvc.exe
768	DllCommonsvc.exe
768	DllCommonsvc.exe
768	DllCommonsvc.exe
768	DllCommonsvc.exe
768	DllCommonsvc.exe
3048	powershell.exe
2340	powershell.exe
2104	powershell.exe
2052	DllCommonsvc.exe
968	powershell.exe
2224	powershell.exe
2188	powershell.exe
2212	powershell.exe
2420	powershell.exe
1100	powershell.exe
2304	powershell.exe
868	powershell.exe
1532	powershell.exe
800	powershell.exe
2544	powershell.exe
1760	DllCommonsvc.exe
2756	DllCommonsvc.exe
2176	DllCommonsvc.exe
1428	DllCommonsvc.exe
2696	DllCommonsvc.exe
1892	DllCommonsvc.exe
1328	DllCommonsvc.exe
2112	DllCommonsvc.exe
1912	DllCommonsvc.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	768	DllCommonsvc.exe
Token: SeDebugPrivilege	2052	DllCommonsvc.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	1760	DllCommonsvc.exe
Token: SeDebugPrivilege	2756	DllCommonsvc.exe
Token: SeDebugPrivilege	2176	DllCommonsvc.exe
Token: SeDebugPrivilege	1428	DllCommonsvc.exe
Token: SeDebugPrivilege	2696	DllCommonsvc.exe
Token: SeDebugPrivilege	1892	DllCommonsvc.exe
Token: SeDebugPrivilege	1328	DllCommonsvc.exe
Token: SeDebugPrivilege	2112	DllCommonsvc.exe
Token: SeDebugPrivilege	1912	DllCommonsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2004	2960	JaffaCakes118_e9ed0e321cac9a46c533f2382508ff667f70b53316216aca6e3f17c2420fbe71.exe	30
PID 2960 wrote to memory of 2004	2960	JaffaCakes118_e9ed0e321cac9a46c533f2382508ff667f70b53316216aca6e3f17c2420fbe71.exe	30
PID 2960 wrote to memory of 2004	2960	JaffaCakes118_e9ed0e321cac9a46c533f2382508ff667f70b53316216aca6e3f17c2420fbe71.exe	30
PID 2960 wrote to memory of 2004	2960	JaffaCakes118_e9ed0e321cac9a46c533f2382508ff667f70b53316216aca6e3f17c2420fbe71.exe	30
PID 2004 wrote to memory of 2152	2004	WScript.exe	31
PID 2004 wrote to memory of 2152	2004	WScript.exe	31
PID 2004 wrote to memory of 2152	2004	WScript.exe	31
PID 2004 wrote to memory of 2152	2004	WScript.exe	31
PID 2152 wrote to memory of 768	2152	cmd.exe	33
PID 2152 wrote to memory of 768	2152	cmd.exe	33
PID 2152 wrote to memory of 768	2152	cmd.exe	33
PID 2152 wrote to memory of 768	2152	cmd.exe	33
PID 768 wrote to memory of 2104	768	DllCommonsvc.exe	75
PID 768 wrote to memory of 2104	768	DllCommonsvc.exe	75
PID 768 wrote to memory of 2104	768	DllCommonsvc.exe	75
PID 768 wrote to memory of 2224	768	DllCommonsvc.exe	76
PID 768 wrote to memory of 2224	768	DllCommonsvc.exe	76
PID 768 wrote to memory of 2224	768	DllCommonsvc.exe	76
PID 768 wrote to memory of 2188	768	DllCommonsvc.exe	77
PID 768 wrote to memory of 2188	768	DllCommonsvc.exe	77
PID 768 wrote to memory of 2188	768	DllCommonsvc.exe	77
PID 768 wrote to memory of 2420	768	DllCommonsvc.exe	78
PID 768 wrote to memory of 2420	768	DllCommonsvc.exe	78
PID 768 wrote to memory of 2420	768	DllCommonsvc.exe	78
PID 768 wrote to memory of 2340	768	DllCommonsvc.exe	79
PID 768 wrote to memory of 2340	768	DllCommonsvc.exe	79
PID 768 wrote to memory of 2340	768	DllCommonsvc.exe	79
PID 768 wrote to memory of 2544	768	DllCommonsvc.exe	80
PID 768 wrote to memory of 2544	768	DllCommonsvc.exe	80
PID 768 wrote to memory of 2544	768	DllCommonsvc.exe	80
PID 768 wrote to memory of 1100	768	DllCommonsvc.exe	82
PID 768 wrote to memory of 1100	768	DllCommonsvc.exe	82
PID 768 wrote to memory of 1100	768	DllCommonsvc.exe	82
PID 768 wrote to memory of 3048	768	DllCommonsvc.exe	83
PID 768 wrote to memory of 3048	768	DllCommonsvc.exe	83
PID 768 wrote to memory of 3048	768	DllCommonsvc.exe	83
PID 768 wrote to memory of 868	768	DllCommonsvc.exe	84
PID 768 wrote to memory of 868	768	DllCommonsvc.exe	84
PID 768 wrote to memory of 868	768	DllCommonsvc.exe	84
PID 768 wrote to memory of 2304	768	DllCommonsvc.exe	85
PID 768 wrote to memory of 2304	768	DllCommonsvc.exe	85
PID 768 wrote to memory of 2304	768	DllCommonsvc.exe	85
PID 768 wrote to memory of 2212	768	DllCommonsvc.exe	86
PID 768 wrote to memory of 2212	768	DllCommonsvc.exe	86
PID 768 wrote to memory of 2212	768	DllCommonsvc.exe	86
PID 768 wrote to memory of 968	768	DllCommonsvc.exe	87
PID 768 wrote to memory of 968	768	DllCommonsvc.exe	87
PID 768 wrote to memory of 968	768	DllCommonsvc.exe	87
PID 768 wrote to memory of 800	768	DllCommonsvc.exe	88
PID 768 wrote to memory of 800	768	DllCommonsvc.exe	88
PID 768 wrote to memory of 800	768	DllCommonsvc.exe	88
PID 768 wrote to memory of 1532	768	DllCommonsvc.exe	89
PID 768 wrote to memory of 1532	768	DllCommonsvc.exe	89
PID 768 wrote to memory of 1532	768	DllCommonsvc.exe	89
PID 768 wrote to memory of 2052	768	DllCommonsvc.exe	96
PID 768 wrote to memory of 2052	768	DllCommonsvc.exe	96
PID 768 wrote to memory of 2052	768	DllCommonsvc.exe	96
PID 2052 wrote to memory of 1356	2052	DllCommonsvc.exe	105
PID 2052 wrote to memory of 1356	2052	DllCommonsvc.exe	105
PID 2052 wrote to memory of 1356	2052	DllCommonsvc.exe	105
PID 1356 wrote to memory of 1648	1356	cmd.exe	107
PID 1356 wrote to memory of 1648	1356	cmd.exe	107
PID 1356 wrote to memory of 1648	1356	cmd.exe	107
PID 1356 wrote to memory of 1760	1356	cmd.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e9ed0e321cac9a46c533f2382508ff667f70b53316216aca6e3f17c2420fbe71.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e9ed0e321cac9a46c533f2382508ff667f70b53316216aca6e3f17c2420fbe71.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\it-IT\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\it-IT\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\schemas\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
    - - C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2052
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbMo3XBCxD.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1648
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat"
        8⤵
        
        PID:2696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2492
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wpigNgqS7W.bat"
        10⤵
        
        PID:2212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1656
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0PvuKmrV6l.bat"
        12⤵
        
        PID:2440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:764
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gHfnS8a2p.bat"
        14⤵
        
        PID:1228
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2224
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat"
        16⤵
        
        PID:2172
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1592
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat"
        18⤵
        
        PID:1128
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2440
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzxbGmHcY3.bat"
        20⤵
        
        PID:1560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3024
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat"
        22⤵
        
        PID:2664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2676
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\61cJPf1Vjg.bat"
        24⤵
        
        PID:1992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\it-IT\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Desktop\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Public\Desktop\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\schemas\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\schemas\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\schemas\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97452de2446ff047877ce7c5661007ed

SHA1
c603f2d10aa07124fcefa4ff7f3f0719620f1e81

SHA256
6c08749c69e5ae1f39cbba69c86e93bb2a8edcff9d2f1b5f64e43efd463fbc04

SHA512
90b097382fb40714a2fbad6e2838d75f246579be53a521e8aeef5b07b11c16af3c1cf8192349c5296320c5ba134eb844270e12757689bc2651627d4171f9497c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e15fa2904fd2ca26b98ba707d256cd8

SHA1
2214f9f38bb3b7ab39a133998c99d5cce928c140

SHA256
800eed7d17b5456535326623a23f013fe6388d2f20329e8b1453d80dd959a292

SHA512
d7161bb9873caee826297aa2a94fe6dee920fc1520f761e25fc189d7631dfd64c9619a3c2fabfbb78b3174a60a22974f49b7e8f312a7d897ed5771aa6121b1be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e351c60e85c48db5fb162bd880e6d55a

SHA1
435ce4076bc1c2f185f554ce514347429c197912

SHA256
68bb7da1105c2027a181aabbb4caca1518907e138547153f9ce86d4c9ec734b1

SHA512
7e9dc62402643a390516522258bdff2acc5c19f9839e7a0c50a1724b4678796657e657363e50f6dff7c16912c7608fff819ab14066e00ab81037b375e5455e96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58dff9bb5a83483df4c85db468fbde71

SHA1
284f438e58d82a6c48a17aaf56a724d44ebb599b

SHA256
acd0d5bf09b23bb162181e1446fd632b92e8537e8d6a49ba4c80ef257a309bb3

SHA512
5ee27cc9d3e10cb5ef4e5ea15ef595515bdb055c740f9bd785d298b3a724652dbe222536b57d2048f35ffb093b31de48945c52b770852ef695ede863f2a31012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
479e0806cfdfc49e4daa8cd35fc2d5a4

SHA1
c6435535f4313288b69e2f5e85ee7fb715c61ec8

SHA256
16fe493df359426dd26f070aa1c4d7f01830c4a8b17acd56b956ef01656f7e50

SHA512
3de52bb6e7a91beb038ce3f571d45e59abfb1833ffc441e70989ed465874e99560e021dcc828a625d3e2d92f75c686427f6698b4483cff555de34c2d90ccd44b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a8f385ba7b700c13f13c5c94e678b40

SHA1
c9d2247296315a0808c1979b3a01ba7241cc9d9a

SHA256
90aabb290a341f7d2d75cca9774164df7aaef1eeaada285fe540c309fe41111f

SHA512
f609bcd02b28f48028f3926672d4657b295dcc0400342dec297fe2f87b5bc02b6339f70a61c7441ef66265ab1c30a409d3c903507f6c68aa5af313431866dcc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
670acb86d08712fce9af80d5bb02f683

SHA1
a30fa7b8e7c96348dd14d5c6b09c20b204034f66

SHA256
13713449380f84b6cf1887992b44206d1f75b77f4f48b60d0086f9046b2f29fc

SHA512
d7e1b6dd84b4f2cd4fbb2ea39acf7cd8075a68ed48b360534957d9a27949da00b6b536f3ad7985aaab6ec1e6e534f1d82d29d2de07ec8c32383b8eb691d8b4ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b2490c18fe0beb39669548307399d01

SHA1
56461f8b58fbc486f5988b712fd21ac51db9e2bd

SHA256
6b96b5c42b4ce7eb4985be7fad4b8b56d9dcc99e46bc2819e2e0c66c5243f551

SHA512
e30dc6f945557eeead29e4e3136ec84f4bf15249599bd77e5eba59bfbc1be3af08a1c903a284e490cce7423d3b00874c332cc0475d48668cf0464733c1e9f049

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0782d3a16c7191190912a50498b95e2

SHA1
cdba19e9b5fa8fd145fc6e8e5635061f87a98934

SHA256
615e7f0acbcf5d7884242df052e631efd32bdf9b96815de58b4eabe3b8afe954

SHA512
b2835b565f2ca431f5ef6eac8bae4626857bd4a6ef6b50657605cd02845ae8edcd39a7e0623becaaebf4b9a774b2644351609174d84364e4a5fd5d260e50d424

Download Submit
C:\Users\Admin\AppData\Local\Temp\0PvuKmrV6l.bat

Filesize
230B

MD5
78af9dcdfcddec8c5c57ebe449804eb5

SHA1
a6c5634f3b71bea75d57c09fc28a20d0f1660374

SHA256
37f307055ca90b60399ccd049f70ea3646f58076570b6b4d83f167715f9fb56a

SHA512
2125f4b39894e8bb8e7e8be2456d038094b2dda7769b933724fb21ac3547788173aee44346217f58fef709f20d6dc30d0e65f922a940dba4fdde30d9e49b7825

Download Submit
C:\Users\Admin\AppData\Local\Temp\61cJPf1Vjg.bat

Filesize
230B

MD5
574e04a69fc97dc8209a80f83c54b3b6

SHA1
6080a5c41eb46c078dce4ab29be270fa1fe2cead

SHA256
aac7fc3c99f14fe10315cac0c2ad7d019207e1110c265c3d67d6aa07e5e26912

SHA512
8748f057675291cb898ffe10dea2e0244d9a0fafe73dd409a4aca4c2ade7a52ac356e66b030c2f74bbec392a16b515f3b631b625b3815568948b447b4145b80e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9gHfnS8a2p.bat

Filesize
230B

MD5
9aaf5c4acdd2b252c056d3d6d14cfaed

SHA1
55d2959afaf352032b6c7a12810b58893a2d7aae

SHA256
2e1778d7c9cd4aca81de7faa62c2f128e73b6bb4c195a5ebe52892ba52a2d0d7

SHA512
044889299c08dcb969976f611457db8dc53a28571366e454769149e86db2a329f2d0e78dc65f1e09c2b7423b28d0a35077b30a135ba8b6281fa1bd07f3bc1bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEEC4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat

Filesize
230B

MD5
97362d58ee61d7452a33485a82b407f7

SHA1
6c8aab6510bd0918cb6c8e0003ea5f14d4233d7b

SHA256
f6cded25b084c7e66f0116d5280a866cfecd4e1237bfae7715e657fdaff29b23

SHA512
96523b66d085b09280e156713bf86f9b46c5e191b8371d0e0470c3672681e41d6200b1d9dd69e3e6f2087c3cc757c821ab7c2f91605a164793334627a640a288

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEED7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat

Filesize
230B

MD5
14d8edfc339ab11e0181df1c4b2466df

SHA1
90f4f5ec1c77f3c81a5b117f5f76d95afc62a85e

SHA256
57b5c20a973798e8e1bc1fb15fe5798d06ed354f0d8a439132dbe5a4eb6c0d86

SHA512
8eb8c52295ce98270c35caf8ebfe41d5fbae34b2b9f9f3d2e6c0f3b97eea0a028245a28aeb69d0d3572dfaf1fff6ad8d85987f14fadece9d424303996857f76e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbMo3XBCxD.bat

Filesize
230B

MD5
0a61e7be41bc21d4ae9cbce26dc5257c

SHA1
5d2032a0042d64a56ade60d9d1c7a3a6d53f0712

SHA256
2f92473cec1a2e9db2ee4bf128bdadf6baef4b96f01d6b9f11edbbcf995e0df8

SHA512
ec7bd95609c50df3de02d195daa428f8c9ae2857657fb992cab66775b8e099e1b65046dca4685749d492d785d10a471783a09505417b71e40e196642b4e3d999

Download Submit
C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat

Filesize
230B

MD5
f14eb413acd38eb177a3ae9fb56aec27

SHA1
cf86bcbb5391e27d8307da555cf2f9320074a9ee

SHA256
fad853669efe3fe68bd9bb697cb661102e78c7567a93c6120a962583aaf3405a

SHA512
c1382db89739e43c1105a9d15600eef349b1555d4572d1dee4d5c8bdbfba30013e3566f17565be017e355abd7f4170e91e4a502d145cbc7fbca8f77a1ea5262f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzxbGmHcY3.bat

Filesize
230B

MD5
d5fd5e50b3584f4d66648b795f11c3e7

SHA1
81105f0c92ed045ec82a5ecad255116398488335

SHA256
5836ef397a2bb8187b26c95bd7c5813cfb7751f69c4a9aa8d61b68d8b6613d73

SHA512
73306e4de69387cd3764e5b3beb0eff0d1bb2734d17db66ae656b20ccb9541c8b88d85cbef5bf858b52a5562d28b15938c45266ffbe8e1040bd8a653f31b376e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat

Filesize
230B

MD5
9f1023f6ef13ff6c9515736ebe1c9e74

SHA1
148421723526fd595e3f5b33462112e41201c399

SHA256
198c37cec5eb1036f4a704780913b46f7d61f92f16d997f35f62e2541c0c81e0

SHA512
21c2392a13820acd9d0b457fb789340adaad1d7934f46d88fd084f8e2b55f8629638951b5306e13332ea697f3c9212c4a22059827a8b133ab94d14a1dcdc968c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wpigNgqS7W.bat

Filesize
230B

MD5
7000398254024f390381871270ceea64

SHA1
9c4a199395b2f9c02707a0e895da76a1db379442

SHA256
ba62df418dfd8eb5293d4ee7ec5a494b1d849c733a3329e0d94022b950b8ed2b

SHA512
984abbb7eb8fc54b5f256509d6ed93ca0b6dd5aa8237ea0117d2bc9e7070db09fd60e5f03f72fcc94323752e3f8bbaa3a58724b2ea015134203fd0a6dcce5c79

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ROSJN3F2AY3O6A0LPKH1.temp

Filesize
7KB

MD5
b630cbcdcd7bc9c5917befcf32d9ffed

SHA1
e662220737686858ca2ff0d92d9f1fc68f517d83

SHA256
a96e3d7a32be1adf8ad84183fc3b6fcbadf2d5e98560a16cba08952abd9d83d9

SHA512
e6ecb15c9413a5e3e706142cd731cdbca317ca2b10c97c494273eedf8562401ee171c35692211a0380feaff20062acded96b5176f9bfc827ab94b2dd2f68b4f7

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/768-14-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/768-13-0x00000000009A0000-0x0000000000AB0000-memory.dmp

Filesize
1.1MB

Download
memory/768-15-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/768-16-0x00000000001D0000-0x00000000001DC000-memory.dmp

Filesize
48KB

Download
memory/768-17-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download
memory/1428-360-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/1760-180-0x0000000000340000-0x0000000000450000-memory.dmp

Filesize
1.1MB

Download
memory/1892-480-0x00000000012A0000-0x00000000013B0000-memory.dmp

Filesize
1.1MB

Download
memory/2052-50-0x0000000000870000-0x0000000000980000-memory.dmp

Filesize
1.1MB

Download
memory/2176-300-0x0000000000DD0000-0x0000000000EE0000-memory.dmp

Filesize
1.1MB

Download
memory/2696-420-0x0000000001290000-0x00000000013A0000-memory.dmp

Filesize
1.1MB

Download
memory/2756-240-0x0000000000920000-0x0000000000A30000-memory.dmp

Filesize
1.1MB

Download
memory/3048-58-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/3048-59-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download