dcrat | cb1ad8388d887d506e9074b1397600a3b2b39be22c129c9436bef70833ef3808

Analysis

max time kernel
146s
max time network
142s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_cb1ad8388d887d506e9074b1397600a3b2b39be22c129c9436bef70833ef3808.exe
Size

1.3MB
MD5

0c991d5808b03b1f2d68fd91c13640f8
SHA1

4d80e51f66dcac27e4b2e2e36f41b61836e53bf0
SHA256

cb1ad8388d887d506e9074b1397600a3b2b39be22c129c9436bef70833ef3808
SHA512

88ce8f2a81c2c7d33e75926a8afa835449d22958d84528f3c6f0f2648ebebdd0d76485d411bec57277f82e3f5ede70ee5088ea5d8874f6eb2cd4dec26ee3c971
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2792	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	284	2792	schtasks.exe	35

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000019246-12.dat	dcrat
behavioral1/memory/2292-13-0x0000000001330000-0x0000000001440000-memory.dmp	dcrat
behavioral1/memory/2776-122-0x0000000000DB0000-0x0000000000EC0000-memory.dmp	dcrat
behavioral1/memory/3000-181-0x0000000001320000-0x0000000001430000-memory.dmp	dcrat
behavioral1/memory/340-241-0x0000000001390000-0x00000000014A0000-memory.dmp	dcrat
behavioral1/memory/2728-656-0x00000000001C0000-0x00000000002D0000-memory.dmp	dcrat
behavioral1/memory/1296-716-0x0000000000C40000-0x0000000000D50000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1480	powershell.exe
2764	powershell.exe
2216	powershell.exe
1636	powershell.exe
2264	powershell.exe
2904	powershell.exe
2268	powershell.exe
2448	powershell.exe
1704	powershell.exe
1744	powershell.exe
568	powershell.exe
1612	powershell.exe
684	powershell.exe
3044	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2292	DllCommonsvc.exe
2776	WMIADAP.exe
3000	WMIADAP.exe
340	WMIADAP.exe
2240	WMIADAP.exe
2828	WMIADAP.exe
2352	WMIADAP.exe
3028	WMIADAP.exe
2656	WMIADAP.exe
1088	WMIADAP.exe
2728	WMIADAP.exe
1296	WMIADAP.exe
2768	WMIADAP.exe

Loads dropped DLL 2 IoCs

pid	Process
2404	cmd.exe
2404	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
29	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
16	raw.githubusercontent.com
22	raw.githubusercontent.com
19	raw.githubusercontent.com
33	raw.githubusercontent.com
40	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Office14\1033\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\it-IT\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\it-IT\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Help\mui\WMIADAP.exe	DllCommonsvc.exe
File created	C:\Windows\Help\mui\75a57c1bdf437c	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_cb1ad8388d887d506e9074b1397600a3b2b39be22c129c9436bef70833ef3808.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2020	schtasks.exe
1260	schtasks.exe
2536	schtasks.exe
2508	schtasks.exe
1720	schtasks.exe
1940	schtasks.exe
2516	schtasks.exe
2940	schtasks.exe
1644	schtasks.exe
1724	schtasks.exe
2460	schtasks.exe
3016	schtasks.exe
284	schtasks.exe
668	schtasks.exe
1908	schtasks.exe
2840	schtasks.exe
1736	schtasks.exe
2680	schtasks.exe
1036	schtasks.exe
1776	schtasks.exe
2564	schtasks.exe
2952	schtasks.exe
320	schtasks.exe
1364	schtasks.exe
2796	schtasks.exe
2620	schtasks.exe
2512	schtasks.exe
3068	schtasks.exe
1828	schtasks.exe
316	schtasks.exe
2648	schtasks.exe
2476	schtasks.exe
2044	schtasks.exe
952	schtasks.exe
2740	schtasks.exe
1088	schtasks.exe
1620	schtasks.exe
1956	schtasks.exe
1576	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2292	DllCommonsvc.exe
2292	DllCommonsvc.exe
2292	DllCommonsvc.exe
1612	powershell.exe
3044	powershell.exe
1480	powershell.exe
2448	powershell.exe
2216	powershell.exe
1636	powershell.exe
2904	powershell.exe
1704	powershell.exe
2764	powershell.exe
1744	powershell.exe
2264	powershell.exe
684	powershell.exe
2268	powershell.exe
568	powershell.exe
2776	WMIADAP.exe
3000	WMIADAP.exe
340	WMIADAP.exe
2240	WMIADAP.exe
2828	WMIADAP.exe
2352	WMIADAP.exe
3028	WMIADAP.exe
2656	WMIADAP.exe
1088	WMIADAP.exe
2728	WMIADAP.exe
1296	WMIADAP.exe
2768	WMIADAP.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2292	DllCommonsvc.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	2776	WMIADAP.exe
Token: SeDebugPrivilege	3000	WMIADAP.exe
Token: SeDebugPrivilege	340	WMIADAP.exe
Token: SeDebugPrivilege	2240	WMIADAP.exe
Token: SeDebugPrivilege	2828	WMIADAP.exe
Token: SeDebugPrivilege	2352	WMIADAP.exe
Token: SeDebugPrivilege	3028	WMIADAP.exe
Token: SeDebugPrivilege	2656	WMIADAP.exe
Token: SeDebugPrivilege	1088	WMIADAP.exe
Token: SeDebugPrivilege	2728	WMIADAP.exe
Token: SeDebugPrivilege	1296	WMIADAP.exe
Token: SeDebugPrivilege	2768	WMIADAP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 1800	2088	JaffaCakes118_cb1ad8388d887d506e9074b1397600a3b2b39be22c129c9436bef70833ef3808.exe	31
PID 2088 wrote to memory of 1800	2088	JaffaCakes118_cb1ad8388d887d506e9074b1397600a3b2b39be22c129c9436bef70833ef3808.exe	31
PID 2088 wrote to memory of 1800	2088	JaffaCakes118_cb1ad8388d887d506e9074b1397600a3b2b39be22c129c9436bef70833ef3808.exe	31
PID 2088 wrote to memory of 1800	2088	JaffaCakes118_cb1ad8388d887d506e9074b1397600a3b2b39be22c129c9436bef70833ef3808.exe	31
PID 1800 wrote to memory of 2404	1800	WScript.exe	32
PID 1800 wrote to memory of 2404	1800	WScript.exe	32
PID 1800 wrote to memory of 2404	1800	WScript.exe	32
PID 1800 wrote to memory of 2404	1800	WScript.exe	32
PID 2404 wrote to memory of 2292	2404	cmd.exe	34
PID 2404 wrote to memory of 2292	2404	cmd.exe	34
PID 2404 wrote to memory of 2292	2404	cmd.exe	34
PID 2404 wrote to memory of 2292	2404	cmd.exe	34
PID 2292 wrote to memory of 1704	2292	DllCommonsvc.exe	75
PID 2292 wrote to memory of 1704	2292	DllCommonsvc.exe	75
PID 2292 wrote to memory of 1704	2292	DllCommonsvc.exe	75
PID 2292 wrote to memory of 1744	2292	DllCommonsvc.exe	76
PID 2292 wrote to memory of 1744	2292	DllCommonsvc.exe	76
PID 2292 wrote to memory of 1744	2292	DllCommonsvc.exe	76
PID 2292 wrote to memory of 684	2292	DllCommonsvc.exe	78
PID 2292 wrote to memory of 684	2292	DllCommonsvc.exe	78
PID 2292 wrote to memory of 684	2292	DllCommonsvc.exe	78
PID 2292 wrote to memory of 1612	2292	DllCommonsvc.exe	79
PID 2292 wrote to memory of 1612	2292	DllCommonsvc.exe	79
PID 2292 wrote to memory of 1612	2292	DllCommonsvc.exe	79
PID 2292 wrote to memory of 3044	2292	DllCommonsvc.exe	80
PID 2292 wrote to memory of 3044	2292	DllCommonsvc.exe	80
PID 2292 wrote to memory of 3044	2292	DllCommonsvc.exe	80
PID 2292 wrote to memory of 2904	2292	DllCommonsvc.exe	81
PID 2292 wrote to memory of 2904	2292	DllCommonsvc.exe	81
PID 2292 wrote to memory of 2904	2292	DllCommonsvc.exe	81
PID 2292 wrote to memory of 2448	2292	DllCommonsvc.exe	83
PID 2292 wrote to memory of 2448	2292	DllCommonsvc.exe	83
PID 2292 wrote to memory of 2448	2292	DllCommonsvc.exe	83
PID 2292 wrote to memory of 568	2292	DllCommonsvc.exe	84
PID 2292 wrote to memory of 568	2292	DllCommonsvc.exe	84
PID 2292 wrote to memory of 568	2292	DllCommonsvc.exe	84
PID 2292 wrote to memory of 1480	2292	DllCommonsvc.exe	85
PID 2292 wrote to memory of 1480	2292	DllCommonsvc.exe	85
PID 2292 wrote to memory of 1480	2292	DllCommonsvc.exe	85
PID 2292 wrote to memory of 2216	2292	DllCommonsvc.exe	86
PID 2292 wrote to memory of 2216	2292	DllCommonsvc.exe	86
PID 2292 wrote to memory of 2216	2292	DllCommonsvc.exe	86
PID 2292 wrote to memory of 2268	2292	DllCommonsvc.exe	88
PID 2292 wrote to memory of 2268	2292	DllCommonsvc.exe	88
PID 2292 wrote to memory of 2268	2292	DllCommonsvc.exe	88
PID 2292 wrote to memory of 2764	2292	DllCommonsvc.exe	91
PID 2292 wrote to memory of 2764	2292	DllCommonsvc.exe	91
PID 2292 wrote to memory of 2764	2292	DllCommonsvc.exe	91
PID 2292 wrote to memory of 2264	2292	DllCommonsvc.exe	92
PID 2292 wrote to memory of 2264	2292	DllCommonsvc.exe	92
PID 2292 wrote to memory of 2264	2292	DllCommonsvc.exe	92
PID 2292 wrote to memory of 1636	2292	DllCommonsvc.exe	93
PID 2292 wrote to memory of 1636	2292	DllCommonsvc.exe	93
PID 2292 wrote to memory of 1636	2292	DllCommonsvc.exe	93
PID 2292 wrote to memory of 2436	2292	DllCommonsvc.exe	103
PID 2292 wrote to memory of 2436	2292	DllCommonsvc.exe	103
PID 2292 wrote to memory of 2436	2292	DllCommonsvc.exe	103
PID 2436 wrote to memory of 1508	2436	cmd.exe	105
PID 2436 wrote to memory of 1508	2436	cmd.exe	105
PID 2436 wrote to memory of 1508	2436	cmd.exe	105
PID 2436 wrote to memory of 2776	2436	cmd.exe	106
PID 2436 wrote to memory of 2776	2436	cmd.exe	106
PID 2436 wrote to memory of 2776	2436	cmd.exe	106
PID 2776 wrote to memory of 1332	2776	WMIADAP.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cb1ad8388d887d506e9074b1397600a3b2b39be22c129c9436bef70833ef3808.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cb1ad8388d887d506e9074b1397600a3b2b39be22c129c9436bef70833ef3808.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2292
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\it-IT\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\mui\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H9GGO1qJoc.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2436
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1508
      - C:\Windows\Help\mui\WMIADAP.exe
        
        "C:\Windows\Help\mui\WMIADAP.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat"
        7⤵
        
        PID:1332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:668
        
        C:\Windows\Help\mui\WMIADAP.exe
        
        "C:\Windows\Help\mui\WMIADAP.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\esvfELjyVS.bat"
        9⤵
        
        PID:2376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2208
        
        C:\Windows\Help\mui\WMIADAP.exe
        
        "C:\Windows\Help\mui\WMIADAP.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SXiopUTlQe.bat"
        11⤵
        
        PID:2360
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2852
        
        C:\Windows\Help\mui\WMIADAP.exe
        
        "C:\Windows\Help\mui\WMIADAP.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mxrgiezM67.bat"
        13⤵
        
        PID:2108
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1788
        
        C:\Windows\Help\mui\WMIADAP.exe
        
        "C:\Windows\Help\mui\WMIADAP.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat"
        15⤵
        
        PID:1260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1724
        
        C:\Windows\Help\mui\WMIADAP.exe
        
        "C:\Windows\Help\mui\WMIADAP.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L59TFxmxil.bat"
        17⤵
        
        PID:2816
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3052
        
        C:\Windows\Help\mui\WMIADAP.exe
        
        "C:\Windows\Help\mui\WMIADAP.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vad0LeRbBz.bat"
        19⤵
        
        PID:1112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2172
        
        C:\Windows\Help\mui\WMIADAP.exe
        
        "C:\Windows\Help\mui\WMIADAP.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L8pPJcA7Kt.bat"
        21⤵
        
        PID:2616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2372
        
        C:\Windows\Help\mui\WMIADAP.exe
        
        "C:\Windows\Help\mui\WMIADAP.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat"
        23⤵
        
        PID:1968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2080
        
        C:\Windows\Help\mui\WMIADAP.exe
        
        "C:\Windows\Help\mui\WMIADAP.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat"
        25⤵
        
        PID:1388
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:552
        
        C:\Windows\Help\mui\WMIADAP.exe
        
        "C:\Windows\Help\mui\WMIADAP.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat"
        27⤵
        
        PID:2696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2720
        
        C:\Windows\Help\mui\WMIADAP.exe
        
        "C:\Windows\Help\mui\WMIADAP.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Users\Default\PrintHood\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Users\Default\PrintHood\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\mui\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\Help\mui\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\mui\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c2744a569bd709f331ee15dae76359f

SHA1
175722421d4292c9f9582e322c8d6dded9ea3f4b

SHA256
bb154a43d091f853d6ccb84f90947215155e419c143771afba7b7a479cbc654f

SHA512
c782684a60bc041e65fe1067733cbd26a39c4b9d01a9696b8610849cf2f8bd7d854cd16d58ba2b0e3b95d1c4eb0abf06d91a911522d88e4d282e05569eaf5b57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f788fcd01918ce2affc71c5abf7c918

SHA1
f985e0d09d8352226a1d46365799aed496ba9213

SHA256
0c39839a182c606c4fb2643609aeb9e40140c9dff5fa6364329e351870754f24

SHA512
f2f9f527c3b232097623a01e6206713ea0a5b1eee1f2b300f145ff118f5fc47eb479c9b90f577206ecf3f78b1ada2bc8e5acf6000094d0b552de967ce4dd59cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00238680b36a3bd198ab76b1655ebd4a

SHA1
9d2c7f5ddce49e6f5ded554759abc24b355e0fc6

SHA256
8d0b251536555155ff4767b0fff31c94a13735c0566bbc50b71baccc1d287704

SHA512
b2eabd2a67bb28c031175db85ad5b312dc8a8b21333c581f3d30fe4754565df50474baa279a4ec718449e29778379a5118eac6bfcaffdb2f2735b3c600f95c43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
70d3936bc01ead6b59220dc2f2752e4b

SHA1
50a3c6382524b261df35cf9893361a2a33d639f2

SHA256
36785986e0a00d6aa9e7dc7917416302ef5e8ef7031eaa652fa792c1985b239b

SHA512
1691eae89567d5620768b61bcbc6b882d08fdfe600007d87c470956bfd498bfbd24711cc456607c972224077f963ba9e2c94fd8bba3c6e4ee2c55c17d48f6962

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8769163eae52753054152440d0f4df2c

SHA1
95535695695f6b40388f6672d53d084e0c8041f1

SHA256
5b7ae598d74477f27d7804b9fa304e387ebb4873033c3d1c47f2323570308810

SHA512
3de6c870ae4db41b9c07765be253c6a323a693a68b5af65f644c4378a8ade5e5f7c3d4ee35176b19a3600125a65d961e4c80baf4330299be808b42ada9fec8e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0454393d64e9bbc2b0bd6d7bec8eaee4

SHA1
0974895d1df97fd8f2fb6f28bcefdccc0ec4d135

SHA256
0576eedb9c6a431a493d7c93bcdbd602fa52f90dc0b226d7d704dcbdd54ea36c

SHA512
5f6428c228fc831ba6a040d76318d6bde0659e019f502c27201f0dd406ab6878d292b9d70206abd4b79b1b86a82018f9b0dba2aa81e7a59e365f4722ffc87e83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5bd6ad7607474ceaa13583f3b8f95a08

SHA1
f140d7801d6c4db367cf2e03e9a690c018c061e8

SHA256
4b3df7302b7600d49664f51bf4a9a440b676049b8e370bfe80ce865d626576d2

SHA512
93b7e2ae94aa672dd5d2e27cffb05f693e0936fa78ba6629273bb494ae716a3d89daeb0ef060e574e59cf3d29cff3ae50a94d4df3a4b78241334e58a38794d15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed176c4900d05a067cd9117444f776bc

SHA1
dc1606c3c06481939aace30fb3d4d163af5352b3

SHA256
b64481a6a74cc271442e3b4c902e7fe57164b8a16e5ede239379c2ecfa18e9e9

SHA512
75adf8570fa5a16b850a5376c658ba34a1ebc31035f4957f692b9fe72e6a5479be96ca0aaf5c3469a3d664e9de4b9ae157b8534bd1ccbeb80e1e2580643f8be2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
afcb9d12bfe092f3a594ee3e5c155abe

SHA1
e13ba2bfbc03e0f8e1467a19e31055f192bc42d2

SHA256
b1706c26dbd73e03cc3e9137790d43499dc97f6f6c54093a2fa8df16ea729dd0

SHA512
75f416586942328955187f2ef9b1f8b79b580098ce4e212858416a835ce18786b91d93e55690b161430ccd62302c77dd8abec73660c15df3659e3d56f0b77809

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bfa44cbede21fb63f98800b85e16d9ab

SHA1
2bb675e15bdb4a24b312102504a4dd9d8bd5f381

SHA256
03dbe5fd5731687fabc34728200b534f51197e09c5c9cd677887ec1e77bdebe4

SHA512
8a1e9a40f4392cd6ebd826fdd01f284c00badff6d912373d750439405654cc45760957fe5d98f2834e527792c72c33411c644db1b2b1eb2351b5e8a533ac547b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat

Filesize
196B

MD5
0533e591b399510b98bc1506cfb06ad3

SHA1
b66bc22480ca8a3aa05be4388140a68b42db7a86

SHA256
d2f6eefbfb714e22ca37526a3754fd8f324bb4615b7f888f265c455ecdea529f

SHA512
cdd82b6aa0c628616ce444d5bb1aedab9de00bc2f018f9c01a7dfb6f2881e7c44d28755d0b9a7783cd627fd42e607de3fe53c297963de94b2e444d8b409911c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2A9B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat

Filesize
196B

MD5
0c9ce08f703541890015dd68d8e91d45

SHA1
52257fb094314ad25985082b6057a49f417b3d71

SHA256
b438944279a6202ee72c16f8e6ba8c3ab59738847a43e1f0e0a5188d5edb008a

SHA512
5060278ccb7882e81b1bb71b7390be25b5f44a4c9ccc90eec3ac9528ef7126aad9e91d83cf2a376dd33f6dcc01f41cc131205c8e8e997b300fd9f8a5fb197afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\H9GGO1qJoc.bat

Filesize
196B

MD5
f566f7af23386c1572247f72d6b6ec73

SHA1
dee1c81454f1841ae9fe49d4fa355316244396ae

SHA256
4673f5060be3fa398214654958b725382d4e23365b3d2ad2ccf57df19edfdbe7

SHA512
ad5ca2c7cebbf79f435a03ef3dd3ede665a16ce0e6d929a35fc28e7745d7d660af34377f37a75a991af8bf0fa5459a3d522310ba1118fb817327e3c313c3c1c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\L59TFxmxil.bat

Filesize
196B

MD5
825de0cb5340e59a42bac556ef182107

SHA1
9177bbe091ccf518f0404d7b20bea05383b8780d

SHA256
6028fd60ff505e18efc3dc323ad811c40bf425f98ecdbf22ece15a3e5d8e9a98

SHA512
2666c4b3389ef4e68596fc81be349688149eccc197a3d33f71a9f785f5f39eb8abbf09aa9b71240f758c247ca5d66849ddacb63147ee827dba443ec5cccd873e

Download Submit
C:\Users\Admin\AppData\Local\Temp\L8pPJcA7Kt.bat

Filesize
196B

MD5
a9d2d48d314de485d4abc7405012eec8

SHA1
bd23fa299e275ee87078a3196463bce1fec36800

SHA256
8da1a52a2b398ea2f1313e8b4ae9cbe0fb4a73dc074203395566a61e25002cc6

SHA512
b7f5df130227280ae4f5b5e5319b411666ff74aadebc5056bee95fa0019bd70e7239a951674516a456fdff09713b48c48162e06463e4ec0f3242f5a1b963110b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SXiopUTlQe.bat

Filesize
196B

MD5
a0b826d85636f0402627131ea52d1797

SHA1
09a45815cf1ce6999237640996fdb82f44f38fbb

SHA256
acce84335fec95934c1a5a942b99c38bc34026409c87f1d38f4b4b7992463613

SHA512
29d89e63c4ca2587c9e72af59e6cefb60a66482efcd8cf5f68a0f599eac04da83825d5666e59cdd15ab36839b52d66d075d8a1cffc3455b582f07c25ddd971a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2ABD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\esvfELjyVS.bat

Filesize
196B

MD5
0560b4959c5e7dd8abd044c7481d217e

SHA1
4fd612fe033037eafdaf274768918560a479ccfc

SHA256
1c610cd9b01b5775db3fab0ad5b8ba0d1d527b1c0a6984068f7700f12baeb959

SHA512
32457d628cc8d4bbf29a94121769d8ecffbc270511f55cec49e81069ba513b6a4cfb944a00247552c92b3357d8ae920712fd6e3c80077ceae78ac3a4ab48f693

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat

Filesize
196B

MD5
b17a81811e1227682f4a77aef17239aa

SHA1
be215badeffc05d8daaa1f923514cdeb40d30285

SHA256
b1aec8733852f9e6b86784f49b26834fc99a37ba1523510b73575ee71380a0a1

SHA512
641f47495f3af188798a4d866dafbee890d92e7e092c529c4d5ce3f6863bdee0437cf4187725ddbe61a6ced5bab4e5824f673e48d68b820b64b6e6cff0206660

Download Submit
C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat

Filesize
196B

MD5
7c853e35592cdf51942ff6bcf4a7199a

SHA1
f183d76d55eb99033b3241ec6b64959b6769faad

SHA256
deb8c258ec121c7b62f08f8ec0cfd58e43a255b2e39568dd2dbe0f6f2434e38d

SHA512
4847bce2bf034797e9495d3109942ae6464257b25dfe5bc1460ab376f59bfbcc966c67ef42e93b82a6efe1d72f7b70aef8a723205a228ad3db24369e76a5b55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat

Filesize
196B

MD5
6a667d830a5550329fab1bb1a17c7f1d

SHA1
3cfd09548080a8caeeca373cc349e43237893d27

SHA256
2ffc19e36a4b32f77e4c71b15c4b585f2ef45e4d006a8d4bcc9b85a0101cd99a

SHA512
f36a205cc7671bec58ae37b4362aed328880f113563dc82c17ba2d66c1bb3ce874d7ca1cb99e7dd4fd08535a1ae26bee32c3ca63b507492416f0c2511a02d033

Download Submit
C:\Users\Admin\AppData\Local\Temp\mxrgiezM67.bat

Filesize
196B

MD5
171e0df8ab88fdc03b4ea2a6fa185308

SHA1
b9c5b09f4821c4d52618d84413b71d0abc33fa5d

SHA256
3749b134c88ff26799624d4659376af7f70a2e6e99fa0e7f59b36f22dee9a12a

SHA512
74139cd7036be047a950a92ab6cea5383125f31e2e0bc9ae566380b7b155daacd725f433013c42f592f8c13dd8498852fbf8aca7d7d54ddad5ecf49f2d2efe60

Download Submit
C:\Users\Admin\AppData\Local\Temp\vad0LeRbBz.bat

Filesize
196B

MD5
ac5ec4528ee7da2d52fcd934b3887bd6

SHA1
3eea13b5863855996967d669f075e70ef231113c

SHA256
409050027701f7ccd0612c35f47e7b46e81fb7fe59986d9b6113cd5f84794af4

SHA512
86f14cdab46d917dcd9ccece987da3f2559ee7a43ab2fa861adb45b3d9c15829d33d3c23084a631ec28578508adbdbcc26a56d91af4e6a59c1e3165dcde0ac4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ba58cf2209969cb3d796aef58cd39082

SHA1
17c439027023a772a85cb884c124247b19b1e21c

SHA256
333cdd4a3d31b28f5657392e1a8299911fab8aba746f688162b073b542e52ca6

SHA512
5073f6386a8301ba2366a94df2679117edf1a68789ebf4e6004af384309a3c9ae77ca17825778c5f441bee53e49fa2b7654ccb0937b956df8108ccbce5fcea6d

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/340-241-0x0000000001390000-0x00000000014A0000-memory.dmp

Filesize
1.1MB

Download
memory/1296-716-0x0000000000C40000-0x0000000000D50000-memory.dmp

Filesize
1.1MB

Download
memory/2292-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2292-15-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2292-16-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2292-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2292-13-0x0000000001330000-0x0000000001440000-memory.dmp

Filesize
1.1MB

Download
memory/2728-656-0x00000000001C0000-0x00000000002D0000-memory.dmp

Filesize
1.1MB

Download
memory/2776-122-0x0000000000DB0000-0x0000000000EC0000-memory.dmp

Filesize
1.1MB

Download
memory/3000-181-0x0000000001320000-0x0000000001430000-memory.dmp

Filesize
1.1MB

Download
memory/3028-478-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/3044-57-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/3044-59-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download