dcrat | 6887ddfcca990642732256f218b09ed56ce9e9cb6cf9493d1287aff50c7cde8d

Analysis

max time kernel
149s
max time network
137s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6887ddfcca990642732256f218b09ed56ce9e9cb6cf9493d1287aff50c7cde8d.exe
Size

1.3MB
MD5

3afef39cd77f486cded780ede564a1a6
SHA1

a3f27f2aa89f9baa6c28c20444deb9846d53995e
SHA256

6887ddfcca990642732256f218b09ed56ce9e9cb6cf9493d1287aff50c7cde8d
SHA512

1875989f44186c35adc773d523020ddfd1b3ab1326f0c7544d7ac18909d078ea6a615793ae477e68e86a38480baa676564d3f7bc8cadc36315c8e3e22d190aca
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2720	schtasks.exe	35

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00060000000186f8-9.dat	dcrat
behavioral1/memory/2656-13-0x0000000000AA0000-0x0000000000BB0000-memory.dmp	dcrat
behavioral1/memory/2748-82-0x00000000013D0000-0x00000000014E0000-memory.dmp	dcrat
behavioral1/memory/3036-348-0x0000000000180000-0x0000000000290000-memory.dmp	dcrat
behavioral1/memory/2076-408-0x00000000011D0000-0x00000000012E0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2816	powershell.exe
2084	powershell.exe
1396	powershell.exe
1864	powershell.exe
1868	powershell.exe
568	powershell.exe
1368	powershell.exe
1736	powershell.exe
1852	powershell.exe
1424	powershell.exe
2408	powershell.exe
2172	powershell.exe
2224	powershell.exe
2392	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2656	DllCommonsvc.exe
2748	csrss.exe
1896	csrss.exe
3016	csrss.exe
1912	csrss.exe
3036	csrss.exe
2076	csrss.exe
2252	csrss.exe
2376	csrss.exe
1480	csrss.exe
2332	csrss.exe
812	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2424	cmd.exe
2424	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
35	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
28	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Uninstall Information\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\de-DE\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\de-DE\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\csrss.exe	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\OSPPSVC.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\Fonts\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Windows\Fonts\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Windows\es-ES\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Windows\es-ES\1610b97d3ab4a7	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6887ddfcca990642732256f218b09ed56ce9e9cb6cf9493d1287aff50c7cde8d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2304	schtasks.exe
1740	schtasks.exe
2188	schtasks.exe
1304	schtasks.exe
1204	schtasks.exe
1976	schtasks.exe
948	schtasks.exe
2560	schtasks.exe
1400	schtasks.exe
1484	schtasks.exe
2300	schtasks.exe
2648	schtasks.exe
2100	schtasks.exe
1632	schtasks.exe
2020	schtasks.exe
1104	schtasks.exe
784	schtasks.exe
2620	schtasks.exe
1628	schtasks.exe
1744	schtasks.exe
2516	schtasks.exe
2612	schtasks.exe
1680	schtasks.exe
2432	schtasks.exe
2388	schtasks.exe
1432	schtasks.exe
2364	schtasks.exe
2096	schtasks.exe
2040	schtasks.exe
2580	schtasks.exe
1912	schtasks.exe
236	schtasks.exe
1048	schtasks.exe
576	schtasks.exe
1264	schtasks.exe
2844	schtasks.exe
1724	schtasks.exe
2312	schtasks.exe
1676	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2656	DllCommonsvc.exe
2656	DllCommonsvc.exe
2656	DllCommonsvc.exe
1864	powershell.exe
1368	powershell.exe
1396	powershell.exe
2084	powershell.exe
2816	powershell.exe
1868	powershell.exe
1424	powershell.exe
2224	powershell.exe
2408	powershell.exe
568	powershell.exe
2172	powershell.exe
2392	powershell.exe
1736	powershell.exe
1852	powershell.exe
2748	csrss.exe
1896	csrss.exe
3016	csrss.exe
1912	csrss.exe
3036	csrss.exe
2076	csrss.exe
2252	csrss.exe
2376	csrss.exe
1480	csrss.exe
2332	csrss.exe
812	csrss.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	DllCommonsvc.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	2748	csrss.exe
Token: SeDebugPrivilege	1896	csrss.exe
Token: SeDebugPrivilege	3016	csrss.exe
Token: SeDebugPrivilege	1912	csrss.exe
Token: SeDebugPrivilege	3036	csrss.exe
Token: SeDebugPrivilege	2076	csrss.exe
Token: SeDebugPrivilege	2252	csrss.exe
Token: SeDebugPrivilege	2376	csrss.exe
Token: SeDebugPrivilege	1480	csrss.exe
Token: SeDebugPrivilege	2332	csrss.exe
Token: SeDebugPrivilege	812	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2896	2384	JaffaCakes118_6887ddfcca990642732256f218b09ed56ce9e9cb6cf9493d1287aff50c7cde8d.exe	31
PID 2384 wrote to memory of 2896	2384	JaffaCakes118_6887ddfcca990642732256f218b09ed56ce9e9cb6cf9493d1287aff50c7cde8d.exe	31
PID 2384 wrote to memory of 2896	2384	JaffaCakes118_6887ddfcca990642732256f218b09ed56ce9e9cb6cf9493d1287aff50c7cde8d.exe	31
PID 2384 wrote to memory of 2896	2384	JaffaCakes118_6887ddfcca990642732256f218b09ed56ce9e9cb6cf9493d1287aff50c7cde8d.exe	31
PID 2896 wrote to memory of 2424	2896	WScript.exe	32
PID 2896 wrote to memory of 2424	2896	WScript.exe	32
PID 2896 wrote to memory of 2424	2896	WScript.exe	32
PID 2896 wrote to memory of 2424	2896	WScript.exe	32
PID 2424 wrote to memory of 2656	2424	cmd.exe	34
PID 2424 wrote to memory of 2656	2424	cmd.exe	34
PID 2424 wrote to memory of 2656	2424	cmd.exe	34
PID 2424 wrote to memory of 2656	2424	cmd.exe	34
PID 2656 wrote to memory of 1368	2656	DllCommonsvc.exe	75
PID 2656 wrote to memory of 1368	2656	DllCommonsvc.exe	75
PID 2656 wrote to memory of 1368	2656	DllCommonsvc.exe	75
PID 2656 wrote to memory of 2816	2656	DllCommonsvc.exe	77
PID 2656 wrote to memory of 2816	2656	DllCommonsvc.exe	77
PID 2656 wrote to memory of 2816	2656	DllCommonsvc.exe	77
PID 2656 wrote to memory of 2084	2656	DllCommonsvc.exe	78
PID 2656 wrote to memory of 2084	2656	DllCommonsvc.exe	78
PID 2656 wrote to memory of 2084	2656	DllCommonsvc.exe	78
PID 2656 wrote to memory of 2224	2656	DllCommonsvc.exe	80
PID 2656 wrote to memory of 2224	2656	DllCommonsvc.exe	80
PID 2656 wrote to memory of 2224	2656	DllCommonsvc.exe	80
PID 2656 wrote to memory of 568	2656	DllCommonsvc.exe	81
PID 2656 wrote to memory of 568	2656	DllCommonsvc.exe	81
PID 2656 wrote to memory of 568	2656	DllCommonsvc.exe	81
PID 2656 wrote to memory of 2408	2656	DllCommonsvc.exe	83
PID 2656 wrote to memory of 2408	2656	DllCommonsvc.exe	83
PID 2656 wrote to memory of 2408	2656	DllCommonsvc.exe	83
PID 2656 wrote to memory of 2392	2656	DllCommonsvc.exe	84
PID 2656 wrote to memory of 2392	2656	DllCommonsvc.exe	84
PID 2656 wrote to memory of 2392	2656	DllCommonsvc.exe	84
PID 2656 wrote to memory of 1868	2656	DllCommonsvc.exe	86
PID 2656 wrote to memory of 1868	2656	DllCommonsvc.exe	86
PID 2656 wrote to memory of 1868	2656	DllCommonsvc.exe	86
PID 2656 wrote to memory of 1736	2656	DllCommonsvc.exe	87
PID 2656 wrote to memory of 1736	2656	DllCommonsvc.exe	87
PID 2656 wrote to memory of 1736	2656	DllCommonsvc.exe	87
PID 2656 wrote to memory of 2172	2656	DllCommonsvc.exe	88
PID 2656 wrote to memory of 2172	2656	DllCommonsvc.exe	88
PID 2656 wrote to memory of 2172	2656	DllCommonsvc.exe	88
PID 2656 wrote to memory of 1864	2656	DllCommonsvc.exe	89
PID 2656 wrote to memory of 1864	2656	DllCommonsvc.exe	89
PID 2656 wrote to memory of 1864	2656	DllCommonsvc.exe	89
PID 2656 wrote to memory of 1424	2656	DllCommonsvc.exe	91
PID 2656 wrote to memory of 1424	2656	DllCommonsvc.exe	91
PID 2656 wrote to memory of 1424	2656	DllCommonsvc.exe	91
PID 2656 wrote to memory of 1396	2656	DllCommonsvc.exe	92
PID 2656 wrote to memory of 1396	2656	DllCommonsvc.exe	92
PID 2656 wrote to memory of 1396	2656	DllCommonsvc.exe	92
PID 2656 wrote to memory of 1852	2656	DllCommonsvc.exe	93
PID 2656 wrote to memory of 1852	2656	DllCommonsvc.exe	93
PID 2656 wrote to memory of 1852	2656	DllCommonsvc.exe	93
PID 2656 wrote to memory of 2748	2656	DllCommonsvc.exe	103
PID 2656 wrote to memory of 2748	2656	DllCommonsvc.exe	103
PID 2656 wrote to memory of 2748	2656	DllCommonsvc.exe	103
PID 2748 wrote to memory of 2364	2748	csrss.exe	104
PID 2748 wrote to memory of 2364	2748	csrss.exe	104
PID 2748 wrote to memory of 2364	2748	csrss.exe	104
PID 2364 wrote to memory of 1656	2364	cmd.exe	106
PID 2364 wrote to memory of 1656	2364	cmd.exe	106
PID 2364 wrote to memory of 1656	2364	cmd.exe	106
PID 2364 wrote to memory of 1896	2364	cmd.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6887ddfcca990642732256f218b09ed56ce9e9cb6cf9493d1287aff50c7cde8d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6887ddfcca990642732256f218b09ed56ce9e9cb6cf9493d1287aff50c7cde8d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Contacts\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\de-DE\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\es-ES\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
    - - C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2748
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L8pPJcA7Kt.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1656
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat"
        8⤵
        
        PID:2476
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2448
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ELd0wzhjGt.bat"
        10⤵
        
        PID:2832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2784
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VF9LbKHiRa.bat"
        12⤵
        
        PID:1660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1700
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z7AIE64VZ5.bat"
        14⤵
        
        PID:2292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1464
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\veDg5wW3gS.bat"
        16⤵
        
        PID:1904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2656
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hc9iMPvVJ4.bat"
        18⤵
        
        PID:1888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1912
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat"
        20⤵
        
        PID:1980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:768
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X8VSEkwS9E.bat"
        22⤵
        
        PID:2604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2920
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWs9jrlB8v.bat"
        24⤵
        
        PID:848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2824
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Fonts\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Windows\Fonts\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Contacts\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Contacts\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Searches\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Searches\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Searches\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\es-ES\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\de-DE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8ba6ed6323f9b9ec88b7b4593971d5c

SHA1
3f915d17382025f6d2d52e7a94852d93ed6f39c1

SHA256
9f44ae53ed004df78ce5b75bfe543ad3ae1e62940bb76ac1bfbe253a624448c3

SHA512
d269a73304c0052cf986826a12facb657ae951547fad89353310457e3fe4d81ac6ee14a8100ed9a1f96f5e70a84a01ea256765bde82c91100eb6d29e4183387e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bcd607672bb9522640cd95cbcf262c07

SHA1
945afb3b24c23ff7c59b0268158cc5c97b7f5a78

SHA256
4b0ec6bbe3a984aebe99e1ab336bde0c6a6e88aa2b8370b9ec69a3ca2cea1654

SHA512
bbae5dc19fd586c8658d7fe0283186adeac74cd947cc96550b1864593f08875bff1bd5b827741b2c226d520646188267fa8f7f55c4e84be906a16ca53a7484b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82eaa3ddf2b0823e8c10ecc6d62b6799

SHA1
1ecce3ae50390830dfd75be747cc1775d04c5b20

SHA256
69a797a54816e7264109f30c0d7afc10b2af49405e9c5644de625a0236938b03

SHA512
803c4b85ae437625ac9bd2a8e02b70e430604bb43cc8d2e0cb0cacd2988d4ccf76e1b928259888eea28d51fd23b691a44995329c028ff88a69811a6e34669523

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f08154e07ef19032bcdbf91c30b461b1

SHA1
24154f29949e7c3afe5b3a0570007cb1a22bbccf

SHA256
450c7d1b0206d3185c6daa09fe7069b12e58688fcabf68dd5c902bd49431dfce

SHA512
97a54f47c1fe406ddea8a360c84b12b408ff4f4d02813190436bb894a9a4a428793a507267c3f9b6652746be0e0c3a341f517364b8cec101daeb15c32d52fd52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46c8ca563904593a35f367a0b4c6d9c1

SHA1
eae372019b9a7e4e399deca81024050713b25ccb

SHA256
525ec410f2ad60077601e1a2ce07737c900d158ce6227df5b077cd06ca8fa1f5

SHA512
58bf62349b941f832c8fc86fc13a9d29a46b24cc017cf43cf66d04d28ff7f8e498f73dcc3b04b176b24f061208ae49426ab749d1d4d9d0adcbd1f58ecd755fdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0cf20caaa8d423985649117e0a4886ac

SHA1
b9066a12556d587fbf4d366fdcb8e894f5c9384c

SHA256
ac2e5dafe93f53e0a170097c02006c73fda479a975d7b27ba01de13d3864e16a

SHA512
6be50092755459b2b288bbd8ad2c695a8b36193b839ccea64fd4e8d4fb33b24bd4128ec7829ca54858f2cbdaa675a4412a79c0f033b329c06b4437f222f0fc50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b1799e6290664c7426d2b35a1aef83f

SHA1
73b47fbee95d701bf3f03d64d513648a2e804e91

SHA256
a7437a78c08e109f52c06962efaba114488bd11d75a761e5f6736521a914e311

SHA512
ecbc1c1f581cb73ed918e0fed85ac922e3cad3523ec639c1b00c2eef181f9141760199751b9b01dbf2e85256c806e9553dee0e12384509297c50f607ea78df85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b10bf74bb0d349c5cfdffd97d10f5889

SHA1
25a45ba744a0f30caa6e133c302782a31096ebd2

SHA256
4534acf4a4666b98acc5beba74e88ee639e315bb2590f6cd5d8fd3de1c51177f

SHA512
487b0479524552019585094a00b3eb6884bb76e6ca2a6c31bbf56e109b0ef9a2631dd2c8b866585823834da12d8df077b6c372ebc90f66382dd74c9d3d281a4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a94b81904e1a8d9c7609d9fff40b14c

SHA1
276c00fe4f625cea2d82903750fc6a8b7bc5a2a4

SHA256
c84cb8da1ed7159db9a97835a5844ff3373e38c13daef5b65d612d58577df674

SHA512
2de166bd644996f630cad59c00ceee8d41c8e5b5940d06383d9c33759a3afff01fdb6fbc945e975fe1c66b1afa93e91b5d6fc46771b5af73c769163097f1e313

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2657.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ELd0wzhjGt.bat

Filesize
223B

MD5
e6f450b1fa3a4ac584246eac3be1784d

SHA1
0e6071985795f1c34ecd39250b40aaed8a185fe1

SHA256
ca4d0202590af6538e4ec82d4fb276de12e4ca013b20b5ca2a73cf158b9fd18c

SHA512
042073b82067568369569e27f7cc1bb4324678384ff1489f37d8b2fcd5eee2c7b7f0796157483558b60d93c63c6521c8be870940697d85c9fe7c2d27fbe514f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\L8pPJcA7Kt.bat

Filesize
223B

MD5
63320a986aa687be038cc6ab94ada223

SHA1
e53cb6a678b2a4c1c6ece8169176a1fc0970e6a5

SHA256
9667be889e2301db421a6fc502794c98054eec932eee9f48d824e5cf721ba668

SHA512
2fe1ad6789f237467e56933db50f90d62058156c23165a9c2ba2de76aa86817020e23fc736d6ef7c8dd360bc5f7935732ed79ef4bc2e79d9f4c3b117c4f1a52e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat

Filesize
223B

MD5
fdb15bf56d69eceec4b82b0923bbf52a

SHA1
2e35dbe75b2e7fdf4ec987e5a920c0e543d7a006

SHA256
43a9b90ad32cbd713b7ba55f2e32e0cd93ee928ee6d82c3ab70080cea43d4c1e

SHA512
9a42bb01d0f888f78553978851582ae8a0c4c620ef7213476c11d9dd18402db4f4514f585045407e1e2bf539158326e405ddb9345c62028f9a2704cbe60efc78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar266A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat

Filesize
223B

MD5
9f7fd23b4c8da5ec92e24b532e2a3c37

SHA1
3d14c6eb3191d34be3094c863f58d873459f3244

SHA256
43e90712b480be5850761f7b56cbea33c9841bc3d017ee5c1a8619c81b3e1ea0

SHA512
4d25a7c75491ffcf5bdf8f8fe65a92c6f9c4ccf0d51719de12ca1b83c5ef8dc45d6c92d44101c2385967299ea80ca5736d68c72c7b8f5f1387a7ec8a80dfd03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VF9LbKHiRa.bat

Filesize
223B

MD5
d8a4ecbc16531c2cb21f1d3732a522e7

SHA1
25c2cffadfdc9577513cdfd6f94e4898d9592b0f

SHA256
402f9ca409c98443550a52be0e3aec08a4dea43bbc30a44f5a482daa5c374245

SHA512
640e321f063fe76355c9ebf5b7e9e0ffb3b0bf5a61e3933503644c4ace022585a4fa96fda2df3cd5e8be16412f84f05220976d6e5870baefba256351fb6902ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\X8VSEkwS9E.bat

Filesize
223B

MD5
359585a0ca26786a19925b5330aab0a9

SHA1
7f10f39f23fe9026b84a072494e37fde19eec9b8

SHA256
f631aa3179ad7b4999e506c1a56bee1ab4077bfb059513228469fa2e95989d8b

SHA512
587a22448397fb4f835defe576944a3e37ed8f22c67e2c5d0788ec74dc4d4047338be6636155dd9efaeafe026cc69794a117904881fc405bf24a82b2c2cec081

Download Submit
C:\Users\Admin\AppData\Local\Temp\hc9iMPvVJ4.bat

Filesize
223B

MD5
8f49897f455c6c5c3a38bef41e3c2303

SHA1
46511ac4c4e243939b8bdf702e0e2a869c3961eb

SHA256
3b94f1b9f7a5f5b4e4a02d341f510bbd299bb1f995e62e5f995a34b5def6c44c

SHA512
9f278f42a05015ffea4ccf77ac675096aae4324c0097299780af63e77aa1b83a1bbce47b2e07393599b2dce9408682dbea00d3455badab748a09280b816db869

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWs9jrlB8v.bat

Filesize
223B

MD5
53ba4c28ab6c717f75044a160e3179b2

SHA1
15cdad1d8cc2362f226ea01a65992a69fb3f9d7b

SHA256
f8fdd1d4b5683a65021afe9a63e5dc0de0d28e0dfcc39aa0565d52309e267a52

SHA512
c497f51ad718522de751998a6325d394b482539a073526f03b955bf83be087ac2b7d0f4b1a23ceab2417bfdf446bce0ad5f47ad99d9a3694729a2ce7865c55fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\veDg5wW3gS.bat

Filesize
223B

MD5
778e8e90e5e12c45a708e43ce1d90779

SHA1
2155e9c6a37d4b75dfbad2cc34d96f8bc643683d

SHA256
08f4695f4cb91371fbd12ce7e0ca7bb8d15906a430db6f32d6219df3324e4600

SHA512
101e37d93a32a2d09fccc0b1ba7bee0c0f78e865ba2b9b915cd7201281c1797fa6e79d71c9c042ad30824965c42b2a983e7e63bb79368b6a827bb65148aa676d

Download Submit
C:\Users\Admin\AppData\Local\Temp\z7AIE64VZ5.bat

Filesize
223B

MD5
71a619184a88b2c2fd8fddf76af662fb

SHA1
c434c835ac0324120ca0085f79ce5770872d1b77

SHA256
fac284a350471e8f75241a7a5022675caa4b8af65b35775f5c33d5f10e34cd51

SHA512
7c3e19973d57d2998639ae5c136caa050bec6051a39f2cae3706e6fe2985ca3aea3b70a36ed2c5efb7e8af1cf57bf495455f5496c3ab03017bcf146c5d0befbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XT4V47L00E8RQ6IJVIGU.temp

Filesize
7KB

MD5
c090389c611269ee00767809264a8ab4

SHA1
7c1452eb69cfb6cd3be4839b826bbf911b92ae98

SHA256
635e066ce35b3fcd689860362d321b7344ac64ddf79f7a56f59fcafbe046c4b3

SHA512
9ab83c4026954e0428b62570ab7986419740e67f9d5f80e0613f76fbdf4b23f825259b7a97e1fe4263f36cd3e73e01eab8fa4c3b0be33234032d88e8f72b4e56

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1864-70-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/1864-65-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2076-408-0x00000000011D0000-0x00000000012E0000-memory.dmp

Filesize
1.1MB

Download
memory/2076-409-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2252-469-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2332-647-0x0000000000410000-0x0000000000422000-memory.dmp

Filesize
72KB

Download
memory/2656-17-0x0000000002110000-0x000000000211C000-memory.dmp

Filesize
48KB

Download
memory/2656-16-0x0000000000A90000-0x0000000000A9C000-memory.dmp

Filesize
48KB

Download
memory/2656-15-0x0000000000A80000-0x0000000000A8C000-memory.dmp

Filesize
48KB

Download
memory/2656-14-0x0000000000A70000-0x0000000000A82000-memory.dmp

Filesize
72KB

Download
memory/2656-13-0x0000000000AA0000-0x0000000000BB0000-memory.dmp

Filesize
1.1MB

Download
memory/2748-82-0x00000000013D0000-0x00000000014E0000-memory.dmp

Filesize
1.1MB

Download
memory/3036-348-0x0000000000180000-0x0000000000290000-memory.dmp

Filesize
1.1MB

Download