dcrat | dc8166a8baec796340ca73be826427608b6abe5faee9175636c549e676ce4ca5

Analysis

max time kernel
148s
max time network
144s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_dc8166a8baec796340ca73be826427608b6abe5faee9175636c549e676ce4ca5.exe
Size

1.3MB
MD5

1985aec9f1b8c644a3a21802d647744c
SHA1

d9527b9dc39857b09fa2082f376885e0df7f8233
SHA256

dc8166a8baec796340ca73be826427608b6abe5faee9175636c549e676ce4ca5
SHA512

9ccf97cb00948b5d3373c9fdbb311391409930697cf7ee0a44cbaa33ca92186aa435189121e0d3c73ace0950c23f0bfa96ed391265822875059c4d363411f958
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	268	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	268	schtasks.exe	34

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001628b-9.dat	dcrat
behavioral1/memory/2852-13-0x0000000000E40000-0x0000000000F50000-memory.dmp	dcrat
behavioral1/memory/2732-119-0x00000000013A0000-0x00000000014B0000-memory.dmp	dcrat
behavioral1/memory/2840-178-0x00000000002D0000-0x00000000003E0000-memory.dmp	dcrat
behavioral1/memory/572-239-0x0000000000D20000-0x0000000000E30000-memory.dmp	dcrat
behavioral1/memory/2256-299-0x00000000000C0000-0x00000000001D0000-memory.dmp	dcrat
behavioral1/memory/1752-359-0x0000000000FE0000-0x00000000010F0000-memory.dmp	dcrat
behavioral1/memory/2916-419-0x0000000000040000-0x0000000000150000-memory.dmp	dcrat
behavioral1/memory/2136-479-0x0000000000D00000-0x0000000000E10000-memory.dmp	dcrat
behavioral1/memory/1576-539-0x0000000000ED0000-0x0000000000FE0000-memory.dmp	dcrat
behavioral1/memory/1564-600-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat
behavioral1/memory/1524-660-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2396	powershell.exe
2608	powershell.exe
2412	powershell.exe
2600	powershell.exe
1680	powershell.exe
1872	powershell.exe
932	powershell.exe
1852	powershell.exe
2332	powershell.exe
568	powershell.exe
964	powershell.exe
972	powershell.exe
1984	powershell.exe
1232	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2852	DllCommonsvc.exe
2732	Idle.exe
2840	Idle.exe
572	Idle.exe
2256	Idle.exe
1752	Idle.exe
2916	Idle.exe
2136	Idle.exe
1576	Idle.exe
1564	Idle.exe
1524	Idle.exe
1652	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2840	cmd.exe
2840	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
16	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
37	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
34	raw.githubusercontent.com

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\es-ES\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\es-ES\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\27d1bcfc3c54e0	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Portable Devices\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\System.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\Idle.exe	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Prefetch\ReadyBoot\smss.exe	DllCommonsvc.exe
File created	C:\Windows\Prefetch\ReadyBoot\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Windows\CSC\v2.0.6\dwm.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_dc8166a8baec796340ca73be826427608b6abe5faee9175636c549e676ce4ca5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1896	schtasks.exe
2844	schtasks.exe
600	schtasks.exe
1100	schtasks.exe
2424	schtasks.exe
1576	schtasks.exe
1012	schtasks.exe
2748	schtasks.exe
2720	schtasks.exe
2400	schtasks.exe
716	schtasks.exe
1580	schtasks.exe
2336	schtasks.exe
2876	schtasks.exe
2116	schtasks.exe
1192	schtasks.exe
2404	schtasks.exe
3032	schtasks.exe
2232	schtasks.exe
408	schtasks.exe
1720	schtasks.exe
484	schtasks.exe
1648	schtasks.exe
2468	schtasks.exe
2884	schtasks.exe
3048	schtasks.exe
2540	schtasks.exe
288	schtasks.exe
1892	schtasks.exe
2364	schtasks.exe
3036	schtasks.exe
1420	schtasks.exe
2068	schtasks.exe
1924	schtasks.exe
1480	schtasks.exe
2524	schtasks.exe
1724	schtasks.exe
900	schtasks.exe
1700	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2852	DllCommonsvc.exe
2600	powershell.exe
972	powershell.exe
1852	powershell.exe
2396	powershell.exe
1680	powershell.exe
1984	powershell.exe
568	powershell.exe
2412	powershell.exe
1232	powershell.exe
2332	powershell.exe
2608	powershell.exe
1872	powershell.exe
964	powershell.exe
932	powershell.exe
2732	Idle.exe
2840	Idle.exe
572	Idle.exe
2256	Idle.exe
1752	Idle.exe
2916	Idle.exe
2136	Idle.exe
1576	Idle.exe
1564	Idle.exe
1524	Idle.exe
1652	Idle.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2852	DllCommonsvc.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	1232	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	964	powershell.exe
Token: SeDebugPrivilege	932	powershell.exe
Token: SeDebugPrivilege	2732	Idle.exe
Token: SeDebugPrivilege	2840	Idle.exe
Token: SeDebugPrivilege	572	Idle.exe
Token: SeDebugPrivilege	2256	Idle.exe
Token: SeDebugPrivilege	1752	Idle.exe
Token: SeDebugPrivilege	2916	Idle.exe
Token: SeDebugPrivilege	2136	Idle.exe
Token: SeDebugPrivilege	1576	Idle.exe
Token: SeDebugPrivilege	1564	Idle.exe
Token: SeDebugPrivilege	1524	Idle.exe
Token: SeDebugPrivilege	1652	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2816	2804	JaffaCakes118_dc8166a8baec796340ca73be826427608b6abe5faee9175636c549e676ce4ca5.exe	30
PID 2804 wrote to memory of 2816	2804	JaffaCakes118_dc8166a8baec796340ca73be826427608b6abe5faee9175636c549e676ce4ca5.exe	30
PID 2804 wrote to memory of 2816	2804	JaffaCakes118_dc8166a8baec796340ca73be826427608b6abe5faee9175636c549e676ce4ca5.exe	30
PID 2804 wrote to memory of 2816	2804	JaffaCakes118_dc8166a8baec796340ca73be826427608b6abe5faee9175636c549e676ce4ca5.exe	30
PID 2816 wrote to memory of 2840	2816	WScript.exe	31
PID 2816 wrote to memory of 2840	2816	WScript.exe	31
PID 2816 wrote to memory of 2840	2816	WScript.exe	31
PID 2816 wrote to memory of 2840	2816	WScript.exe	31
PID 2840 wrote to memory of 2852	2840	cmd.exe	33
PID 2840 wrote to memory of 2852	2840	cmd.exe	33
PID 2840 wrote to memory of 2852	2840	cmd.exe	33
PID 2840 wrote to memory of 2852	2840	cmd.exe	33
PID 2852 wrote to memory of 1680	2852	DllCommonsvc.exe	74
PID 2852 wrote to memory of 1680	2852	DllCommonsvc.exe	74
PID 2852 wrote to memory of 1680	2852	DllCommonsvc.exe	74
PID 2852 wrote to memory of 1984	2852	DllCommonsvc.exe	75
PID 2852 wrote to memory of 1984	2852	DllCommonsvc.exe	75
PID 2852 wrote to memory of 1984	2852	DllCommonsvc.exe	75
PID 2852 wrote to memory of 972	2852	DllCommonsvc.exe	76
PID 2852 wrote to memory of 972	2852	DllCommonsvc.exe	76
PID 2852 wrote to memory of 972	2852	DllCommonsvc.exe	76
PID 2852 wrote to memory of 964	2852	DllCommonsvc.exe	77
PID 2852 wrote to memory of 964	2852	DllCommonsvc.exe	77
PID 2852 wrote to memory of 964	2852	DllCommonsvc.exe	77
PID 2852 wrote to memory of 568	2852	DllCommonsvc.exe	78
PID 2852 wrote to memory of 568	2852	DllCommonsvc.exe	78
PID 2852 wrote to memory of 568	2852	DllCommonsvc.exe	78
PID 2852 wrote to memory of 2332	2852	DllCommonsvc.exe	79
PID 2852 wrote to memory of 2332	2852	DllCommonsvc.exe	79
PID 2852 wrote to memory of 2332	2852	DllCommonsvc.exe	79
PID 2852 wrote to memory of 2396	2852	DllCommonsvc.exe	80
PID 2852 wrote to memory of 2396	2852	DllCommonsvc.exe	80
PID 2852 wrote to memory of 2396	2852	DllCommonsvc.exe	80
PID 2852 wrote to memory of 1852	2852	DllCommonsvc.exe	83
PID 2852 wrote to memory of 1852	2852	DllCommonsvc.exe	83
PID 2852 wrote to memory of 1852	2852	DllCommonsvc.exe	83
PID 2852 wrote to memory of 2600	2852	DllCommonsvc.exe	84
PID 2852 wrote to memory of 2600	2852	DllCommonsvc.exe	84
PID 2852 wrote to memory of 2600	2852	DllCommonsvc.exe	84
PID 2852 wrote to memory of 1232	2852	DllCommonsvc.exe	86
PID 2852 wrote to memory of 1232	2852	DllCommonsvc.exe	86
PID 2852 wrote to memory of 1232	2852	DllCommonsvc.exe	86
PID 2852 wrote to memory of 1872	2852	DllCommonsvc.exe	88
PID 2852 wrote to memory of 1872	2852	DllCommonsvc.exe	88
PID 2852 wrote to memory of 1872	2852	DllCommonsvc.exe	88
PID 2852 wrote to memory of 2608	2852	DllCommonsvc.exe	90
PID 2852 wrote to memory of 2608	2852	DllCommonsvc.exe	90
PID 2852 wrote to memory of 2608	2852	DllCommonsvc.exe	90
PID 2852 wrote to memory of 932	2852	DllCommonsvc.exe	92
PID 2852 wrote to memory of 932	2852	DllCommonsvc.exe	92
PID 2852 wrote to memory of 932	2852	DllCommonsvc.exe	92
PID 2852 wrote to memory of 2412	2852	DllCommonsvc.exe	93
PID 2852 wrote to memory of 2412	2852	DllCommonsvc.exe	93
PID 2852 wrote to memory of 2412	2852	DllCommonsvc.exe	93
PID 2852 wrote to memory of 2864	2852	DllCommonsvc.exe	102
PID 2852 wrote to memory of 2864	2852	DllCommonsvc.exe	102
PID 2852 wrote to memory of 2864	2852	DllCommonsvc.exe	102
PID 2864 wrote to memory of 1420	2864	cmd.exe	104
PID 2864 wrote to memory of 1420	2864	cmd.exe	104
PID 2864 wrote to memory of 1420	2864	cmd.exe	104
PID 2864 wrote to memory of 2732	2864	cmd.exe	105
PID 2864 wrote to memory of 2732	2864	cmd.exe	105
PID 2864 wrote to memory of 2732	2864	cmd.exe	105
PID 2732 wrote to memory of 2472	2732	Idle.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dc8166a8baec796340ca73be826427608b6abe5faee9175636c549e676ce4ca5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dc8166a8baec796340ca73be826427608b6abe5faee9175636c549e676ce4ca5.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\es-ES\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\uninstall\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pwiaXPPe1g.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2864
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1420
      - C:\Program Files\Windows Portable Devices\Idle.exe
        
        "C:\Program Files\Windows Portable Devices\Idle.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat"
        7⤵
        
        PID:2472
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1532
        
        C:\Program Files\Windows Portable Devices\Idle.exe
        
        "C:\Program Files\Windows Portable Devices\Idle.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat"
        9⤵
        
        PID:2272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2560
        
        C:\Program Files\Windows Portable Devices\Idle.exe
        
        "C:\Program Files\Windows Portable Devices\Idle.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OPOGTQits7.bat"
        11⤵
        
        PID:2124
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3064
        
        C:\Program Files\Windows Portable Devices\Idle.exe
        
        "C:\Program Files\Windows Portable Devices\Idle.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat"
        13⤵
        
        PID:2128
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2876
        
        C:\Program Files\Windows Portable Devices\Idle.exe
        
        "C:\Program Files\Windows Portable Devices\Idle.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D2zd9hDRps.bat"
        15⤵
        
        PID:2756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2460
        
        C:\Program Files\Windows Portable Devices\Idle.exe
        
        "C:\Program Files\Windows Portable Devices\Idle.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBcCl1WGSV.bat"
        17⤵
        
        PID:1012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2784
        
        C:\Program Files\Windows Portable Devices\Idle.exe
        
        "C:\Program Files\Windows Portable Devices\Idle.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat"
        19⤵
        
        PID:2296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2424
        
        C:\Program Files\Windows Portable Devices\Idle.exe
        
        "C:\Program Files\Windows Portable Devices\Idle.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat"
        21⤵
        
        PID:1656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1644
        
        C:\Program Files\Windows Portable Devices\Idle.exe
        
        "C:\Program Files\Windows Portable Devices\Idle.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g1eT93LUFj.bat"
        23⤵
        
        PID:968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2980
        
        C:\Program Files\Windows Portable Devices\Idle.exe
        
        "C:\Program Files\Windows Portable Devices\Idle.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ANE2RWndQ4.bat"
        25⤵
        
        PID:2716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1960
        
        C:\Program Files\Windows Portable Devices\Idle.exe
        
        "C:\Program Files\Windows Portable Devices\Idle.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\ReadyBoot\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Templates\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\es-ES\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\es-ES\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\es-ES\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\uninstall\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\uninstall\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3b3f5c399a2d76ea9ba5ab5be4c05ac

SHA1
0e5265d8c988337543ba316d2e837f247e4018b3

SHA256
f394fe951bffed2e621d44de8effe09e0b9e18d7075d0defa138b112ae4f3e70

SHA512
cf0db254c7f3cd041102803564a2de72bfadb600a06698f3aef142ad9fb72d74f7b88494213a88ba631108fdae02784eaf7736b4621224c1d4021013cc94a878

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3c89cd2e2b4c4cfefc7dde03242b3ea

SHA1
0a8c133a94397f33331e0b8787ed1dd996106db7

SHA256
acb7f45eb2628d4fff963f42da24e20fa7b6577d1f507e29e01eb7b23378b5ff

SHA512
94748b1b8f529c3ab4696a24554615b67cfe28c68d9f7a79bfc28d9227edd1da6d493ff02a0fd4995353e95fd257ae1aeab8e3e08b9a42325d4f87b5808ba6bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e7c3c31b512cf5d1a9f42cdbfc33578

SHA1
adf7f6bcc13b5e5f49039cfb2c777eaf056df981

SHA256
4986443897f01130cc828916e74dcbb99e4210630cc5d1e89bb7273411a8c6b1

SHA512
9422a10d0a62c21f654c4f7505f5b3196b990298674151cbb29b8adc1d177090c7e46c4218a34dd53a3d8971df11c78b4ecdd6160d9986edda485fb6933b0cd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
657b106aac83e2fa2458d1b1e2562b27

SHA1
d5053cee9d577f0f397b3b6c56551a80c4ba787e

SHA256
5df0f660d247b1edd8d46662d82bb0a4e2be32c8f2258e212bd32a88d9534a78

SHA512
3ab9613007f76592fcc005459f23c3c192cee1dc4c605627fc1337e4147d72a16d5a806de94b18c561be8216e7a91db373aa2fa9a6b8da088b61528693f19966

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d694cd47b22a1b60d24b607903d92f8c

SHA1
76505e87b660bdc4b16ca4ac5b65c5b4308cfcdb

SHA256
e4ccf0b14a733b7c142562404ca36eb97176f64e2adb1867bdad8131fa864dd0

SHA512
29c389a08839507f77cb07dfd0b8025e175dc9e63aff061346b585aef6dfc75ad2b1bb87836191f2cd01f5bfab144ba0bff9149aa5779e363de9b27ed6936bfe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c511f4d3a86ebd42e412ea2d96a27706

SHA1
ebc0e388a5013a42d7beb307efc55a9e31f1fd99

SHA256
b1e70978cde4917a91700111300fe7607a7b30f5df8434b55fc6ba7880602375

SHA512
88636c0d7e03c0e1f98b40e7b28a31007ab804b040b47d7c0e4a08a057d1c330a959e04e7fd6e0b58da77633c2ad444f8d0a594e4442931be5aca97e98333434

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1928092bca30f0f9e7dbf53cab0327f3

SHA1
1c86b4bffc1502df8f623d5d11abf92ce5da4832

SHA256
d06e2ce811415a2696322ae28b37d3eb4f9a602c6d1cceed1247fdeea8478df4

SHA512
53f2d3e9cd1ba03cf77e69ea15cffc8e317f5cc83a8c112c3b240b532a9bc4da46f2fcff64557dbd84ecdaf523377732435ad1896cccaf1dd894fac27db199d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be51a924ee7f19ba3c47c597d000c7b1

SHA1
85d09923acfebaf9afa3efa5206c247c17db057c

SHA256
778b7bb6885ffa0bf77e10397b761520695c044e68fe47f57ab5661d69596344

SHA512
6b108d893ee3b01fa731bd26deadcaf12ae2ee2fbdd4cab89ec11e637ca0cf42a2934fab2dc793409bd1dab7bd734bec0d2fd86c6cfbb2d8ccfe334d4a9c3f75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97f1296cf196fd4e87c2466d41a013c1

SHA1
7951cf3f473721f2c921cf3691ed62f68bba72a4

SHA256
938893b5910c0e405babc33c1c5fe46fea3c2cc6f9f0d90478b64937ed348315

SHA512
60bdf7bdeef659e470c2ebdc2f2fbad396d179d94af07b1f7e285bda56e3af5f88124a384053ffc8cc6be1a74989e4963b77222992e01f4e72ea5df9c4a4edcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat

Filesize
215B

MD5
9a1b4cb2a7b8ce04ac3dd617c5c741f4

SHA1
b8580b2ec14e841914d45821485fde948e625e63

SHA256
6a5dbd103cd60d238d9319b037378e5e7a618f30d57051387a28026696494517

SHA512
31463d3311c64a56986970beefb08b1250c1b941455508e51d364622c75f75aaf580a26a4ec4a416bafa18ea78d3b296b6c4d1c118cfb8d74464a4a732d2d2ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANE2RWndQ4.bat

Filesize
215B

MD5
0d633a589216f5a2320ea35bb99f8f01

SHA1
3026cfc4286b781c2d410229e40424b27a93f56f

SHA256
356f6402627ddc160f50f542db1d181f92896146b5135b069e16e19b0c01b3a4

SHA512
5166cdcbfedf20df8b783a2856ffb268dd6a71b15aed6f3b9ede7e0a30825dc4da806d1376fb38662a8d61533bba8f828a18242e3137b86c563f3240fb55feb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8C5A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D2zd9hDRps.bat

Filesize
215B

MD5
0f86ffd7c08f621537796932efc337e7

SHA1
d2e70f66b20aa04213912f6301bf60d9ca459b7d

SHA256
3ae25a3ff2e6a53ebc8ff72d405ec28986ba13d8cb80be92c31d0fd3de29e9eb

SHA512
7dac00287aecddd90a33d96619f79e560c4103592a0b52885847a9b2ae2d152f54301f6756a879e99e6777abe049afc67b902bed7a2e1f19f4b32a52cf0b3979

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBcCl1WGSV.bat

Filesize
215B

MD5
3ca9dcee386de0819cd273e080a7b92b

SHA1
6dc3deca5d682486cf1b8a7e31f6e410a275877f

SHA256
883fe11795feb7aa4fb4a3ebe3baead8ddd2613fc76265a115f34f2306e03abe

SHA512
443cb447ef6e01c4e6a39b2607730c9d37fb2de2a42741cf72c21533c7dfbc4d0a016237a7937fd9d8b00653884a50f99e119572b89d94125b8fc5dd70bd8612

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPOGTQits7.bat

Filesize
215B

MD5
97ea8c782bb4e58e6dd777b84a065fc6

SHA1
9d39cef1b2fa2f4b78aa0e0ed84e96a26cf890ee

SHA256
e4619364d52eada96f3c710e982cb419d601a261317ba2b644a989b72ebfa0af

SHA512
227d1c31ba2bcf17f4a68f312c3d437a17db21089dfb3f4bad9dfc0fcbe7b89b02d6945910ca0a4708cfda738598e9860c376f5cb98ddf18d7e64e6eb97b35e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat

Filesize
215B

MD5
3ab02b8e98cb9784980d02c7b043cdd0

SHA1
0b60db3ca836d1b60a3ccfdc3c44806c7c678ef3

SHA256
4d5025ae7b1c5cb0ad5076e2968dec02bf504b4a2dc5652dd10f93a670573117

SHA512
0c1939cad32403bc4b696098f1b0cb9aa810ec46f26a4793b44723375023ad614700384624e3f28795571961daa5ec3a357fe9ea5772fe0fa62a30f831ec261b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8C6C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat

Filesize
215B

MD5
b4e1f025ee41ef0561a32de5b600e91d

SHA1
389a37070ae2c6075dd6deaf72b710efb2b866e3

SHA256
62007272d4877f90f1e64d98a5d1fd2381e54d841116b8216e71763145f85bc5

SHA512
d9177999356e40a1fde6a901557eb316163f86425203a52794b94ad5085f95c9515f18ce4ae82e7039158df4bf5f132238d1f88fa8dff829ab01809b335185de

Download Submit
C:\Users\Admin\AppData\Local\Temp\g1eT93LUFj.bat

Filesize
215B

MD5
1539364a83d2704c90b5b4b4ed5ea48a

SHA1
955699905a3e87bea366173f5f60c2b8e8d146b8

SHA256
a59d546976343743a8edb60dabf9c909d0d6310ad2f0360fb05717d33f7e093e

SHA512
70f9d5612acd690696dd0b1faf8d56e43227aaa02d815001a38ad9139df1de605977b55913ed59e2587264286c6f76608be203d27ca91befb47a305a61c504f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwiaXPPe1g.bat

Filesize
215B

MD5
f959a0f881a142330075bc1e3dee9dab

SHA1
da7487a4f87906e7d24a26207716aab1c25eeb5f

SHA256
104796dcc7397e86cc169524bc44f6853ee0713ffa63f2a8cbabded1fcbb8af4

SHA512
2e40d41eef72e8e4515f4b875b81ef154c8526b5c00f5fc3630323106fe79947e9dadd88bf1c5e3fa7415dbd39a7e3d1171460b65456cbd2a4c86584b9d3caf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat

Filesize
215B

MD5
7ab630d7dbf8f2ca9fb3f8cb18dd3de8

SHA1
5eedc948ac49f061f967fea9a381d73252e33f73

SHA256
839de79f25558c05adc95b228e117f336791298246b0111210b1efe071bb29cf

SHA512
9a74bb02db6fdf454ae99025f9ba15b5f786601a296efcd11dd72782090c447b34824788ea5d244872606367ba122c6c01204731e876bfd7a1f5de7d1c987030

Download Submit
C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat

Filesize
215B

MD5
ef92a02e111c682fb074825fd0a42003

SHA1
a562a5a55192bd1e38f576fd8fb1590e604a11b5

SHA256
5db839141d877efe62027d78fdb81205680c2840b6dd55ea824f20284c3918da

SHA512
455abfea3d32e8dd845559a508ac8ac0966f3912629e65741c0476dd41e042c2c9c97dfa221e381ff237a79af0900ca54614d0bfdf2a722a01b0ace9c7ae59b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
63cc7b3d15f7b2e69456bee8d41c4633

SHA1
2ebefe01e34eababde196c58e5b6b1398cd67a35

SHA256
b7130e515e0e768a1c950b2b72430fd8b6c2dd81632f3f2bff632e4e880b41e4

SHA512
907a84b5840fd49e3d51e15ed5110078182f7cebd4b0bebf14713e62b2c278824a503ab510abf57685f7d1df0686fff997e7a540d0dc90615538d29f67038c97

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/572-239-0x0000000000D20000-0x0000000000E30000-memory.dmp

Filesize
1.1MB

Download
memory/1524-660-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/1564-600-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download
memory/1576-540-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1576-539-0x0000000000ED0000-0x0000000000FE0000-memory.dmp

Filesize
1.1MB

Download
memory/1752-359-0x0000000000FE0000-0x00000000010F0000-memory.dmp

Filesize
1.1MB

Download
memory/2136-479-0x0000000000D00000-0x0000000000E10000-memory.dmp

Filesize
1.1MB

Download
memory/2256-299-0x00000000000C0000-0x00000000001D0000-memory.dmp

Filesize
1.1MB

Download
memory/2600-58-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2600-59-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2732-119-0x00000000013A0000-0x00000000014B0000-memory.dmp

Filesize
1.1MB

Download
memory/2840-179-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2840-178-0x00000000002D0000-0x00000000003E0000-memory.dmp

Filesize
1.1MB

Download
memory/2852-15-0x00000000002C0000-0x00000000002CC000-memory.dmp

Filesize
48KB

Download
memory/2852-14-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/2852-16-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2852-13-0x0000000000E40000-0x0000000000F50000-memory.dmp

Filesize
1.1MB

Download
memory/2852-17-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2916-419-0x0000000000040000-0x0000000000150000-memory.dmp

Filesize
1.1MB

Download