dcrat | a42f583519df6a3d05674dd82ca71d91bb78a164486c8fbf9ea51006f5b1a2d1

Analysis

max time kernel
148s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a42f583519df6a3d05674dd82ca71d91bb78a164486c8fbf9ea51006f5b1a2d1.exe
Size

1.3MB
MD5

e9c3d47b3589f72833f88c47f040637e
SHA1

76ebdf1483098d197c30ba067c92ce116fba49b8
SHA256

a42f583519df6a3d05674dd82ca71d91bb78a164486c8fbf9ea51006f5b1a2d1
SHA512

345471b8a777516b251ac073ec509e95a90664332c3db55804fe7c633f230a3338af1733daa2ae1a3567ddaaeaed77ecc38702fb943b29ebef8aada71530a4ff
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2872	schtasks.exe	35

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d58-9.dat	dcrat
behavioral1/memory/2748-13-0x0000000000A90000-0x0000000000BA0000-memory.dmp	dcrat
behavioral1/memory/2428-50-0x0000000000A20000-0x0000000000B30000-memory.dmp	dcrat
behavioral1/memory/2964-178-0x0000000000F20000-0x0000000001030000-memory.dmp	dcrat
behavioral1/memory/2988-299-0x0000000000F90000-0x00000000010A0000-memory.dmp	dcrat
behavioral1/memory/1068-359-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat
behavioral1/memory/2084-420-0x0000000000820000-0x0000000000930000-memory.dmp	dcrat
behavioral1/memory/2540-480-0x0000000001070000-0x0000000001180000-memory.dmp	dcrat
behavioral1/memory/480-600-0x00000000012F0000-0x0000000001400000-memory.dmp	dcrat
behavioral1/memory/2028-660-0x0000000000180000-0x0000000000290000-memory.dmp	dcrat
behavioral1/memory/1868-721-0x0000000000DF0000-0x0000000000F00000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2372	powershell.exe
1888	powershell.exe
2412	powershell.exe
2572	powershell.exe
952	powershell.exe
3000	powershell.exe
2364	powershell.exe
2132	powershell.exe
1180	powershell.exe
1952	powershell.exe
2088	powershell.exe
2576	powershell.exe
2068	powershell.exe
1524	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2748	DllCommonsvc.exe
2428	conhost.exe
2964	conhost.exe
1632	conhost.exe
2988	conhost.exe
1068	conhost.exe
2084	conhost.exe
2540	conhost.exe
1536	conhost.exe
480	conhost.exe
2028	conhost.exe
1868	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2368	cmd.exe
2368	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\winlogon.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\explorer.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a42f583519df6a3d05674dd82ca71d91bb78a164486c8fbf9ea51006f5b1a2d1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3048	schtasks.exe
1320	schtasks.exe
756	schtasks.exe
1732	schtasks.exe
2212	schtasks.exe
1908	schtasks.exe
1760	schtasks.exe
2916	schtasks.exe
2268	schtasks.exe
2020	schtasks.exe
2616	schtasks.exe
1064	schtasks.exe
1396	schtasks.exe
3032	schtasks.exe
1632	schtasks.exe
1728	schtasks.exe
2692	schtasks.exe
2668	schtasks.exe
740	schtasks.exe
2964	schtasks.exe
1720	schtasks.exe
3036	schtasks.exe
1240	schtasks.exe
836	schtasks.exe
1832	schtasks.exe
616	schtasks.exe
2920	schtasks.exe
2448	schtasks.exe
1700	schtasks.exe
2740	schtasks.exe
1860	schtasks.exe
1856	schtasks.exe
1764	schtasks.exe
2456	schtasks.exe
656	schtasks.exe
1656	schtasks.exe
1272	schtasks.exe
2468	schtasks.exe
2296	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2748	DllCommonsvc.exe
2748	DllCommonsvc.exe
2748	DllCommonsvc.exe
2748	DllCommonsvc.exe
2748	DllCommonsvc.exe
2748	DllCommonsvc.exe
2748	DllCommonsvc.exe
1524	powershell.exe
2572	powershell.exe
2576	powershell.exe
2068	powershell.exe
1180	powershell.exe
3000	powershell.exe
952	powershell.exe
2132	powershell.exe
2412	powershell.exe
1952	powershell.exe
1888	powershell.exe
2428	conhost.exe
2364	powershell.exe
2372	powershell.exe
2088	powershell.exe
2964	conhost.exe
1632	conhost.exe
2988	conhost.exe
1068	conhost.exe
2084	conhost.exe
2540	conhost.exe
1536	conhost.exe
480	conhost.exe
2028	conhost.exe
1868	conhost.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	DllCommonsvc.exe
Token: SeDebugPrivilege	2428	conhost.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	2964	conhost.exe
Token: SeDebugPrivilege	1632	conhost.exe
Token: SeDebugPrivilege	2988	conhost.exe
Token: SeDebugPrivilege	1068	conhost.exe
Token: SeDebugPrivilege	2084	conhost.exe
Token: SeDebugPrivilege	2540	conhost.exe
Token: SeDebugPrivilege	1536	conhost.exe
Token: SeDebugPrivilege	480	conhost.exe
Token: SeDebugPrivilege	2028	conhost.exe
Token: SeDebugPrivilege	1868	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 1884	2936	JaffaCakes118_a42f583519df6a3d05674dd82ca71d91bb78a164486c8fbf9ea51006f5b1a2d1.exe	30
PID 2936 wrote to memory of 1884	2936	JaffaCakes118_a42f583519df6a3d05674dd82ca71d91bb78a164486c8fbf9ea51006f5b1a2d1.exe	30
PID 2936 wrote to memory of 1884	2936	JaffaCakes118_a42f583519df6a3d05674dd82ca71d91bb78a164486c8fbf9ea51006f5b1a2d1.exe	30
PID 2936 wrote to memory of 1884	2936	JaffaCakes118_a42f583519df6a3d05674dd82ca71d91bb78a164486c8fbf9ea51006f5b1a2d1.exe	30
PID 1884 wrote to memory of 2368	1884	WScript.exe	32
PID 1884 wrote to memory of 2368	1884	WScript.exe	32
PID 1884 wrote to memory of 2368	1884	WScript.exe	32
PID 1884 wrote to memory of 2368	1884	WScript.exe	32
PID 2368 wrote to memory of 2748	2368	cmd.exe	34
PID 2368 wrote to memory of 2748	2368	cmd.exe	34
PID 2368 wrote to memory of 2748	2368	cmd.exe	34
PID 2368 wrote to memory of 2748	2368	cmd.exe	34
PID 2748 wrote to memory of 2572	2748	DllCommonsvc.exe	75
PID 2748 wrote to memory of 2572	2748	DllCommonsvc.exe	75
PID 2748 wrote to memory of 2572	2748	DllCommonsvc.exe	75
PID 2748 wrote to memory of 2068	2748	DllCommonsvc.exe	76
PID 2748 wrote to memory of 2068	2748	DllCommonsvc.exe	76
PID 2748 wrote to memory of 2068	2748	DllCommonsvc.exe	76
PID 2748 wrote to memory of 952	2748	DllCommonsvc.exe	77
PID 2748 wrote to memory of 952	2748	DllCommonsvc.exe	77
PID 2748 wrote to memory of 952	2748	DllCommonsvc.exe	77
PID 2748 wrote to memory of 1524	2748	DllCommonsvc.exe	78
PID 2748 wrote to memory of 1524	2748	DllCommonsvc.exe	78
PID 2748 wrote to memory of 1524	2748	DllCommonsvc.exe	78
PID 2748 wrote to memory of 2364	2748	DllCommonsvc.exe	79
PID 2748 wrote to memory of 2364	2748	DllCommonsvc.exe	79
PID 2748 wrote to memory of 2364	2748	DllCommonsvc.exe	79
PID 2748 wrote to memory of 2576	2748	DllCommonsvc.exe	80
PID 2748 wrote to memory of 2576	2748	DllCommonsvc.exe	80
PID 2748 wrote to memory of 2576	2748	DllCommonsvc.exe	80
PID 2748 wrote to memory of 2372	2748	DllCommonsvc.exe	81
PID 2748 wrote to memory of 2372	2748	DllCommonsvc.exe	81
PID 2748 wrote to memory of 2372	2748	DllCommonsvc.exe	81
PID 2748 wrote to memory of 2132	2748	DllCommonsvc.exe	83
PID 2748 wrote to memory of 2132	2748	DllCommonsvc.exe	83
PID 2748 wrote to memory of 2132	2748	DllCommonsvc.exe	83
PID 2748 wrote to memory of 1888	2748	DllCommonsvc.exe	84
PID 2748 wrote to memory of 1888	2748	DllCommonsvc.exe	84
PID 2748 wrote to memory of 1888	2748	DllCommonsvc.exe	84
PID 2748 wrote to memory of 3000	2748	DllCommonsvc.exe	85
PID 2748 wrote to memory of 3000	2748	DllCommonsvc.exe	85
PID 2748 wrote to memory of 3000	2748	DllCommonsvc.exe	85
PID 2748 wrote to memory of 1180	2748	DllCommonsvc.exe	86
PID 2748 wrote to memory of 1180	2748	DllCommonsvc.exe	86
PID 2748 wrote to memory of 1180	2748	DllCommonsvc.exe	86
PID 2748 wrote to memory of 1952	2748	DllCommonsvc.exe	87
PID 2748 wrote to memory of 1952	2748	DllCommonsvc.exe	87
PID 2748 wrote to memory of 1952	2748	DllCommonsvc.exe	87
PID 2748 wrote to memory of 2088	2748	DllCommonsvc.exe	89
PID 2748 wrote to memory of 2088	2748	DllCommonsvc.exe	89
PID 2748 wrote to memory of 2088	2748	DllCommonsvc.exe	89
PID 2748 wrote to memory of 2412	2748	DllCommonsvc.exe	90
PID 2748 wrote to memory of 2412	2748	DllCommonsvc.exe	90
PID 2748 wrote to memory of 2412	2748	DllCommonsvc.exe	90
PID 2748 wrote to memory of 2428	2748	DllCommonsvc.exe	95
PID 2748 wrote to memory of 2428	2748	DllCommonsvc.exe	95
PID 2748 wrote to memory of 2428	2748	DllCommonsvc.exe	95
PID 2428 wrote to memory of 1016	2428	conhost.exe	104
PID 2428 wrote to memory of 1016	2428	conhost.exe	104
PID 2428 wrote to memory of 1016	2428	conhost.exe	104
PID 1016 wrote to memory of 1872	1016	cmd.exe	106
PID 1016 wrote to memory of 1872	1016	cmd.exe	106
PID 1016 wrote to memory of 1872	1016	cmd.exe	106
PID 1016 wrote to memory of 2964	1016	cmd.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a42f583519df6a3d05674dd82ca71d91bb78a164486c8fbf9ea51006f5b1a2d1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a42f583519df6a3d05674dd82ca71d91bb78a164486c8fbf9ea51006f5b1a2d1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\es-ES\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\lib\images\cursors\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
    - - C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I4yJNRBzAA.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1872
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nfin2KLgOh.bat"
        8⤵
        
        PID:616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2820
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat"
        10⤵
        
        PID:1696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1732
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat"
        12⤵
        
        PID:828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1048
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Lxx1rvPQX.bat"
        14⤵
        
        PID:2244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2592
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GUMorhJGzB.bat"
        16⤵
        
        PID:2300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:888
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\or7X1gMNi7.bat"
        18⤵
        
        PID:2656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1048
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat"
        20⤵
        
        PID:1792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2772
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat"
        22⤵
        
        PID:1888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2268
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat"
        24⤵
        
        PID:2836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2016
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Public\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre7\lib\images\cursors\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lib\images\cursors\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre7\lib\images\cursors\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc116c7d333281a22a0a110c3517a51c

SHA1
e01adcfd13292f9d8b458dc2be506fd4cda5c77b

SHA256
f5a7138710585ef411a44b7d6ae3010cfb6842d57dad3f2827bc72cfea5eafac

SHA512
c5341f60b722bdb2b5247233ee8f97a4aea6db22ef8ff60623b30fdd4c2af6e40c91fcb437c7d573406255c35c28a98deb961313ee52713eff918395c7a73c65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87a47a5b62b1655d1098bbbc8f76714b

SHA1
f0d7b1d4e7e1e3dc3c9a4e3523aaed0bb9c37fd9

SHA256
00973fb9a0474cd9320d29a2f3df156c9c429f8f30937a3ba3640a22a043ea81

SHA512
7a225d54b49c72b5917a5dc63423a254bb736562d2b964db7970d763b3a94f78e4fd7fd9d6c86f0515b92da2cb20c8e822afc1ca27c8ab47646389f57927aa56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19e6689e853629de930e7befc928a4fd

SHA1
9bee55341efeb6686bd09cdbb1dc011d64ed9b11

SHA256
eca19d4af3d3518517e2258365acd74c6975e0f4053785705f8a598a6ff2db25

SHA512
89bda0ffba8408067c2c2c302ea8da253b172ce6339f6504ca62cf4565f35e525e188683a355c344e5efe820e9cde6c7504e997e7d56066978b84718a89d9239

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd806c4a702566d082f3160f9e232880

SHA1
2b9b3a7a8b4b5957604e24a61677b1079e848926

SHA256
eb1602246769295825a3a72479f923468e31dcd384742ae22a22e24c19cfedfe

SHA512
f8e071d0fca978095008e176a7d56fbcb3ca787315cb949d616f36eebf2c55c19ddf4bd5096e07bec58287f9ef14c66b5e8dc402b8facdfe5015e008d3334c26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28ceceed05548bac4c4665b0b5113923

SHA1
ccf7b62763c199bf3860eb284eff65c44aa52656

SHA256
ddf5860bab7172dc3985247c7f919f06874be6f88e451d445a31eca0ea093d33

SHA512
63d26cb412575a4be6acc38d3b9a04781f5bebe63d985c800620dab9b2972e4f80dd89b7733ce0b9c16336a714b7c7c4b675d0cabfbe088c79073b012fc9a5e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cbcf38daa069808059e43c2295854ea

SHA1
6ba16cbd15378993a92041d9e48a6a2254450e52

SHA256
24c15a19b6bc7c7bfef7ba2be8ac1d437115a5c03ca81d6d40ac8c66ad411b7b

SHA512
c79870d7613de40b8ee01f64e2065f12029ec74f27c71945f4d7e3e513a69fae95337d622c23f56715738a39e6f9653419f7c9edf1dd96687f59d0baa5752544

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b71d7d63b49728bf06a545c20e5f66f

SHA1
e3d4b4fb1fc69eec16c6c2a27d16101c246ceb48

SHA256
986028aee194d7af98ae52960388ba7017f8d56fb9ee239226deeef6a8902969

SHA512
1e6f0c0b7585740ca9ede5940fbd3515b9831eb0a53da2a882d99f7b040ef3d09b30225259aa1094755c61273b9aa01c719f4844d836fe99ebba905cb1fade93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46f92327621fda487fb64f4661562a15

SHA1
dd3d6a6f2e7d189087758bfe1945ac06fc2d080b

SHA256
8c89a8dd3f9053cb4b4b90ffeaf83ff91a648d6b985def7fab9e9eba132b04b0

SHA512
afddcb76c9ff81cba725927db07bd5ec1ba29f55156ab002eaab83df5df8e5484a2ee3455ed7b9389f5ef8e30791161b1e49f33c64e38886893968bf0342fc99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43e67d0d954f1de3c70a6418b8c94682

SHA1
97cf5b086c69e1ff90d302f3a226de337782c67d

SHA256
10e0f5f4e41a6c103b3181af36ea9e5b60161156967935fabd6ca0ee2f18899a

SHA512
717875017bc8d7df520120842f73fe2977615e8fa8120fc8c565e1864c7eb818ecac7845a461029185ce399b76189fb93c70e38155d36382a55ad69409dcf6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Lxx1rvPQX.bat

Filesize
194B

MD5
c7443eba0823b93392a3f0238ab13cb9

SHA1
19e5e5fd9cec1a95f24a13afdec3a53dddf4294c

SHA256
dc861d0c9bb9e2747a2e8de384424ff2a30985117508d88e396d0405f07c9367

SHA512
51a98fcb596f801d050fde5e66e90223f0e87a03ce1a60d9e30e746b291ec1dede27111d2a9f64fd2822930ef60216c8005de12a3cf5c74a7112241049f4849a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat

Filesize
194B

MD5
5fa50fb5996d93b824352c439831d6f8

SHA1
adedfedc961925628f00a3da69313a537d624523

SHA256
c25f5cba53772dbc47000a11d2e3028d6f0c21339c4b8a68a8bc9cd4f459db81

SHA512
fda29966f7a8fc0bb5e6aa16412ce648366e522cc10f3c16bbbc34d9091b091201c5165efa41b42a16d35b20bb0c7591271ade1daa501161ef470d7379d18cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab927.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMorhJGzB.bat

Filesize
194B

MD5
0d9a7a6aa69e3e813fcd245771a233ee

SHA1
60b93f2b4a71908a522fb83eff676b1d7dca2099

SHA256
7e0680e7d6f18f789f8d08ddc672fa236be9e1d4c90091928db2fe88c10124ff

SHA512
83829c3bc28724cf7aab9e2846ad49a3995a851c61eba1b8224bd5d590ae8d7ac5f735235174de080f02bc24bfc9a8e4b4e6260d8134c999e8094722a156bcdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\I4yJNRBzAA.bat

Filesize
194B

MD5
44d6b3d4c3f67e9cdda0cd1e8a494fc5

SHA1
8eb0d03d54714ae30fe89309c63d4c93a66a8576

SHA256
19ca5d2ceedeb653363d34a581fc7e274d6e6f5aed896d6218e039516dee88ff

SHA512
22fbda32ddbddb5e12fbaf6013e8cd9674ecc4ba124ac009b600e49ee74ca148c2649fa5422b799f953b31966041aa3f3bb95895cc132f7240fa739148823e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat

Filesize
194B

MD5
8ef4d8d961cdd6816d98cf54fd024690

SHA1
0987ce7cad5ffceff8b88b4b6b88e24ed5dbd341

SHA256
66d12f06b085d0b6179b0e9eb8669acde78718aee93811e7618503b77efff4a2

SHA512
76d2dc9555f56e58e0c80c9e9df550ab8aa295f7335626d4efd6c2693397bf1412e5848b766f89a0d7fe83ba7bcb22d7212d556f41dfdd58c6f51e007e8b5223

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar949.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat

Filesize
194B

MD5
3f0e019732cb164c9285ab52b3731867

SHA1
a9235850376096d8693a3a830c344d141200198d

SHA256
dd366d4bd3843c50d3e09c6c943de47ad1b80c048039838d01e40c96c72e1120

SHA512
64ef2232f04b891360597b8c1f1df71f7d27ac311c56435ae02cd121df1f958547d8690b93bc51a2964a4d1e743edc9d8333ca9bc00de9fa1f8270430f996833

Download Submit
C:\Users\Admin\AppData\Local\Temp\nfin2KLgOh.bat

Filesize
194B

MD5
c796a66c56752baccaf15e51d5f9b44f

SHA1
14d4aa6b84bee4b6b5192a4278e0a351a80ad25a

SHA256
bd355532b1d10dbb0f911e215c01e4acc83311cd7445b888f63d83412242b3af

SHA512
8871d76c8c8ed979c6c2ecdf777bac397875b260facb58314eaf8ea08f54380850cc566911887e2e3a3ac7024f24b095d9b59f9d93c8d57b78ab03a911da9b3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat

Filesize
194B

MD5
9f476e93668fb64a2d3413b87ba2d168

SHA1
fdd3f4aa87c00fdab910abbeb652c204b87c6acb

SHA256
8e5584e4f0b1c99239192aad8c870b1d09705ef87c5b8a3603ccf255a2e3ea90

SHA512
e1ed53d7d4e430a6a93409900fb4aa21ff22478394dec403f89ce81cbae60e1040aaa5d11b82d649f211b6c5c54fdaf3069d87e5333ca79f97f6b620a224c03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\or7X1gMNi7.bat

Filesize
194B

MD5
ce8c8aeba1c8bb7e335093c8a3c84b46

SHA1
dd81ed7c23c8ad79652b04362dc6a21b13375298

SHA256
bb000ff922cb8b78c1ac02f964638d0564b271511be11b04dcc854c2120a7428

SHA512
b8e6c579a2ac42d228173409ebc6922502350fd343efac5c55a298fb822e8274ca311d72e42aeba95e17e91b7d5b2df1139a76f38bb7dd765201c9da8b97a35c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat

Filesize
194B

MD5
bb0dc7eb3dbafe0828b38d5e48385698

SHA1
a50f771627ddd2e1ca1ac1fb44036318a411e494

SHA256
b6261712195fec942a89e856db6205eec8c515fb304b33f6d2fb1cde451b00a9

SHA512
213cef0f1f54ac477cbf1d83e3877823c4350e1a02f02fe17419614df9f6847e87a4a26c6230b8d9b698c2665dd9b47d33a4785590dd7c44c6ab98311035e908

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d110b29e60e65f2b4623994ba2d6a280

SHA1
7e604cb75af9b9b52ee505676c8f2a5f4fdf4641

SHA256
37af2ac61c86ca2d82c936380724dc787ddb46b2218931a54e66565bb17530b1

SHA512
ac5ae96c28dc8a8b8c193fb0458e06b7f1db1498934c55d4ebb3304f73568803c22f4eb216d1a18a57ff339d1c7b295d9d6b5e9303c37b56360c5bbb6caaec1a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/480-600-0x00000000012F0000-0x0000000001400000-memory.dmp

Filesize
1.1MB

Download
memory/1068-360-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1068-359-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download
memory/1524-58-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/1524-57-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/1632-239-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/1868-722-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1868-721-0x0000000000DF0000-0x0000000000F00000-memory.dmp

Filesize
1.1MB

Download
memory/2028-660-0x0000000000180000-0x0000000000290000-memory.dmp

Filesize
1.1MB

Download
memory/2028-661-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/2084-420-0x0000000000820000-0x0000000000930000-memory.dmp

Filesize
1.1MB

Download
memory/2428-50-0x0000000000A20000-0x0000000000B30000-memory.dmp

Filesize
1.1MB

Download
memory/2428-56-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/2540-481-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2540-480-0x0000000001070000-0x0000000001180000-memory.dmp

Filesize
1.1MB

Download
memory/2748-17-0x0000000000A20000-0x0000000000A2C000-memory.dmp

Filesize
48KB

Download
memory/2748-13-0x0000000000A90000-0x0000000000BA0000-memory.dmp

Filesize
1.1MB

Download
memory/2748-14-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/2748-15-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2748-16-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2964-178-0x0000000000F20000-0x0000000001030000-memory.dmp

Filesize
1.1MB

Download
memory/2964-179-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2988-299-0x0000000000F90000-0x00000000010A0000-memory.dmp

Filesize
1.1MB

Download