dcrat | 90183dceb6ae22dd40ffaf704f9ad5a7045935b85051bf841e9c63818c93e280

Analysis

max time kernel
147s
max time network
151s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_90183dceb6ae22dd40ffaf704f9ad5a7045935b85051bf841e9c63818c93e280.exe
Size

1.3MB
MD5

fabfa2fbe72a14484981caea1d8e2baa
SHA1

1b6a9f7a539b6aa7a64e8eb76b990b2510c126ca
SHA256

90183dceb6ae22dd40ffaf704f9ad5a7045935b85051bf841e9c63818c93e280
SHA512

5f8abc3720e39656a96e51f3028d1de10ac4fd28df406e1f2470840d2fc80eb5a994bd67bbc725630be8045b0e603286850b71e706ad5be2b1cf9376c95bf111
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	2960	schtasks.exe	35

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016b47-9.dat	dcrat
behavioral1/memory/1748-13-0x0000000001380000-0x0000000001490000-memory.dmp	dcrat
behavioral1/memory/1560-117-0x00000000013C0000-0x00000000014D0000-memory.dmp	dcrat
behavioral1/memory/1708-532-0x0000000000360000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/576-593-0x0000000000CC0000-0x0000000000DD0000-memory.dmp	dcrat
behavioral1/memory/2992-653-0x0000000001310000-0x0000000001420000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1112	powershell.exe
1800	powershell.exe
892	powershell.exe
2912	powershell.exe
1008	powershell.exe
2556	powershell.exe
1492	powershell.exe
1732	powershell.exe
1760	powershell.exe
780	powershell.exe
1308	powershell.exe
2612	powershell.exe
1604	powershell.exe
2504	powershell.exe
1764	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
1748	DllCommonsvc.exe
1560	taskhost.exe
1724	taskhost.exe
2128	taskhost.exe
2012	taskhost.exe
1560	taskhost.exe
1248	taskhost.exe
2864	taskhost.exe
1708	taskhost.exe
576	taskhost.exe
2992	taskhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2392	cmd.exe
2392	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
5	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\0a1fd5f707cd16	DllCommonsvc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Speech\Engines\SR\fr-FR\DllCommonsvc.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_90183dceb6ae22dd40ffaf704f9ad5a7045935b85051bf841e9c63818c93e280.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
572	schtasks.exe
2516	schtasks.exe
564	schtasks.exe
1736	schtasks.exe
556	schtasks.exe
1620	schtasks.exe
1680	schtasks.exe
2124	schtasks.exe
2436	schtasks.exe
2200	schtasks.exe
1628	schtasks.exe
916	schtasks.exe
2984	schtasks.exe
2944	schtasks.exe
1948	schtasks.exe
2104	schtasks.exe
2728	schtasks.exe
1100	schtasks.exe
1988	schtasks.exe
2720	schtasks.exe
2068	schtasks.exe
1248	schtasks.exe
1368	schtasks.exe
3036	schtasks.exe
2724	schtasks.exe
2688	schtasks.exe
3004	schtasks.exe
2272	schtasks.exe
1048	schtasks.exe
2856	schtasks.exe
1648	schtasks.exe
1940	schtasks.exe
2864	schtasks.exe
2204	schtasks.exe
2032	schtasks.exe
1004	schtasks.exe
1696	schtasks.exe
1992	schtasks.exe
2580	schtasks.exe
1452	schtasks.exe
2288	schtasks.exe
380	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1748	DllCommonsvc.exe
1748	DllCommonsvc.exe
1748	DllCommonsvc.exe
1112	powershell.exe
1008	powershell.exe
2556	powershell.exe
1492	powershell.exe
780	powershell.exe
1308	powershell.exe
1764	powershell.exe
2612	powershell.exe
2912	powershell.exe
1800	powershell.exe
1732	powershell.exe
1760	powershell.exe
1604	powershell.exe
892	powershell.exe
1560	taskhost.exe
1724	taskhost.exe
2128	taskhost.exe
2012	taskhost.exe
1560	taskhost.exe
1248	taskhost.exe
2864	taskhost.exe
1708	taskhost.exe
576	taskhost.exe
2992	taskhost.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	1748	DllCommonsvc.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	1560	taskhost.exe
Token: SeDebugPrivilege	1724	taskhost.exe
Token: SeDebugPrivilege	2128	taskhost.exe
Token: SeDebugPrivilege	2012	taskhost.exe
Token: SeDebugPrivilege	1560	taskhost.exe
Token: SeDebugPrivilege	1248	taskhost.exe
Token: SeDebugPrivilege	2864	taskhost.exe
Token: SeDebugPrivilege	1708	taskhost.exe
Token: SeDebugPrivilege	576	taskhost.exe
Token: SeDebugPrivilege	2992	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 1660	2172	JaffaCakes118_90183dceb6ae22dd40ffaf704f9ad5a7045935b85051bf841e9c63818c93e280.exe	30
PID 2172 wrote to memory of 1660	2172	JaffaCakes118_90183dceb6ae22dd40ffaf704f9ad5a7045935b85051bf841e9c63818c93e280.exe	30
PID 2172 wrote to memory of 1660	2172	JaffaCakes118_90183dceb6ae22dd40ffaf704f9ad5a7045935b85051bf841e9c63818c93e280.exe	30
PID 2172 wrote to memory of 1660	2172	JaffaCakes118_90183dceb6ae22dd40ffaf704f9ad5a7045935b85051bf841e9c63818c93e280.exe	30
PID 1660 wrote to memory of 2392	1660	WScript.exe	31
PID 1660 wrote to memory of 2392	1660	WScript.exe	31
PID 1660 wrote to memory of 2392	1660	WScript.exe	31
PID 1660 wrote to memory of 2392	1660	WScript.exe	31
PID 2392 wrote to memory of 1748	2392	cmd.exe	33
PID 2392 wrote to memory of 1748	2392	cmd.exe	33
PID 2392 wrote to memory of 1748	2392	cmd.exe	33
PID 2392 wrote to memory of 1748	2392	cmd.exe	33
PID 1748 wrote to memory of 1112	1748	DllCommonsvc.exe	78
PID 1748 wrote to memory of 1112	1748	DllCommonsvc.exe	78
PID 1748 wrote to memory of 1112	1748	DllCommonsvc.exe	78
PID 1748 wrote to memory of 2556	1748	DllCommonsvc.exe	79
PID 1748 wrote to memory of 2556	1748	DllCommonsvc.exe	79
PID 1748 wrote to memory of 2556	1748	DllCommonsvc.exe	79
PID 1748 wrote to memory of 1008	1748	DllCommonsvc.exe	81
PID 1748 wrote to memory of 1008	1748	DllCommonsvc.exe	81
PID 1748 wrote to memory of 1008	1748	DllCommonsvc.exe	81
PID 1748 wrote to memory of 2612	1748	DllCommonsvc.exe	82
PID 1748 wrote to memory of 2612	1748	DllCommonsvc.exe	82
PID 1748 wrote to memory of 2612	1748	DllCommonsvc.exe	82
PID 1748 wrote to memory of 1492	1748	DllCommonsvc.exe	83
PID 1748 wrote to memory of 1492	1748	DllCommonsvc.exe	83
PID 1748 wrote to memory of 1492	1748	DllCommonsvc.exe	83
PID 1748 wrote to memory of 2912	1748	DllCommonsvc.exe	84
PID 1748 wrote to memory of 2912	1748	DllCommonsvc.exe	84
PID 1748 wrote to memory of 2912	1748	DllCommonsvc.exe	84
PID 1748 wrote to memory of 892	1748	DllCommonsvc.exe	85
PID 1748 wrote to memory of 892	1748	DllCommonsvc.exe	85
PID 1748 wrote to memory of 892	1748	DllCommonsvc.exe	85
PID 1748 wrote to memory of 1308	1748	DllCommonsvc.exe	86
PID 1748 wrote to memory of 1308	1748	DllCommonsvc.exe	86
PID 1748 wrote to memory of 1308	1748	DllCommonsvc.exe	86
PID 1748 wrote to memory of 780	1748	DllCommonsvc.exe	89
PID 1748 wrote to memory of 780	1748	DllCommonsvc.exe	89
PID 1748 wrote to memory of 780	1748	DllCommonsvc.exe	89
PID 1748 wrote to memory of 1764	1748	DllCommonsvc.exe	92
PID 1748 wrote to memory of 1764	1748	DllCommonsvc.exe	92
PID 1748 wrote to memory of 1764	1748	DllCommonsvc.exe	92
PID 1748 wrote to memory of 2504	1748	DllCommonsvc.exe	93
PID 1748 wrote to memory of 2504	1748	DllCommonsvc.exe	93
PID 1748 wrote to memory of 2504	1748	DllCommonsvc.exe	93
PID 1748 wrote to memory of 1604	1748	DllCommonsvc.exe	94
PID 1748 wrote to memory of 1604	1748	DllCommonsvc.exe	94
PID 1748 wrote to memory of 1604	1748	DllCommonsvc.exe	94
PID 1748 wrote to memory of 1732	1748	DllCommonsvc.exe	95
PID 1748 wrote to memory of 1732	1748	DllCommonsvc.exe	95
PID 1748 wrote to memory of 1732	1748	DllCommonsvc.exe	95
PID 1748 wrote to memory of 1800	1748	DllCommonsvc.exe	98
PID 1748 wrote to memory of 1800	1748	DllCommonsvc.exe	98
PID 1748 wrote to memory of 1800	1748	DllCommonsvc.exe	98
PID 1748 wrote to memory of 1760	1748	DllCommonsvc.exe	99
PID 1748 wrote to memory of 1760	1748	DllCommonsvc.exe	99
PID 1748 wrote to memory of 1760	1748	DllCommonsvc.exe	99
PID 1748 wrote to memory of 2012	1748	DllCommonsvc.exe	108
PID 1748 wrote to memory of 2012	1748	DllCommonsvc.exe	108
PID 1748 wrote to memory of 2012	1748	DllCommonsvc.exe	108
PID 2012 wrote to memory of 2448	2012	cmd.exe	110
PID 2012 wrote to memory of 2448	2012	cmd.exe	110
PID 2012 wrote to memory of 2448	2012	cmd.exe	110
PID 2012 wrote to memory of 1560	2012	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_90183dceb6ae22dd40ffaf704f9ad5a7045935b85051bf841e9c63818c93e280.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_90183dceb6ae22dd40ffaf704f9ad5a7045935b85051bf841e9c63818c93e280.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\ja-JP\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MUBBUlN2QV.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2012
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2448
      - C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat"
        7⤵
        
        PID:2656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1984
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat"
        9⤵
        
        PID:2004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1052
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
        11⤵
        
        PID:1748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2184
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat"
        13⤵
        
        PID:2316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1280
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat"
        15⤵
        
        PID:2044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1380
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat"
        17⤵
        
        PID:1688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2148
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat"
        19⤵
        
        PID:2784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2012
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CTHuJZ10YE.bat"
        21⤵
        
        PID:1944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2704
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SQTB2Yz9K3.bat"
        23⤵
        
        PID:2692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1436
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Templates\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\All Users\Templates\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Desktop\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Desktop\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Desktop\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Cookies\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Cookies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Cookies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Videos\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Videos\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Videos\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
acbc2c97bbd4296f46186bd5c1335ceb

SHA1
07d9662eb81f0f4d1e699f10a0d52b85da2d3004

SHA256
124a3421138dabcd8fe837430cba897bca8003074fa0752f00d2f273b4ccc412

SHA512
c997fcadc1ceb69bc978df66a677c48bb14f038617f77fa7747622aaa197cce4c105fd3e3c53643bf6f452490b8ea857e16a32d9722cfe64cbe7888f68149e70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
696d0d8a6953c785270a0f1ef53b006e

SHA1
355c7fad7608c48f032d7be4626d89825f8a6400

SHA256
fc13dab2a235996a95697564147f7d7dc1e02de4305e17aedd9eb0f08dfb7599

SHA512
72eee4ffb097b30e7b8411d6051ea74913f235cf6a232edfd0852f2ac51ba0c718d937369b12717fabf9cbde5fa880db4aaf1fb42bac01dffb0d093bc1b1c27d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f4f543e9e0a4adb581b2adfa93d063c

SHA1
4b88f1e7d37abc610577d47c03de605a4d91da74

SHA256
14e7227d980b0567eeb52f27989352c150391c4f7f6d6cc57880e1cef888d425

SHA512
8cf7e9b258b756729a479fa475f3f44703ece16959a86dc2072cf68e80647f444ad48e38421ff214289a45c0e70b0eb8c843837ef511779bf6b14820de52e8bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52500252b12256f565a5252e89b8b8a8

SHA1
ea4e04f868bf8ee5d3289090c1861b09cb2294e7

SHA256
770acd257e27fe37291447c6452159862790a9bd45537c76fbd99f878c52d342

SHA512
67b0761ac3f2b9f951ed77426155c99f7c52ddcd8adba1905045b3a6322c6bf79b6a7c65148ac4bee35c672708de1fd394af3d356f4234cbde915fc112a8d540

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
23f5fb5fcd33285dfb919b3b0b4b1f7d

SHA1
6b7f8629c014520a3b9f9e23e517649b88ff2def

SHA256
8f0398070ca52d003a6f48dabd38f6f053dbeccc7707a1b2f75cdb40993042e1

SHA512
94bb3941e9daf9428baa968b74d5b0adf49c55a6cf047a01089de4ceed41336e5795dfe9d3301a43daeafc7b2d157f137ea75f6810be74f8deb91abb47154d15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db3643f161a85c130f0bcb9777c7abd2

SHA1
f023cc31518814ca5c78244d9751d9cc3dfcf2ec

SHA256
ba37a30f7031df34479f791d0bca2014fc725583075875ecd9f00c999012d03f

SHA512
4f7308739acf6c500663a0f034e70fc7c8681798c46d82b6e5990e44630c8e45258231d87a3e1def821e16729b0cfaa222f3e131251596106315e42f37ee739e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
430cb82a6a81ce006e04924a5e4f0b72

SHA1
a04cf1ee2e8aef273b8ff3f18c69fd39ae27daa2

SHA256
d50b98bc31ce0ee85a62cbdfc9be896c9b6a8d066f02851d03449fdd5745e97c

SHA512
eaf840d58d12a414d1ebe46d388ee5875c7131c6f088054441be050b0fb4522a987cfda64a13e09eddec0c9bce56581a9cf695b932cdcc8bfe91f975306e312a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
24a593c071bec9ce55c475f02ade2a3d

SHA1
166abd91f4e37f9428ef788c72df571c400fb0cb

SHA256
4aa3d44612b7db734a0758f603fedece15b5d7e80d5bf5c1b3ed33466ca99cf6

SHA512
4863f53bfee4b3440da4b425979f364900a11f7cb4a1226681050059adba6967219d19f905ef6bc935b8d3cfd09d2d2fe8cdac6d51d5caf23a612e959485b4d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat

Filesize
199B

MD5
c6f8c0120bf630e1919eef058fbb2bc5

SHA1
0a3e8b03c494a369030f243f3793685b5ea63efd

SHA256
edd49a55f1985a0801e0f29afa3aa74118918718a16ebc172edb35709cd38a65

SHA512
e65c567396072adf811f438c62ccc20652bb7fa1e1b9b60c754617154b517f9c789ac863a2c0fddbd4fe78ca2beee8778409649760499d0bd25304fa3da9022b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat

Filesize
199B

MD5
497ec459e3bd4fcb5ddb00b0b3fe5f5c

SHA1
269c763a5f16487f2663b2b00011ec1e31a6e7d2

SHA256
81ae4d8f12ac82848b7d8053e2a1ee97b5fabb8482c03f64b620c995e7db5300

SHA512
da6e97e10fe1f2fd2297a1797823ade5c4dda8f0b99ac2c0ce86499200a816c18cedd71056c2a1b600f520b19371e4a88c553fadca7ea026d61d3fd297e35429

Download Submit
C:\Users\Admin\AppData\Local\Temp\CTHuJZ10YE.bat

Filesize
199B

MD5
02c302a4559c8664b7347d7280c8de68

SHA1
d8af5f20175a7b826deed3b524a2b83b5e2780aa

SHA256
084397d5162674646c6a784c8b84b60aac6700f00c9ee72e9f470c266aa25837

SHA512
32ef9f88ad60e7b37db6a7ef1544a8baf782181ac828060dc02fb51cccd9fb07df4d3c828255333dd7c6afd18df9bc5a4b908f31dda8011af3e4e4e498859b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1C78.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUBBUlN2QV.bat

Filesize
199B

MD5
a4c4fd06578e08cf74bb1e340e316879

SHA1
cbfcb6211e516aad130ce3df3e494b79fbdd29f4

SHA256
0b872bdafff42b0a1cb48425af81a3956a22bde4b9133a6a071b3aa8bfe88e4b

SHA512
726aa3bef572f7420f686b144c23f99e24324d379166c21a1af6d9e6899d04073bb2be54b0b095a9d88a4952f2ff37a2b13f7f1e44416fb7196e7f6bad8f053f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat

Filesize
199B

MD5
ba7ba658db4390f62ac6de09ba918ab2

SHA1
845d8a09f50cb3204275858cda7aae0b6d2d9bd2

SHA256
c259fd385fbc4d3486702bb7e788e2695b516877d27a76cee698c185b66a191d

SHA512
4739438cd03046cf4e6fd9989e793ae5d2afaf21d7755cd3675457efd85e2e23e8f0e2d4bb7af02beeedda5eb97b35b8dfca38bdc21368ecfa8194cbf89fa16c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat

Filesize
199B

MD5
fed5a72ea8a7ec9c88c380399d3fa019

SHA1
44bb99dd4b7b186279b353c724c0f396b0c06a22

SHA256
44940862012483345bf76eb42a9188f839f6d6b50d621acc09f32073a6537270

SHA512
92f1c97fb09072577d0e2b225ab306cfe5a9ac814a636b0abdedd984608e14802b5db6706e75362ef736bc665c500ecc8e16ee27a3dd03da5fdc30b8263e4320

Download Submit
C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat

Filesize
199B

MD5
5be346674468be23bf32295aa733c6a9

SHA1
0ef38f391ea8fa2bc4092f7669bc2f11683f5ead

SHA256
6e0c3afdaa327e431c47688a7b86100e3b633614f868293a302f74c0d2834fff

SHA512
fb5e2c6cb314cb198534f806edd913303b4e47b7696b754a21eddcc9d906d56327df84317b89df8238ed306978053d774ec276e47b9817017b0b6694d955a636

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQTB2Yz9K3.bat

Filesize
199B

MD5
1ef8b02ae83ff6926fbdc2726b1e86ae

SHA1
0be534cf991591c0f1d0d2db510ece83c40697a8

SHA256
e470a4e42942a85d6a5acb3f6730ddc736b6cc6802917d0f5250a3add36b00a4

SHA512
dab72e84c8a1a8fa2c893af47f2e9cea39ecb2e19297b5cece52ed541de77cf5aa073b3ad20d565390b32ec448c90cb044bdb63c3ac9459e8dface3daa5d85e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1C9A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat

Filesize
199B

MD5
2961e59ae0376bf26a6aa7f8c762b349

SHA1
d25b639132797e6ad758680a29c291e202babd71

SHA256
a9beabbefd4ec6d0e8e2836ef9411095c3567c448abbfc67d1478d07064df3e6

SHA512
02c0c8cad749e23f7722a1605347a078cb0eafade1116fa54cb2cdcf856b776107493d7aab86843147a5766e83c42d18031efd79925027014cb88d106092c1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat

Filesize
199B

MD5
41e82d2a7a5334a6292aa2605484ce48

SHA1
635ada61f6208e10f1ce574ccc6dbfd5654954e2

SHA256
91cdb00315a0526b58f32674ec247b9935f51973d7b03adf7da4a3a31143aa10

SHA512
a14213f562f29533a1885f9fac2c79356504ab031d34c66757d6d5ac5b8c2e4ac9b60c23045125e79a89f9a3a205a2d2aada4e2b2877cede94c7676164078ec9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6996aa2d9cb156b8db8f4532ce9897f4

SHA1
74a33c991c22717c40123373601d7242c10f5914

SHA256
6971b435bd8ab493260441480d7408f9bad6f91bee830330259c5ec7dc8a7b6b

SHA512
fa9bf42bc708cc6c309d38945bcef655012c225f56207c39ad788518d9d7522994b71eba52bf4061e3e0fc8b017c3d0a58e3f73af8b50d4e5f3a05372dfca319

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/576-593-0x0000000000CC0000-0x0000000000DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1008-88-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/1112-89-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/1560-117-0x00000000013C0000-0x00000000014D0000-memory.dmp

Filesize
1.1MB

Download
memory/1708-532-0x0000000000360000-0x0000000000470000-memory.dmp

Filesize
1.1MB

Download
memory/1708-533-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1748-17-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/1748-16-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/1748-15-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1748-14-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/1748-13-0x0000000001380000-0x0000000001490000-memory.dmp

Filesize
1.1MB

Download
memory/2012-295-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2128-235-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2992-653-0x0000000001310000-0x0000000001420000-memory.dmp

Filesize
1.1MB

Download
memory/2992-654-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download