dcrat | 502c8929fa16fff35ab78c396413742fe8acaae8e8480c00c8483ebff06532a3

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 13:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_502c8929fa16fff35ab78c396413742fe8acaae8e8480c00c8483ebff06532a3.exe
Size

1.3MB
MD5

45666f08e13932238b6ef2d51f08650b
SHA1

0373411fcd020d35a3c2598776a2a238e81ed61b
SHA256

502c8929fa16fff35ab78c396413742fe8acaae8e8480c00c8483ebff06532a3
SHA512

0a775da43585cc4403027acd459d58e2f7aabaa081e6087181e74167c3d73c9b2a78e9f43dffddfe6084b2640f4105b501e469fca8c4ad4282947c677a526e2d
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2500	schtasks.exe	32

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000146e1-9.dat	dcrat
behavioral1/memory/2616-13-0x0000000000B00000-0x0000000000C10000-memory.dmp	dcrat
behavioral1/memory/2536-122-0x0000000001050000-0x0000000001160000-memory.dmp	dcrat
behavioral1/memory/792-181-0x0000000001180000-0x0000000001290000-memory.dmp	dcrat
behavioral1/memory/852-242-0x00000000002D0000-0x00000000003E0000-memory.dmp	dcrat
behavioral1/memory/2416-303-0x0000000000E50000-0x0000000000F60000-memory.dmp	dcrat
behavioral1/memory/2892-482-0x0000000001000000-0x0000000001110000-memory.dmp	dcrat
behavioral1/memory/2260-601-0x0000000001030000-0x0000000001140000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2324	powershell.exe
2924	powershell.exe
2952	powershell.exe
928	powershell.exe
2004	powershell.exe
1536	powershell.exe
2288	powershell.exe
1632	powershell.exe
1328	powershell.exe
1560	powershell.exe
2444	powershell.exe
2200	powershell.exe
1520	powershell.exe
2248	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2616	DllCommonsvc.exe
2536	conhost.exe
792	conhost.exe
852	conhost.exe
2416	conhost.exe
2020	conhost.exe
2572	conhost.exe
2892	conhost.exe
2340	conhost.exe
2260	conhost.exe
1492	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2624	cmd.exe
2624	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
17	raw.githubusercontent.com
20	raw.githubusercontent.com
24	raw.githubusercontent.com
27	raw.githubusercontent.com
33	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
30	raw.githubusercontent.com
37	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\ja-JP\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\de-DE\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\de-DE\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\winlogon.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Branding\ShellBrd\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\Branding\ShellBrd\6cb0b6c459d5d3	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_502c8929fa16fff35ab78c396413742fe8acaae8e8480c00c8483ebff06532a3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2240	schtasks.exe
1704	schtasks.exe
2388	schtasks.exe
2080	schtasks.exe
812	schtasks.exe
2792	schtasks.exe
1488	schtasks.exe
2728	schtasks.exe
3040	schtasks.exe
2032	schtasks.exe
2484	schtasks.exe
792	schtasks.exe
592	schtasks.exe
560	schtasks.exe
1640	schtasks.exe
2732	schtasks.exe
1996	schtasks.exe
1760	schtasks.exe
1784	schtasks.exe
692	schtasks.exe
588	schtasks.exe
1860	schtasks.exe
3012	schtasks.exe
2568	schtasks.exe
1728	schtasks.exe
2316	schtasks.exe
2252	schtasks.exe
2868	schtasks.exe
1248	schtasks.exe
1540	schtasks.exe
1360	schtasks.exe
1736	schtasks.exe
2196	schtasks.exe
2572	schtasks.exe
2340	schtasks.exe
2092	schtasks.exe
344	schtasks.exe
2668	schtasks.exe
1064	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2616	DllCommonsvc.exe
1536	powershell.exe
1328	powershell.exe
1520	powershell.exe
2288	powershell.exe
2924	powershell.exe
1632	powershell.exe
2200	powershell.exe
1560	powershell.exe
2444	powershell.exe
2004	powershell.exe
2248	powershell.exe
2324	powershell.exe
928	powershell.exe
2952	powershell.exe
2536	conhost.exe
792	conhost.exe
852	conhost.exe
2416	conhost.exe
2020	conhost.exe
2572	conhost.exe
2892	conhost.exe
2340	conhost.exe
2260	conhost.exe
1492	conhost.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	DllCommonsvc.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2536	conhost.exe
Token: SeDebugPrivilege	792	conhost.exe
Token: SeDebugPrivilege	852	conhost.exe
Token: SeDebugPrivilege	2416	conhost.exe
Token: SeDebugPrivilege	2020	conhost.exe
Token: SeDebugPrivilege	2572	conhost.exe
Token: SeDebugPrivilege	2892	conhost.exe
Token: SeDebugPrivilege	2340	conhost.exe
Token: SeDebugPrivilege	2260	conhost.exe
Token: SeDebugPrivilege	1492	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 1660	1716	JaffaCakes118_502c8929fa16fff35ab78c396413742fe8acaae8e8480c00c8483ebff06532a3.exe	28
PID 1716 wrote to memory of 1660	1716	JaffaCakes118_502c8929fa16fff35ab78c396413742fe8acaae8e8480c00c8483ebff06532a3.exe	28
PID 1716 wrote to memory of 1660	1716	JaffaCakes118_502c8929fa16fff35ab78c396413742fe8acaae8e8480c00c8483ebff06532a3.exe	28
PID 1716 wrote to memory of 1660	1716	JaffaCakes118_502c8929fa16fff35ab78c396413742fe8acaae8e8480c00c8483ebff06532a3.exe	28
PID 1660 wrote to memory of 2624	1660	WScript.exe	29
PID 1660 wrote to memory of 2624	1660	WScript.exe	29
PID 1660 wrote to memory of 2624	1660	WScript.exe	29
PID 1660 wrote to memory of 2624	1660	WScript.exe	29
PID 2624 wrote to memory of 2616	2624	cmd.exe	31
PID 2624 wrote to memory of 2616	2624	cmd.exe	31
PID 2624 wrote to memory of 2616	2624	cmd.exe	31
PID 2624 wrote to memory of 2616	2624	cmd.exe	31
PID 2616 wrote to memory of 1328	2616	DllCommonsvc.exe	72
PID 2616 wrote to memory of 1328	2616	DllCommonsvc.exe	72
PID 2616 wrote to memory of 1328	2616	DllCommonsvc.exe	72
PID 2616 wrote to memory of 1560	2616	DllCommonsvc.exe	73
PID 2616 wrote to memory of 1560	2616	DllCommonsvc.exe	73
PID 2616 wrote to memory of 1560	2616	DllCommonsvc.exe	73
PID 2616 wrote to memory of 1632	2616	DllCommonsvc.exe	75
PID 2616 wrote to memory of 1632	2616	DllCommonsvc.exe	75
PID 2616 wrote to memory of 1632	2616	DllCommonsvc.exe	75
PID 2616 wrote to memory of 2924	2616	DllCommonsvc.exe	76
PID 2616 wrote to memory of 2924	2616	DllCommonsvc.exe	76
PID 2616 wrote to memory of 2924	2616	DllCommonsvc.exe	76
PID 2616 wrote to memory of 2004	2616	DllCommonsvc.exe	77
PID 2616 wrote to memory of 2004	2616	DllCommonsvc.exe	77
PID 2616 wrote to memory of 2004	2616	DllCommonsvc.exe	77
PID 2616 wrote to memory of 1520	2616	DllCommonsvc.exe	78
PID 2616 wrote to memory of 1520	2616	DllCommonsvc.exe	78
PID 2616 wrote to memory of 1520	2616	DllCommonsvc.exe	78
PID 2616 wrote to memory of 1536	2616	DllCommonsvc.exe	79
PID 2616 wrote to memory of 1536	2616	DllCommonsvc.exe	79
PID 2616 wrote to memory of 1536	2616	DllCommonsvc.exe	79
PID 2616 wrote to memory of 2248	2616	DllCommonsvc.exe	80
PID 2616 wrote to memory of 2248	2616	DllCommonsvc.exe	80
PID 2616 wrote to memory of 2248	2616	DllCommonsvc.exe	80
PID 2616 wrote to memory of 928	2616	DllCommonsvc.exe	81
PID 2616 wrote to memory of 928	2616	DllCommonsvc.exe	81
PID 2616 wrote to memory of 928	2616	DllCommonsvc.exe	81
PID 2616 wrote to memory of 2200	2616	DllCommonsvc.exe	83
PID 2616 wrote to memory of 2200	2616	DllCommonsvc.exe	83
PID 2616 wrote to memory of 2200	2616	DllCommonsvc.exe	83
PID 2616 wrote to memory of 2952	2616	DllCommonsvc.exe	85
PID 2616 wrote to memory of 2952	2616	DllCommonsvc.exe	85
PID 2616 wrote to memory of 2952	2616	DllCommonsvc.exe	85
PID 2616 wrote to memory of 2444	2616	DllCommonsvc.exe	87
PID 2616 wrote to memory of 2444	2616	DllCommonsvc.exe	87
PID 2616 wrote to memory of 2444	2616	DllCommonsvc.exe	87
PID 2616 wrote to memory of 2288	2616	DllCommonsvc.exe	88
PID 2616 wrote to memory of 2288	2616	DllCommonsvc.exe	88
PID 2616 wrote to memory of 2288	2616	DllCommonsvc.exe	88
PID 2616 wrote to memory of 2324	2616	DllCommonsvc.exe	89
PID 2616 wrote to memory of 2324	2616	DllCommonsvc.exe	89
PID 2616 wrote to memory of 2324	2616	DllCommonsvc.exe	89
PID 2616 wrote to memory of 1616	2616	DllCommonsvc.exe	100
PID 2616 wrote to memory of 1616	2616	DllCommonsvc.exe	100
PID 2616 wrote to memory of 1616	2616	DllCommonsvc.exe	100
PID 1616 wrote to memory of 2464	1616	cmd.exe	102
PID 1616 wrote to memory of 2464	1616	cmd.exe	102
PID 1616 wrote to memory of 2464	1616	cmd.exe	102
PID 1616 wrote to memory of 2536	1616	cmd.exe	103
PID 1616 wrote to memory of 2536	1616	cmd.exe	103
PID 1616 wrote to memory of 2536	1616	cmd.exe	103
PID 2536 wrote to memory of 1728	2536	conhost.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_502c8929fa16fff35ab78c396413742fe8acaae8e8480c00c8483ebff06532a3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_502c8929fa16fff35ab78c396413742fe8acaae8e8480c00c8483ebff06532a3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\ja-JP\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\de-DE\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\ShellBrd\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3zRe6kLImV.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1616
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2464
      - C:\Program Files\Windows Sidebar\de-DE\conhost.exe
        
        "C:\Program Files\Windows Sidebar\de-DE\conhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7eFR6a9mI.bat"
        7⤵
        
        PID:1728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1072
        
        C:\Program Files\Windows Sidebar\de-DE\conhost.exe
        
        "C:\Program Files\Windows Sidebar\de-DE\conhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat"
        9⤵
        
        PID:1508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2444
        
        C:\Program Files\Windows Sidebar\de-DE\conhost.exe
        
        "C:\Program Files\Windows Sidebar\de-DE\conhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qKN9Q7Smhq.bat"
        11⤵
        
        PID:1604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2616
        
        C:\Program Files\Windows Sidebar\de-DE\conhost.exe
        
        "C:\Program Files\Windows Sidebar\de-DE\conhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat"
        13⤵
        
        PID:776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2872
        
        C:\Program Files\Windows Sidebar\de-DE\conhost.exe
        
        "C:\Program Files\Windows Sidebar\de-DE\conhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat"
        15⤵
        
        PID:2632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2920
        
        C:\Program Files\Windows Sidebar\de-DE\conhost.exe
        
        "C:\Program Files\Windows Sidebar\de-DE\conhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\95TPLp0dsP.bat"
        17⤵
        
        PID:2468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2840
        
        C:\Program Files\Windows Sidebar\de-DE\conhost.exe
        
        "C:\Program Files\Windows Sidebar\de-DE\conhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wqkq749RcZ.bat"
        19⤵
        
        PID:2556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2660
        
        C:\Program Files\Windows Sidebar\de-DE\conhost.exe
        
        "C:\Program Files\Windows Sidebar\de-DE\conhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\etpQuxQFPn.bat"
        21⤵
        
        PID:2972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2256
        
        C:\Program Files\Windows Sidebar\de-DE\conhost.exe
        
        "C:\Program Files\Windows Sidebar\de-DE\conhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Usvo58uhQ.bat"
        23⤵
        
        PID:1976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2692
        
        C:\Program Files\Windows Sidebar\de-DE\conhost.exe
        
        "C:\Program Files\Windows Sidebar\de-DE\conhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat"
        25⤵
        
        PID:2352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\de-DE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\de-DE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\de-DE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\Branding\ShellBrd\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Branding\ShellBrd\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0556bbd9338660a4b00cb3101250d5a

SHA1
3cf006a654d21119cee91a0ee0246e2d5778773d

SHA256
deacdd5794045df36e2cf26dc527fa5d5360108428bf067622c2c29175e8e5a0

SHA512
081bd271d280379b318714ca3ab5669066ba6a7144dd85db84925b8e648528b1c9999d7cc7e5cd0fd93e063de420a899484c6abb5a730cc8e13a64a437dd78a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1799b96369801c96f872ab6acb2d2422

SHA1
57a5e07c2bdaec86ab0826a38f33407f47ee1076

SHA256
520d37a393704bf8959230de8f859ed610e613c1f5fa10c4864796f137ba3039

SHA512
f25ed805c20c93555f362ae6dcec58f6fe4e7a781bcf40764e641503272eb9ffb087747bf35f195cbcb7297ea762b0634d169b835c0de7857bd5dc5c144aa485

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ebebca7066703ea9244de51fddb86a53

SHA1
3f60444a7e6155de0482e0d770e98d976f6e6781

SHA256
04199be72863099a82dc84fd4d1428be5307d0b34bf36f4bf40fea8feb91ebca

SHA512
b20ea05199c6b1c21fe49b3cb94fb2eb5b14bf518d636d2dab792821fb0553fc280047232d8c1f8d25efc89d0624d3aa1daa136223e7db45c155d4bc3f0db02c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0f105814a420339e089583952f4e23b

SHA1
e4d109f45daa15884024ba33489c3215280cb1f9

SHA256
370466db52900bfb81eedc5062381ab3de9a9bc06bf7465832e7936a7fe904b4

SHA512
774ca236c44863f5dedba5144d89197be3f895d0dec9e08c21a3c90532795c56b5e6117b3c58c9db1ac90cfffe8ed74e9ca3f1cd860e46aaf585c36eec95cb1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f930c999f3641b22445be0f045656e1

SHA1
60697989e0ada85e4b7ad354c7c0bdf74595cfae

SHA256
d8f666a69ac2ae1a317a529eb8f0b24fe10b67a5a8acb4a322df61e24771a11a

SHA512
105d7aad145eb1e7dec20b86ae580b634a4afeca3ecc9a3cecabe5062078d059da27207cbcfae218fc2aaf704caae2361355ccd30d8d4f370e8f1a74befa7180

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17b93e54fce57dc368e856f8896087b0

SHA1
455f8b23fe5e1ac430d3d59af6c71d26bb9461ed

SHA256
0a51f01de586e6d3de2d990291a0a5720466cb19a6c2a2e0cbf3f3bdcfbb86f8

SHA512
6e14eb50f49f61a56ee6b036467c9f581bb85bd954693465c39e2cbde86b80df12dd0965236c9d6a07ccda9502d5af735ec21e17b357e378f8ff796c7871aa4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39f45cc0c78ce3329ae8f7c59c32fcf0

SHA1
0c76b9154aebf9c1f356e9280c9fb9e6e80c753c

SHA256
3013e5534840c38b1651d267f02ff8860b57680156c0fc8e298478959792edbe

SHA512
f8c0a037f45077ddb7f39f61da41b872110eecddf065966899cf15838fc400eac29ccd11db3a56c9c3caf4ebcfb2de393fd6eaf2c2172e0dd81d1c07c3883a57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c2b9a7f7e3e3dbd72e54d5898592a17

SHA1
4d9dd6b21a78e36a7eb08c4bc86626c1d4b1d5f7

SHA256
e506ab18c4b65df268e57252464aaa442a0880ad015fc8cb0033ae4fbafee35d

SHA512
b3290474a0950313f83b7f1b69e2af9703e8651135b14c41b4054010e97a85d68a85327d98df699e1c1b07ae95a0f9da6b4769dc5fdf19a662736e82b99350e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c90f3c26d6e676f9b07dfb221ce875e

SHA1
9b7840bbc6a8de2816d69e377161612e94f8a953

SHA256
04d19acf3a5de5fa3c6b43379a512761acdef828675f85e5de9e4813b0fc4acd

SHA512
512cf5ccd2990066c407da31bfdf16c2ca5fb99eb48238ead769490596996040db5af6bd45cd06eab24a8546687e834fba75f1b7d24d59bdfefb31b4d035adfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat

Filesize
215B

MD5
4292a78c706b56d6d2ca9b0032f14fd6

SHA1
77547717ee2300a4b2e90faf8e32907d40042029

SHA256
d1ad1fe4bbbfcfe8a4708fe027b616f3cffa89ab6d132a2b8f93a20956744d94

SHA512
150140f5c25fe1adb1395560eadf5f064a0249ae52729b3bfb2dc01d8f60efaebc372d8a48dc3e576e0835d8b55d751e3204b48f07477f881739ce9787a1124c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3zRe6kLImV.bat

Filesize
215B

MD5
549295c54abaa60d8370b47639f1d49b

SHA1
a4a07461610d9b17b62b46a524110bb9a2f04d2b

SHA256
b767cb2899338b3852e81fa571fcd636e42ed0e146ad8e4c27d65e4f9af187de

SHA512
f928a15c1af86773430fceb1dacbdb3e71cc935b101176127ae93a7dbe992f0d68ab92657c416ad030fb67a38596d4336f103074f355ed05ba860e4d5465af70

Download Submit
C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat

Filesize
215B

MD5
d76c49a9fe7b14a3879033120eed33ff

SHA1
ac91fe21c4ff970850f1ee55759591047a2cd888

SHA256
a64f8d6a2af94d96ce46cc87787f5485d46744e87f8f9d03cbb750a4921ede09

SHA512
fea0f1e3264b198d4eaa0f62fb16d97aed9621a19a1b696a214877a060bf5c72777973661f716f7c135d68b0e9c1928d72bafb71339fb85a691302bba73d6ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat

Filesize
215B

MD5
72d8b3f7a0b35dc1b539c8410f53fc9c

SHA1
634666e8388326343015edbc5c3f4fa98ed71642

SHA256
56a1959720e6d653160da9d3c4fb52c36299932369ad765703c16692678f17c9

SHA512
e0ba1f2248a57f71b5f19850f1a1cea03072ea0a9add7aa30f3a062c74e55f3bf194ba92a04223e5908520a35023e14a98f104efc85cdb3af0f16fcbba6d2167

Download Submit
C:\Users\Admin\AppData\Local\Temp\8Usvo58uhQ.bat

Filesize
215B

MD5
b07505c5ab996802e4ec746722724326

SHA1
c7bb3f2c191e21484395ea705261abcd4be39270

SHA256
bda54887edc34f87f4a174d6d4c46560743c24b009793b4907afbc05107d1481

SHA512
23feab02e804570f1f0403c9561e36c0cfd4ecd479855dee760d5f768739a01b0e039b4aa9d453d1e9688f9748fb01241acf30b4a64a8265ca642afc11b8d99d

Download Submit
C:\Users\Admin\AppData\Local\Temp\95TPLp0dsP.bat

Filesize
215B

MD5
1f4685656a57761311b9f77577af84d4

SHA1
6d8f441269c84ffa3110b865495bf2f4d9a259ad

SHA256
167b5176ce222a64291a26b642cadf265bd2a63232a2a2f32498bbb9ebf9b204

SHA512
c8c740051e03c338e02039d36fcde94afd6d2e6407bd955411d03908f157ceffb140a1c22e7c126f8243561281cc9a5737627a42f92267c5a2b121fb4fbac129

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA057.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\H7eFR6a9mI.bat

Filesize
215B

MD5
dedb05bc7a1d3424aa77b07edfe83926

SHA1
c433f13bf197eacf23532c4b6f2f3aab7a102c97

SHA256
c684d05753d38bed682685354b1304726e309e9495da255da04b05300fe02a79

SHA512
3f690da7a6ac500245eb1658749f71de3c3a2b69e404ee195daeda4803dcee6c87e13b0aba6a53b27af12652893b27df7a42239a4ed67ae01ea4873114e98841

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA069.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wqkq749RcZ.bat

Filesize
215B

MD5
5c009c5b977d45a583830bc4af38ad4f

SHA1
85311e995e54f34df805c3ea2cbb6719525408be

SHA256
795abf9314708f480ec06fde700d3a0672f315dff0b87f6c9bb6e8ef7193cf8a

SHA512
fd8f7f041d7e6bd6a6159cd2cc86f3da646a962fac858e53c7ba2a4c573f41135cd07e92f17202611b2d42eaa091b32566e545322b2d272e103987edf85e09f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\etpQuxQFPn.bat

Filesize
215B

MD5
2a12b589b864b888041cb47d27c60f4b

SHA1
b631a307c1954a1aeadedd30d77a0a2e05ffb1aa

SHA256
f37a11e80faff03d077d06ace600d08668cbf836cfbdefbc5b19be56a077b41f

SHA512
d56a2cb1785bf1f0ac9344599ea3e420460b787af1050a857516d17e5e7ff37298479fcfbd44fe22986d9e648d7906e2ea093496d2f1ef68ebc300ac8c6d77ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat

Filesize
215B

MD5
809e2f438a977eb8afe6b7bda5aaf895

SHA1
89a07422d6ebaa1d90852095f501a0178fbed342

SHA256
1608b5323d03f404ae2fc4a9e2007801b1d029fa58c8374fbd390bb09f7a8943

SHA512
1d1731c366ae8c7f68c29f16b7723175530ab89a36787aae90f846a9aa836f3ba5edc55c8ded198727eb817da826d3eda66483b78634d6c760563c27496e05bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qKN9Q7Smhq.bat

Filesize
215B

MD5
3ca439828cca4d7663ed3e656342179f

SHA1
57a193f43801b07379f9a1c2b1abeede11890df8

SHA256
f95c1975b7b2e85f98e296f8ca346848857b200668a119ff8b1aeb6c23052fd8

SHA512
f917e02b29b4ba56bc42b5b39acc5d8b647e61d7bb7c196f4fae6f4ff218b12ac89694b71cbdb70e4274d0986abc2b95160acf44bd5373c6d83ae8a91d1f2e28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d3ab86505b028e83552cc32c4e824b30

SHA1
dcbb4869d6265c42d00d6123adc511f52e071dbb

SHA256
acb3ed5da72ef11bd0030f419174a09d019c96b13742a70df5780f1fa1d66447

SHA512
ec19661a144e3b1f40b9eb283a081f4bb61aded325962800dfb76c209bbe27334e0e68e3f0961b8fbc72dee6d204ec7640253dc76c8f76676216b569d4ade1bb

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/792-182-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/792-181-0x0000000001180000-0x0000000001290000-memory.dmp

Filesize
1.1MB

Download
memory/852-242-0x00000000002D0000-0x00000000003E0000-memory.dmp

Filesize
1.1MB

Download
memory/852-243-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/1536-77-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/1632-98-0x0000000002670000-0x0000000002678000-memory.dmp

Filesize
32KB

Download
memory/2260-601-0x0000000001030000-0x0000000001140000-memory.dmp

Filesize
1.1MB

Download
memory/2416-303-0x0000000000E50000-0x0000000000F60000-memory.dmp

Filesize
1.1MB

Download
memory/2536-122-0x0000000001050000-0x0000000001160000-memory.dmp

Filesize
1.1MB

Download
memory/2572-422-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2616-16-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/2616-17-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2616-15-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2616-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2616-13-0x0000000000B00000-0x0000000000C10000-memory.dmp

Filesize
1.1MB

Download
memory/2892-482-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download