dcrat | e7bbdca410d3640d2e35f043e272fdbcc877e46e0bc191debab004cebbc811ad

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7bbdca410d3640d2e35f043e272fdbcc877e46e0bc191debab004cebbc811ad.exe
Size

1.3MB
MD5

f1804de6b3fbef0c6b8b41c32789639b
SHA1

198d815c5e4b1b829050a27a29cfc1b9a4bf579d
SHA256

e7bbdca410d3640d2e35f043e272fdbcc877e46e0bc191debab004cebbc811ad
SHA512

ee038e678deefc443801076212f1e8a88dc07d5ed3bfeeb6d78f5862d243c6cfa6fa6861647b1ce6e1324c995c710012c895b31fd13f9a0099cfb0148f17d7f1
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2832	schtasks.exe	35

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000019278-9.dat	dcrat
behavioral1/memory/2676-13-0x0000000001190000-0x00000000012A0000-memory.dmp	dcrat
behavioral1/memory/540-132-0x0000000000220000-0x0000000000330000-memory.dmp	dcrat
behavioral1/memory/2860-191-0x0000000000B80000-0x0000000000C90000-memory.dmp	dcrat
behavioral1/memory/1976-251-0x0000000000DC0000-0x0000000000ED0000-memory.dmp	dcrat
behavioral1/memory/2532-375-0x0000000001010000-0x0000000001120000-memory.dmp	dcrat
behavioral1/memory/2052-435-0x0000000000370000-0x0000000000480000-memory.dmp	dcrat
behavioral1/memory/1532-495-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2732	powershell.exe
1764	powershell.exe
1616	powershell.exe
2660	powershell.exe
2748	powershell.exe
2824	powershell.exe
1512	powershell.exe
2524	powershell.exe
1800	powershell.exe
2992	powershell.exe
2596	powershell.exe
1944	powershell.exe
2528	powershell.exe
996	powershell.exe
3016	powershell.exe
2744	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2676	DllCommonsvc.exe
2796	DllCommonsvc.exe
540	smss.exe
2860	smss.exe
1976	smss.exe
2896	smss.exe
2908	smss.exe
2532	smss.exe
2052	smss.exe
1532	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
2392	cmd.exe
2392	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Common Files\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\ja-JP\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\it-IT\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\it-IT\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\ja-JP\69ddcba757bf72	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\addins\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\addins\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\ja-JP\System.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\System.exe	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\ja-JP\27d1bcfc3c54e0	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7bbdca410d3640d2e35f043e272fdbcc877e46e0bc191debab004cebbc811ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1360	schtasks.exe
1652	schtasks.exe
1852	schtasks.exe
2420	schtasks.exe
2008	schtasks.exe
2496	schtasks.exe
2548	schtasks.exe
2208	schtasks.exe
2980	schtasks.exe
2964	schtasks.exe
2844	schtasks.exe
2568	schtasks.exe
944	schtasks.exe
2944	schtasks.exe
1112	schtasks.exe
1796	schtasks.exe
1752	schtasks.exe
2604	schtasks.exe
920	schtasks.exe
840	schtasks.exe
2780	schtasks.exe
1736	schtasks.exe
1636	schtasks.exe
336	schtasks.exe
1560	schtasks.exe
2912	schtasks.exe
2120	schtasks.exe
1284	schtasks.exe
2720	schtasks.exe
2084	schtasks.exe
2616	schtasks.exe
2680	schtasks.exe
1340	schtasks.exe
1316	schtasks.exe
3040	schtasks.exe
2800	schtasks.exe
2264	schtasks.exe
2868	schtasks.exe
2996	schtasks.exe
2156	schtasks.exe
2196	schtasks.exe
2664	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2676	DllCommonsvc.exe
1944	powershell.exe
1512	powershell.exe
3016	powershell.exe
2796	DllCommonsvc.exe
2528	powershell.exe
2660	powershell.exe
2824	powershell.exe
2524	powershell.exe
2732	powershell.exe
1800	powershell.exe
1616	powershell.exe
2992	powershell.exe
2744	powershell.exe
1764	powershell.exe
996	powershell.exe
2596	powershell.exe
2748	powershell.exe
540	smss.exe
2860	smss.exe
1976	smss.exe
2896	smss.exe
2532	smss.exe
2052	smss.exe
1532	smss.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	DllCommonsvc.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2796	DllCommonsvc.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	540	smss.exe
Token: SeDebugPrivilege	2860	smss.exe
Token: SeDebugPrivilege	1976	smss.exe
Token: SeDebugPrivilege	2896	smss.exe
Token: SeDebugPrivilege	2532	smss.exe
Token: SeDebugPrivilege	2052	smss.exe
Token: SeDebugPrivilege	1532	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 1276	2616	e7bbdca410d3640d2e35f043e272fdbcc877e46e0bc191debab004cebbc811ad.exe	31
PID 2616 wrote to memory of 1276	2616	e7bbdca410d3640d2e35f043e272fdbcc877e46e0bc191debab004cebbc811ad.exe	31
PID 2616 wrote to memory of 1276	2616	e7bbdca410d3640d2e35f043e272fdbcc877e46e0bc191debab004cebbc811ad.exe	31
PID 2616 wrote to memory of 1276	2616	e7bbdca410d3640d2e35f043e272fdbcc877e46e0bc191debab004cebbc811ad.exe	31
PID 1276 wrote to memory of 2392	1276	WScript.exe	32
PID 1276 wrote to memory of 2392	1276	WScript.exe	32
PID 1276 wrote to memory of 2392	1276	WScript.exe	32
PID 1276 wrote to memory of 2392	1276	WScript.exe	32
PID 2392 wrote to memory of 2676	2392	cmd.exe	34
PID 2392 wrote to memory of 2676	2392	cmd.exe	34
PID 2392 wrote to memory of 2676	2392	cmd.exe	34
PID 2392 wrote to memory of 2676	2392	cmd.exe	34
PID 2676 wrote to memory of 1944	2676	DllCommonsvc.exe	42
PID 2676 wrote to memory of 1944	2676	DllCommonsvc.exe	42
PID 2676 wrote to memory of 1944	2676	DllCommonsvc.exe	42
PID 2676 wrote to memory of 3016	2676	DllCommonsvc.exe	43
PID 2676 wrote to memory of 3016	2676	DllCommonsvc.exe	43
PID 2676 wrote to memory of 3016	2676	DllCommonsvc.exe	43
PID 2676 wrote to memory of 1512	2676	DllCommonsvc.exe	44
PID 2676 wrote to memory of 1512	2676	DllCommonsvc.exe	44
PID 2676 wrote to memory of 1512	2676	DllCommonsvc.exe	44
PID 2676 wrote to memory of 1868	2676	DllCommonsvc.exe	48
PID 2676 wrote to memory of 1868	2676	DllCommonsvc.exe	48
PID 2676 wrote to memory of 1868	2676	DllCommonsvc.exe	48
PID 1868 wrote to memory of 1632	1868	cmd.exe	50
PID 1868 wrote to memory of 1632	1868	cmd.exe	50
PID 1868 wrote to memory of 1632	1868	cmd.exe	50
PID 1868 wrote to memory of 2796	1868	cmd.exe	51
PID 1868 wrote to memory of 2796	1868	cmd.exe	51
PID 1868 wrote to memory of 2796	1868	cmd.exe	51
PID 2796 wrote to memory of 2528	2796	DllCommonsvc.exe	88
PID 2796 wrote to memory of 2528	2796	DllCommonsvc.exe	88
PID 2796 wrote to memory of 2528	2796	DllCommonsvc.exe	88
PID 2796 wrote to memory of 2524	2796	DllCommonsvc.exe	89
PID 2796 wrote to memory of 2524	2796	DllCommonsvc.exe	89
PID 2796 wrote to memory of 2524	2796	DllCommonsvc.exe	89
PID 2796 wrote to memory of 2660	2796	DllCommonsvc.exe	90
PID 2796 wrote to memory of 2660	2796	DllCommonsvc.exe	90
PID 2796 wrote to memory of 2660	2796	DllCommonsvc.exe	90
PID 2796 wrote to memory of 2596	2796	DllCommonsvc.exe	91
PID 2796 wrote to memory of 2596	2796	DllCommonsvc.exe	91
PID 2796 wrote to memory of 2596	2796	DllCommonsvc.exe	91
PID 2796 wrote to memory of 2992	2796	DllCommonsvc.exe	92
PID 2796 wrote to memory of 2992	2796	DllCommonsvc.exe	92
PID 2796 wrote to memory of 2992	2796	DllCommonsvc.exe	92
PID 2796 wrote to memory of 1616	2796	DllCommonsvc.exe	94
PID 2796 wrote to memory of 1616	2796	DllCommonsvc.exe	94
PID 2796 wrote to memory of 1616	2796	DllCommonsvc.exe	94
PID 2796 wrote to memory of 1764	2796	DllCommonsvc.exe	96
PID 2796 wrote to memory of 1764	2796	DllCommonsvc.exe	96
PID 2796 wrote to memory of 1764	2796	DllCommonsvc.exe	96
PID 2796 wrote to memory of 1800	2796	DllCommonsvc.exe	99
PID 2796 wrote to memory of 1800	2796	DllCommonsvc.exe	99
PID 2796 wrote to memory of 1800	2796	DllCommonsvc.exe	99
PID 2796 wrote to memory of 996	2796	DllCommonsvc.exe	101
PID 2796 wrote to memory of 996	2796	DllCommonsvc.exe	101
PID 2796 wrote to memory of 996	2796	DllCommonsvc.exe	101
PID 2796 wrote to memory of 2824	2796	DllCommonsvc.exe	102
PID 2796 wrote to memory of 2824	2796	DllCommonsvc.exe	102
PID 2796 wrote to memory of 2824	2796	DllCommonsvc.exe	102
PID 2796 wrote to memory of 2732	2796	DllCommonsvc.exe	103
PID 2796 wrote to memory of 2732	2796	DllCommonsvc.exe	103
PID 2796 wrote to memory of 2732	2796	DllCommonsvc.exe	103
PID 2796 wrote to memory of 2744	2796	DllCommonsvc.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e7bbdca410d3640d2e35f043e272fdbcc877e46e0bc191debab004cebbc811ad.exe
"C:\Users\Admin\AppData\Local\Temp\e7bbdca410d3640d2e35f043e272fdbcc877e46e0bc191debab004cebbc811ad.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\ja-JP\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5oQSJwSTU5.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1868
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1632
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\Idle.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\it-IT\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\de-DE\lsm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\ja-JP\smss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c1pfVO9b59.bat"
        7⤵
        
        PID:1700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2348
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T3kbcxG26A.bat"
        9⤵
        
        PID:2996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2880
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4vfhrz6qhB.bat"
        11⤵
        
        PID:708
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1864
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat"
        13⤵
        
        PID:2980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1488
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat"
        15⤵
        
        PID:2680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2420
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        16⤵
        Executes dropped EXE
        
        PID:2908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yKdveU0JJ.bat"
        17⤵
        
        PID:2888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2800
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat"
        19⤵
        
        PID:1924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2644
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mrWoaKD2ur.bat"
        21⤵
        
        PID:2328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2196
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\ja-JP\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\PolicyDefinitions\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\addins\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\it-IT\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\it-IT\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Common Files\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\ja-JP\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Start Menu\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Start Menu\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e20e005420dd8dcdfe775d513d09934d

SHA1
c68b8aca5728e116226ea1776f270823ba083421

SHA256
786c98a1faffae2377546c342eeb57b01a557f779040975bc63f5c1fb5bc1ba8

SHA512
21c323c5374f550d455672792942bb5350d84ce183eb8b5556dc0ccb62026cb49546fe1fe6518261b0fe9d1b16f07f8bcecc3739312ffe71b92d4f89f15c07ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
edd298280f9fee8c6362a2bceddecdb1

SHA1
7d8efd15540a8008fa20d0c9483f5132d03f552b

SHA256
7e0083a24595a94e989107ee9bf7ffd77b58b3461cac5948e1aadea59c01c6b4

SHA512
243ce6b2063a1c17d2da59ff0b5c192567177493dbd079e8cb5dc4bc105b2f6f9ff853909415616a76d365e5da52879023374641d91f388822c131de93163007

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c72418a3affa337b17e4afa425f706e

SHA1
1e6928c0165f322f07879e15610f418c50311c26

SHA256
ce405d301e739baadb33907b7a739422ed50a8e4149fc9d5e0b292c6ff5806a7

SHA512
a45a4dbc73b1586147780bf2a3ec21ccdf920509c5d5e6aff60312de8a3741a6ca34f01a25d77725e7ae4a875d84e4569571fa6014472c158afa88c083c2cb66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef6bf064ff20a578d35e2a5992a4099a

SHA1
1678452837995c385187f7abd959fe3de5c812df

SHA256
ba74af5d4e399cf0f913ae1be99fb3a4315615ec097d5a07ca0ccc95e1094642

SHA512
c2b7f26d245535be94a5c685e09e3714cb7990b25c1d5335e58ba7f536becdb8f2f532185f190a348190ab47b4ef26704282bdcb7b6a61d55c64920e1c44ec98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
acf475e1672bbf15312f393a235b2bfe

SHA1
31a99f6626dc52e37667aa924d8e9f708068940a

SHA256
3d8bee0d531e2c066244a128b9bc9d46ed2953710886cc4177ebf50a815dc087

SHA512
57d34d4bab8a683a89b5f1559c0a6ce4270b2c0723de58b96138897673d077bd36585bd7e75ef71918c2448b85309a0ebead6f6ddecd1e4309fe02e50411132e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4vfhrz6qhB.bat

Filesize
191B

MD5
20b6ee5166bba08e18e47297026acd83

SHA1
d36d97466dc7bb23c17f78e238dad172174b4aca

SHA256
a5ba040475d0997cde71c853dbc00497b5588f28e44c2a7e262bdc91e6b4f033

SHA512
518caa6c92d0078c1f2fe32db02fce11c168844b41627365511457ebc1b7e90dbd2dae1d263da1a8f841a2734325097a2deacc5dd3e98c50e08423e40a0dc793

Download Submit
C:\Users\Admin\AppData\Local\Temp\5oQSJwSTU5.bat

Filesize
199B

MD5
4205300563381855ac7d9bf3a21c0277

SHA1
27954f2c3dd819cbbf23f986aeca96c26d798a7a

SHA256
d3590d2f2e02704a6d02dbcd71093ab2c947b1e855f5603afc6fa78c099b7204

SHA512
a32bc2d30e0c18070e41b88e7f61b470fa2dca0aa54e6d833bdfbc51d97e74ffd079454eea2f10130d340a5d3ccf545f993a2cd0fea4148823e213c5be4ea3bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4C3E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat

Filesize
191B

MD5
5df4599da4454e92b908f8badd758cf2

SHA1
4b85aa43d2c920f6f973f07fa7ceba5a05308d4c

SHA256
a8ea739c18c5d6daa3a9cc32f011173c81985d54a51ac68f667c2b4afcc76dce

SHA512
33a51a68ec0d0c0f58c48e5613b48f555f2fdfefcd51cda55a644426205d326549bfc0892fbe9cf25c50add36b844df7a51cc5f0802a86b714cf4a8876c83871

Download Submit
C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat

Filesize
191B

MD5
07d592860f300f85c6cc5543d4f1bdb0

SHA1
56092db34c7707905e2f5d2051b244d4cc97e049

SHA256
63b14859b7b8f207cb73cb5a6db254af39f3fda67451c8a0546f37e84d308a56

SHA512
14fed9057d07e5987ee472777be4659b3686994cbdc88b753c299d2f1d291a12a8242059a5adf18024027aabc798f794d0d2356444fd8572b1d6097b752598f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\T3kbcxG26A.bat

Filesize
191B

MD5
5401d6633759b8e9cd3587e686e5da31

SHA1
cdeebc1597a37440241eaac46578bd3035a55c41

SHA256
4cda739c21c671afacca7808614b1fe85a0746599aae0565456d6da4acd6c253

SHA512
95632a41e0bc40a119a7044497a5b8b5e439ffd3e920063ce72c5f823e7c4734646e782fa4b56b49d2af5508c2f9021540635a98bf01d388354d57b05dda497e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4C61.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1pfVO9b59.bat

Filesize
191B

MD5
f2c4bbd41ab74a6085ed9341596e3547

SHA1
5d8ed351cf237e91a9058ea08de6a3a415d86934

SHA256
c91631dd97bad63fe3500cb198abbb839b9c0df44a6e2395d126a781d72be5ca

SHA512
c7353ac27b322d8c093e1a87773982dddf45224f51d824d21894f1eb86b4d234a5db97b787a39c655fb2775481a76e01e5befbaf9fc7ca727d612ca3486af60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrWoaKD2ur.bat

Filesize
191B

MD5
3593b912d298b6b21587ab99a97d8203

SHA1
025952e0a76f74f03dde8ea756c02052d2a6561d

SHA256
cda439f26a3a0066c31561bd7d1cbc37bf09c4a2d2ed7966532a6965a8e664b2

SHA512
3687ab632bd5a735efebe40c2d9d107127ee31a1c0a6f5bd4c8e4e2bf0c07a4ac8d97ed0d4ab82d5345a9d11ec6bb4073f062c71962206fad80feed5e9e12c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat

Filesize
191B

MD5
7842cddc42c8ace8f4a2a64ce87a6a76

SHA1
109e08dac7512bd40dbbb37d1d9cd3e16e6b3891

SHA256
5db88af84662e4169fe925280d14ed08ce1a8a2aba57a6afd4e7a1cfee120332

SHA512
8624fbe2e21676a2d8ce78ce564334e971b1aafb142b6b6100d33aaf62b43cfc2696b6a87272f3be5f9801a81180901290cde39d3ff2c5100f524f5f8a94e283

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
acfbaade5371b3e33873f841ebc4716f

SHA1
815d3ed14ac3258e544654d1922032459798c9a0

SHA256
82bbb64d5007a6c3fe555572926e7a57b6cdb3ba47d0acd08367889212221a2d

SHA512
9beefa097102c6b1c0af4af0d050db0cd48eb2f1347b40c0b454be8b738e7abe728102aa98bd56aee5cd1e8afcf0bc51cb7f7b96ff79814a530218fd1032ba08

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/540-132-0x0000000000220000-0x0000000000330000-memory.dmp

Filesize
1.1MB

Download
memory/1532-495-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download
memory/1944-37-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/1944-38-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/1976-251-0x0000000000DC0000-0x0000000000ED0000-memory.dmp

Filesize
1.1MB

Download
memory/1976-252-0x0000000000280000-0x0000000000292000-memory.dmp

Filesize
72KB

Download
memory/2052-435-0x0000000000370000-0x0000000000480000-memory.dmp

Filesize
1.1MB

Download
memory/2528-79-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2528-78-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2532-375-0x0000000001010000-0x0000000001120000-memory.dmp

Filesize
1.1MB

Download
memory/2676-16-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2676-13-0x0000000001190000-0x00000000012A0000-memory.dmp

Filesize
1.1MB

Download
memory/2676-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2676-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2676-17-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2796-44-0x0000000000980000-0x0000000000992000-memory.dmp

Filesize
72KB

Download
memory/2860-191-0x0000000000B80000-0x0000000000C90000-memory.dmp

Filesize
1.1MB

Download
memory/2896-312-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download