dcrat | b5380a4f03f883b58f4f6df3fb7192d56235c89d2699598c6c7ac2c7d690a06f

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b5380a4f03f883b58f4f6df3fb7192d56235c89d2699598c6c7ac2c7d690a06f.exe
Size

1.3MB
MD5

a1b34eac480e0ce25371955586ff92da
SHA1

2844d78c6449bbfbd5e13f1a03bcc97f79f85bff
SHA256

b5380a4f03f883b58f4f6df3fb7192d56235c89d2699598c6c7ac2c7d690a06f
SHA512

fc9f535490a9f9150dc381bc30cface37e96a60cc6cb68eac99b9e1f91c8a5323ea36c57a04f2feb1bd018ed4dce41d20bbf5b0bfbb4b9fa2efc7e62e5fd12e0
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2548	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2548	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016e1d-11.dat	dcrat
behavioral1/memory/2852-13-0x0000000001190000-0x00000000012A0000-memory.dmp	dcrat
behavioral1/memory/2164-50-0x00000000011D0000-0x00000000012E0000-memory.dmp	dcrat
behavioral1/memory/2388-181-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/616-241-0x0000000000F30000-0x0000000001040000-memory.dmp	dcrat
behavioral1/memory/2336-360-0x0000000000250000-0x0000000000360000-memory.dmp	dcrat
behavioral1/memory/996-421-0x0000000001200000-0x0000000001310000-memory.dmp	dcrat
behavioral1/memory/2420-481-0x0000000000200000-0x0000000000310000-memory.dmp	dcrat
behavioral1/memory/2684-541-0x0000000000360000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/1212-601-0x0000000001310000-0x0000000001420000-memory.dmp	dcrat
behavioral1/memory/2944-661-0x0000000001380000-0x0000000001490000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2652	powershell.exe
288	powershell.exe
2080	powershell.exe
1636	powershell.exe
2240	powershell.exe
1888	powershell.exe
1316	powershell.exe
1700	powershell.exe
764	powershell.exe
2612	powershell.exe
1496	powershell.exe
1464	powershell.exe
1968	powershell.exe
2284	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2852	DllCommonsvc.exe
2164	smss.exe
2388	smss.exe
616	smss.exe
2304	smss.exe
2336	smss.exe
996	smss.exe
2420	smss.exe
2684	smss.exe
1212	smss.exe
2944	smss.exe
2416	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
2864	cmd.exe
2864	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
25	raw.githubusercontent.com
28	raw.githubusercontent.com
35	raw.githubusercontent.com
5	raw.githubusercontent.com
18	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
22	raw.githubusercontent.com
31	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\Icons\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\it-IT\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\it-IT\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\24dbde2999530e	DllCommonsvc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\servicing\Idle.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b5380a4f03f883b58f4f6df3fb7192d56235c89d2699598c6c7ac2c7d690a06f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
264	schtasks.exe
844	schtasks.exe
2916	schtasks.exe
540	schtasks.exe
2216	schtasks.exe
2188	schtasks.exe
1976	schtasks.exe
1224	schtasks.exe
2412	schtasks.exe
1568	schtasks.exe
1160	schtasks.exe
2156	schtasks.exe
1864	schtasks.exe
2260	schtasks.exe
768	schtasks.exe
1392	schtasks.exe
2324	schtasks.exe
2964	schtasks.exe
2640	schtasks.exe
2208	schtasks.exe
1768	schtasks.exe
2116	schtasks.exe
2144	schtasks.exe
1376	schtasks.exe
2076	schtasks.exe
1060	schtasks.exe
2228	schtasks.exe
1552	schtasks.exe
2512	schtasks.exe
3016	schtasks.exe
2380	schtasks.exe
1044	schtasks.exe
2244	schtasks.exe
1336	schtasks.exe
900	schtasks.exe
2476	schtasks.exe
2436	schtasks.exe
1816	schtasks.exe
1324	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2852	DllCommonsvc.exe
2852	DllCommonsvc.exe
2852	DllCommonsvc.exe
2852	DllCommonsvc.exe
2852	DllCommonsvc.exe
2612	powershell.exe
288	powershell.exe
1968	powershell.exe
2164	smss.exe
1888	powershell.exe
2240	powershell.exe
1496	powershell.exe
1464	powershell.exe
764	powershell.exe
1700	powershell.exe
1316	powershell.exe
1636	powershell.exe
2080	powershell.exe
2652	powershell.exe
2284	powershell.exe
2388	smss.exe
616	smss.exe
2304	smss.exe
2336	smss.exe
996	smss.exe
2420	smss.exe
2684	smss.exe
1212	smss.exe
2944	smss.exe
2416	smss.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2852	DllCommonsvc.exe
Token: SeDebugPrivilege	2164	smss.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	288	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	2388	smss.exe
Token: SeDebugPrivilege	616	smss.exe
Token: SeDebugPrivilege	2304	smss.exe
Token: SeDebugPrivilege	2336	smss.exe
Token: SeDebugPrivilege	996	smss.exe
Token: SeDebugPrivilege	2420	smss.exe
Token: SeDebugPrivilege	2684	smss.exe
Token: SeDebugPrivilege	1212	smss.exe
Token: SeDebugPrivilege	2944	smss.exe
Token: SeDebugPrivilege	2416	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2748	1900	JaffaCakes118_b5380a4f03f883b58f4f6df3fb7192d56235c89d2699598c6c7ac2c7d690a06f.exe	30
PID 1900 wrote to memory of 2748	1900	JaffaCakes118_b5380a4f03f883b58f4f6df3fb7192d56235c89d2699598c6c7ac2c7d690a06f.exe	30
PID 1900 wrote to memory of 2748	1900	JaffaCakes118_b5380a4f03f883b58f4f6df3fb7192d56235c89d2699598c6c7ac2c7d690a06f.exe	30
PID 1900 wrote to memory of 2748	1900	JaffaCakes118_b5380a4f03f883b58f4f6df3fb7192d56235c89d2699598c6c7ac2c7d690a06f.exe	30
PID 2748 wrote to memory of 2864	2748	WScript.exe	31
PID 2748 wrote to memory of 2864	2748	WScript.exe	31
PID 2748 wrote to memory of 2864	2748	WScript.exe	31
PID 2748 wrote to memory of 2864	2748	WScript.exe	31
PID 2864 wrote to memory of 2852	2864	cmd.exe	33
PID 2864 wrote to memory of 2852	2864	cmd.exe	33
PID 2864 wrote to memory of 2852	2864	cmd.exe	33
PID 2864 wrote to memory of 2852	2864	cmd.exe	33
PID 2852 wrote to memory of 1968	2852	DllCommonsvc.exe	74
PID 2852 wrote to memory of 1968	2852	DllCommonsvc.exe	74
PID 2852 wrote to memory of 1968	2852	DllCommonsvc.exe	74
PID 2852 wrote to memory of 288	2852	DllCommonsvc.exe	75
PID 2852 wrote to memory of 288	2852	DllCommonsvc.exe	75
PID 2852 wrote to memory of 288	2852	DllCommonsvc.exe	75
PID 2852 wrote to memory of 1888	2852	DllCommonsvc.exe	76
PID 2852 wrote to memory of 1888	2852	DllCommonsvc.exe	76
PID 2852 wrote to memory of 1888	2852	DllCommonsvc.exe	76
PID 2852 wrote to memory of 2612	2852	DllCommonsvc.exe	77
PID 2852 wrote to memory of 2612	2852	DllCommonsvc.exe	77
PID 2852 wrote to memory of 2612	2852	DllCommonsvc.exe	77
PID 2852 wrote to memory of 1316	2852	DllCommonsvc.exe	80
PID 2852 wrote to memory of 1316	2852	DllCommonsvc.exe	80
PID 2852 wrote to memory of 1316	2852	DllCommonsvc.exe	80
PID 2852 wrote to memory of 764	2852	DllCommonsvc.exe	81
PID 2852 wrote to memory of 764	2852	DllCommonsvc.exe	81
PID 2852 wrote to memory of 764	2852	DllCommonsvc.exe	81
PID 2852 wrote to memory of 1464	2852	DllCommonsvc.exe	82
PID 2852 wrote to memory of 1464	2852	DllCommonsvc.exe	82
PID 2852 wrote to memory of 1464	2852	DllCommonsvc.exe	82
PID 2852 wrote to memory of 2652	2852	DllCommonsvc.exe	83
PID 2852 wrote to memory of 2652	2852	DllCommonsvc.exe	83
PID 2852 wrote to memory of 2652	2852	DllCommonsvc.exe	83
PID 2852 wrote to memory of 2284	2852	DllCommonsvc.exe	84
PID 2852 wrote to memory of 2284	2852	DllCommonsvc.exe	84
PID 2852 wrote to memory of 2284	2852	DllCommonsvc.exe	84
PID 2852 wrote to memory of 2080	2852	DllCommonsvc.exe	85
PID 2852 wrote to memory of 2080	2852	DllCommonsvc.exe	85
PID 2852 wrote to memory of 2080	2852	DllCommonsvc.exe	85
PID 2852 wrote to memory of 2240	2852	DllCommonsvc.exe	86
PID 2852 wrote to memory of 2240	2852	DllCommonsvc.exe	86
PID 2852 wrote to memory of 2240	2852	DllCommonsvc.exe	86
PID 2852 wrote to memory of 1700	2852	DllCommonsvc.exe	87
PID 2852 wrote to memory of 1700	2852	DllCommonsvc.exe	87
PID 2852 wrote to memory of 1700	2852	DllCommonsvc.exe	87
PID 2852 wrote to memory of 1636	2852	DllCommonsvc.exe	88
PID 2852 wrote to memory of 1636	2852	DllCommonsvc.exe	88
PID 2852 wrote to memory of 1636	2852	DllCommonsvc.exe	88
PID 2852 wrote to memory of 1496	2852	DllCommonsvc.exe	89
PID 2852 wrote to memory of 1496	2852	DllCommonsvc.exe	89
PID 2852 wrote to memory of 1496	2852	DllCommonsvc.exe	89
PID 2852 wrote to memory of 2164	2852	DllCommonsvc.exe	102
PID 2852 wrote to memory of 2164	2852	DllCommonsvc.exe	102
PID 2852 wrote to memory of 2164	2852	DllCommonsvc.exe	102
PID 2164 wrote to memory of 3012	2164	smss.exe	104
PID 2164 wrote to memory of 3012	2164	smss.exe	104
PID 2164 wrote to memory of 3012	2164	smss.exe	104
PID 3012 wrote to memory of 760	3012	cmd.exe	106
PID 3012 wrote to memory of 760	3012	cmd.exe	106
PID 3012 wrote to memory of 760	3012	cmd.exe	106
PID 3012 wrote to memory of 2388	3012	cmd.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b5380a4f03f883b58f4f6df3fb7192d56235c89d2699598c6c7ac2c7d690a06f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b5380a4f03f883b58f4f6df3fb7192d56235c89d2699598c6c7ac2c7d690a06f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\it-IT\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\fr-FR\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
    - - C:\Program Files (x86)\Windows Portable Devices\smss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\smss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2164
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WLCDTNV5Zk.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:760
        
        C:\Program Files (x86)\Windows Portable Devices\smss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\smss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ANE2RWndQ4.bat"
        8⤵
        
        PID:1936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:672
        
        C:\Program Files (x86)\Windows Portable Devices\smss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\smss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\svsOdT1nlB.bat"
        10⤵
        
        PID:1620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1912
        
        C:\Program Files (x86)\Windows Portable Devices\smss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\smss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\53OVnhiNRT.bat"
        12⤵
        
        PID:2276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1044
        
        C:\Program Files (x86)\Windows Portable Devices\smss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\smss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tiBdOqTAMf.bat"
        14⤵
        
        PID:1252
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2168
        
        C:\Program Files (x86)\Windows Portable Devices\smss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\smss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0PvuKmrV6l.bat"
        16⤵
        
        PID:1688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:764
        
        C:\Program Files (x86)\Windows Portable Devices\smss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\smss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gy1gqmGK9f.bat"
        18⤵
        
        PID:2172
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2716
        
        C:\Program Files (x86)\Windows Portable Devices\smss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\smss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0MFyH7TMVd.bat"
        20⤵
        
        PID:1900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2708
        
        C:\Program Files (x86)\Windows Portable Devices\smss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\smss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat"
        22⤵
        
        PID:2028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2996
        
        C:\Program Files (x86)\Windows Portable Devices\smss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\smss.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wpigNgqS7W.bat"
        24⤵
        
        PID:2108
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2864
        
        C:\Program Files (x86)\Windows Portable Devices\smss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\smss.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Desktop\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\it-IT\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows NT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6931fb9546e9d11e65860c84443e08a0

SHA1
5988cf10d506792c27a505c1a724c8194375d0a4

SHA256
ee6f6b243d2c6afd9acd602d01413be94ec72391d8d590409c1558a7b22e4118

SHA512
0fdc2423af6a3b05a80520b925a12959dffc798114c45883d7f27dbdbeda44fa3579ef22241e962c9377ec389e1c0156791193b92ce98b2586cfad8dd1d5bbce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c737ee93e15f55880214b23493a5e73e

SHA1
975825143f9b83c231d3c3955e2f9d2a04ab579d

SHA256
94855d237c73a2762e15a41b6cc159cf4dbf2ff7359ee744319a6b37181177cd

SHA512
9bfca195ab0060ec7619672269e4b6f21bab9c2b14af503c6f49b615a62cbe9603445b300bdd8922e61f5be895c9524323a3b7092308d028573184189cb74af1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bced604af88d5f0ea96b6c9870b1c798

SHA1
8967e05383a675b693649de32d88414159569d79

SHA256
a9f82f8de5abd0d67c9b1bfefc100b8fa4782055e9887131a7a09406a89b9605

SHA512
bd066a24e5853f58284ecb7c062e0377fa245d5c3248ffd4cff70706a223a6c4cac5a6d792c61dd18429d7b35bcac5e10cfe714b0086abbf18db980a2b3f7859

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c751c0f3d7d8987936f504b86059935f

SHA1
98b8d6e2736cb1869c3895a59f75fac356e57dd1

SHA256
73ec5d7cc02fa9eeb2ca3c6360ca4ad157745421e7b4f85cb35c29e9f29ebd35

SHA512
45e36874a5813ec6225efecfdf92baecb3146d606b8a4201c6b74995fd398333d848009865eb0c448b61051296260b5d6bdb877d671433023a83d3a696dec786

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1dda95423f8126e4a3c621725d006961

SHA1
6fa11eba3a35eccb9f777db11b951e2fa15c06c5

SHA256
904ca278b9d15c1d55bae9babb50d8d73ebdad894d344076a8f8085daf34f891

SHA512
82e3026863fb1f75ae9ccf7fbb5c230dd58b3b54c8ba09429c399e131873623386f9f69ba4c88bd9b247da93f8fdb289dbf5a552f879b66929fdfb7abce10067

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3309e84e89aedb79e154593bbed078c0

SHA1
843921ffe9b8ebdb7606ac1c014a064e895eb79a

SHA256
37ffb1860503fe610becff0e0c77b3ba6ca1ad4d17c79c113ad2bf705ab95a14

SHA512
33ba822d758a14092b5645f1d795b0db71b48b449e22f308c41141cbaf9503666cf0e3fbbcc59a06390624dfb3e3c6f3b9f85c11bf889881fcbb92c662fc1f9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d72e1916e87bcb55ee0904de7ee4c327

SHA1
3b034e850fce16d85fdc1e9e538f2fbefc8519db

SHA256
b76362b67f533af8a7ef84b550ec927a9ff310411110a2f943b285e0498d4648

SHA512
6e2eb723523e5db6757afb748247a081d4c4a4995ddf3b5d35e80dbb35a02f6daf9b1431bcc7228c2cf6faae1d70fae8f2933b0b5eecc0fda6103ae62ca6dff4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7481331c0b3804acc2476b007f72d831

SHA1
8e83a4e7146f6e81ec8d1805ff03a98db4258202

SHA256
3b9240a5d9a6fa8e6fd58e548a10c1711ec73039650e36907e8b461aef5b0f17

SHA512
5ccbb89f53a1613c3bf32152c2611606d3b150cae4bab5e195d2226e0f56a2523013ea938bc2362439c228df98507fee6018b5e7fbe58b176ae71ff7c39146ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efa1505e501aa4fdcccc78d2ce097834

SHA1
2cfb77e75f70675d901ce5ef711b179d6e2225b0

SHA256
a6e53cfdba96bcf442a3f2cde3cbc8809ed904845202937ad621f63c004d7dfe

SHA512
858fb8db72a9cdfd2473a7e4fbcaae21f8a8e79585b93510c8d964c23ed38ca9579b755d6d5ac28262ca3f3b5f7e946d39f61cb5dc4aaf3f766c6dc334f4991b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0MFyH7TMVd.bat

Filesize
221B

MD5
67a2d1a7cadcb0e6ad9022240cad2d1f

SHA1
335837c012a2ebe0487ed4be1e60256818679a7d

SHA256
2d7a55cfe9e207fab0d6221e3fa28f84eb731c2df240c22336e4e1d1415c1c33

SHA512
f653f4e22b77a2dbc470dbd463e832d3b69ee648c8baaf490ef3b913c1e7642f9eed9a69d7059cbcb640f4754724453b63aaaa8685a3ee0509320fc7f0f4bf99

Download Submit
C:\Users\Admin\AppData\Local\Temp\0PvuKmrV6l.bat

Filesize
221B

MD5
6010473ff5058d3ae78628d51fbe1f36

SHA1
12d9b927736fd71f9b9bd2b07f5fe90fa2bdbff0

SHA256
75cdc721120302f206aaab2932d046d0be63c9a6572f6a222dc343fc7cc892bc

SHA512
5f0fa47cd3452cdb0dc5b9b85cd16246de41727fb7cf58cf63a8ecb796b8eecd85a5dc9bf20a4726e6d77c92e118ff03cdc34b0e7336ee99a346f6132db5b07b

Download Submit
C:\Users\Admin\AppData\Local\Temp\53OVnhiNRT.bat

Filesize
221B

MD5
ffd671df6cce692529ca816f9693d238

SHA1
2445cb5fa1ca5494f7638aedaad63a7d11481a3c

SHA256
89a1db435df8894f4d5c1b9082f6702ec05acc5c5c37457e764f4f2a12688739

SHA512
ff9049bf925e62fe25e34d2e9be5512100d0ec8a9240d20541407caae9031ac0111269ad58e7d02fdb6a5d30199f5f877da2bdfbe539a871a204c08251195edd

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat

Filesize
221B

MD5
9c1263a25216db87a25e5b9ec2c9f9b4

SHA1
7e75c16e7f81d2370a105ba7945d6690e16126f6

SHA256
6b54cfe8256d1ab6c284b07a2dbbc78322cbe5bddd5316da4feb79295227e90f

SHA512
1a2021eabc033bea83c9ac85c8bcf3de27e45f7a78d81da3813e64725fab090ff94b992626f270d1b4729b1833df79ca16d75505afe7a41656c54eb3b28c5000

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANE2RWndQ4.bat

Filesize
221B

MD5
ca838465a228be41cd20283c25b7308d

SHA1
ebcffb5c82f35563a117057dc1ea9035b17402f5

SHA256
3c598e37c2a7420ea4f1e52cbab95dc43b95946faadfe25969e6c8fa7f73a672

SHA512
9d1bc4f7356d101644dab426f5bb27a1dc4465741cf417d80dd21588ffdffb42535d6ed383b69264292c78729bafe139a980d84702bee69457861dc43e77a913

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9DC7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gy1gqmGK9f.bat

Filesize
221B

MD5
8b192a9d4e36332d4dddcbfc5798eba8

SHA1
d61f587408002ab0a68e5d4f130d7e46aba87113

SHA256
99d5b0b5f2f3768114ebc3e15a0bc549b0d0d3cb767cd6cb55e1701afb7394bf

SHA512
eaddeb7468c9f86b21d0acbf0f7ca39fc0ef0f269dea011b2816915ed17ff5c74e2d8d1695343e640dabcc279690433e5e204fa0a68808d9b40ca7b811917835

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9DDA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WLCDTNV5Zk.bat

Filesize
221B

MD5
4ec335ec518ae82e6169059fbd299734

SHA1
ec00c4190fd18cc566016a6e5c7fede9aab93c05

SHA256
2c62d896c3b76c87765944b4f3035584b6d0ab188d4dac5365298c99f2dc07d5

SHA512
622fe3f9798c0ee9623511268204afe22c2fd99a7b51d97c6bc7bf03f66973c03e618335c5005fe518f9d0bf67d1902380b47eea4cc50deed1e71da382d8783a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svsOdT1nlB.bat

Filesize
221B

MD5
678eb7d9bc74875e469c1606986ab38e

SHA1
8461d859fc848a035181b7d528ba07f8d2a8e296

SHA256
935fa9fdeac799449b7016a6e993adf1f37813c5ca67c331979bffdab2bf8785

SHA512
7e9734f636ceb11400291d51159c638a69f4f518c0b43ff165d65b2f078d7bec311602566a94c46d3e29b2e0d5b26f248b4bb71f725a61bfdcf960cb826fb9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tiBdOqTAMf.bat

Filesize
221B

MD5
869b65a952ab99eaf7b330319e755620

SHA1
3268f7ae12c31b78724d97070086b514f3ff1812

SHA256
527107074bea75fc4527019fb6b90f08ba5cdd5334d8ebb3e3d7a12b7dbc081f

SHA512
d1151637c5e891bbb68903518a2aaec09d92831c110132d4afe794908a3bc5c12fe935d517a7be25f81f9ab1b9ad5753320ffc5fdfab2f9af31d46fd6c3261c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wpigNgqS7W.bat

Filesize
221B

MD5
c628d26b87c0fe932e73e37ca11a1023

SHA1
3c9cd720af40751abf0790a58bf89b78a87dbf16

SHA256
d95734a044fd1054a1b4cb05b4c3e486e5ce94147efe8576efc90659980685fe

SHA512
4d4454447952efe0cca81a67d4c3558d9a45471bd377f2446f0f7b98f2a75edd6ffdaf1a693a2a00c40d89929e7a19a04b8aa59e3d04eee0b8f277c39b663dc1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fc43dbb64d22b2ef9aa657cdf4f1262c

SHA1
121a10ebbba30520401e789ec969abbd6f55b945

SHA256
3ab22c840dc0aff41c3fed93df915b039d5e8bb7a9ce9e1440e27b6a257a39ba

SHA512
00e8b5d92a28dd8266976e0b4c288a64a8f4c2a3f73fcc2bad8bd85becdb6bd7b92d377f2f50d33df0d6e395c251adc1b8ae9a86d1343646f0ff1955c12630c1

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/616-241-0x0000000000F30000-0x0000000001040000-memory.dmp

Filesize
1.1MB

Download
memory/996-421-0x0000000001200000-0x0000000001310000-memory.dmp

Filesize
1.1MB

Download
memory/1212-601-0x0000000001310000-0x0000000001420000-memory.dmp

Filesize
1.1MB

Download
memory/2164-70-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2164-50-0x00000000011D0000-0x00000000012E0000-memory.dmp

Filesize
1.1MB

Download
memory/2336-361-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2336-360-0x0000000000250000-0x0000000000360000-memory.dmp

Filesize
1.1MB

Download
memory/2388-181-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download
memory/2420-481-0x0000000000200000-0x0000000000310000-memory.dmp

Filesize
1.1MB

Download
memory/2612-71-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2612-72-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2684-541-0x0000000000360000-0x0000000000470000-memory.dmp

Filesize
1.1MB

Download
memory/2852-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2852-13-0x0000000001190000-0x00000000012A0000-memory.dmp

Filesize
1.1MB

Download
memory/2852-17-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2852-15-0x0000000000A20000-0x0000000000A2C000-memory.dmp

Filesize
48KB

Download
memory/2852-16-0x0000000000AB0000-0x0000000000ABC000-memory.dmp

Filesize
48KB

Download
memory/2944-661-0x0000000001380000-0x0000000001490000-memory.dmp

Filesize
1.1MB

Download