dcrat | 0439084aa3446284d0fa721c6b6becc7ddc3220691ff089fabc25af38bab10ea

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0439084aa3446284d0fa721c6b6becc7ddc3220691ff089fabc25af38bab10ea.exe
Size

1.3MB
MD5

0b113ec15bb5ccb71d4ddde8fd6c9cd9
SHA1

ba4196d40fb55a3cea9843d6705c7c4c8dfb50d0
SHA256

0439084aa3446284d0fa721c6b6becc7ddc3220691ff089fabc25af38bab10ea
SHA512

fc4b066a243ac3ec4dba01eff8745b60a672c8c38466cc08f3d3461a45f45386ad9ab3f5459b6fe2b403ab18603f0ba3a76a1f89c5da5a6507abdc9e3585abfa
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2608	schtasks.exe	34

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015e25-12.dat	dcrat
behavioral1/memory/2724-13-0x0000000001250000-0x0000000001360000-memory.dmp	dcrat
behavioral1/memory/2468-126-0x0000000000F00000-0x0000000001010000-memory.dmp	dcrat
behavioral1/memory/2224-305-0x00000000000A0000-0x00000000001B0000-memory.dmp	dcrat
behavioral1/memory/524-365-0x0000000001300000-0x0000000001410000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2404	powershell.exe
1040	powershell.exe
976	powershell.exe
2524	powershell.exe
2100	powershell.exe
2080	powershell.exe
3020	powershell.exe
680	powershell.exe
2536	powershell.exe
2984	powershell.exe
772	powershell.exe
1916	powershell.exe
284	powershell.exe
1892	powershell.exe
1252	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
2724	DllCommonsvc.exe
2468	smss.exe
1520	smss.exe
1804	smss.exe
2224	smss.exe
524	smss.exe
1548	smss.exe
564	smss.exe
2192	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
2996	cmd.exe
2996	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Office14\1033\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\it-IT\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Purble Place\ja-JP\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Purble Place\ja-JP\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\it-IT\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\fonts\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\fonts\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\69ddcba757bf72	DllCommonsvc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Boot\Fonts\taskhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0439084aa3446284d0fa721c6b6becc7ddc3220691ff089fabc25af38bab10ea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2456	schtasks.exe
824	schtasks.exe
2836	schtasks.exe
1884	schtasks.exe
1764	schtasks.exe
2680	schtasks.exe
2200	schtasks.exe
3016	schtasks.exe
1568	schtasks.exe
2428	schtasks.exe
2784	schtasks.exe
2852	schtasks.exe
1904	schtasks.exe
2788	schtasks.exe
1148	schtasks.exe
2324	schtasks.exe
1048	schtasks.exe
1744	schtasks.exe
2676	schtasks.exe
2060	schtasks.exe
1280	schtasks.exe
2452	schtasks.exe
1644	schtasks.exe
2224	schtasks.exe
1164	schtasks.exe
2132	schtasks.exe
628	schtasks.exe
1132	schtasks.exe
2308	schtasks.exe
2588	schtasks.exe
1736	schtasks.exe
2296	schtasks.exe
1640	schtasks.exe
1540	schtasks.exe
3044	schtasks.exe
1144	schtasks.exe
2696	schtasks.exe
1696	schtasks.exe
1620	schtasks.exe
2440	schtasks.exe
1472	schtasks.exe
3024	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2724	DllCommonsvc.exe
2724	DllCommonsvc.exe
2724	DllCommonsvc.exe
2724	DllCommonsvc.exe
2724	DllCommonsvc.exe
2724	DllCommonsvc.exe
2724	DllCommonsvc.exe
2724	DllCommonsvc.exe
2724	DllCommonsvc.exe
2984	powershell.exe
1040	powershell.exe
976	powershell.exe
1252	powershell.exe
2404	powershell.exe
772	powershell.exe
284	powershell.exe
680	powershell.exe
1916	powershell.exe
1892	powershell.exe
2536	powershell.exe
2080	powershell.exe
2524	powershell.exe
2100	powershell.exe
3020	powershell.exe
2468	smss.exe
1520	smss.exe
1804	smss.exe
2224	smss.exe
524	smss.exe
1548	smss.exe
564	smss.exe
2192	smss.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	DllCommonsvc.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	284	powershell.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	2468	smss.exe
Token: SeDebugPrivilege	1520	smss.exe
Token: SeDebugPrivilege	1804	smss.exe
Token: SeDebugPrivilege	2224	smss.exe
Token: SeDebugPrivilege	524	smss.exe
Token: SeDebugPrivilege	1548	smss.exe
Token: SeDebugPrivilege	564	smss.exe
Token: SeDebugPrivilege	2192	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 2316	2800	JaffaCakes118_0439084aa3446284d0fa721c6b6becc7ddc3220691ff089fabc25af38bab10ea.exe	30
PID 2800 wrote to memory of 2316	2800	JaffaCakes118_0439084aa3446284d0fa721c6b6becc7ddc3220691ff089fabc25af38bab10ea.exe	30
PID 2800 wrote to memory of 2316	2800	JaffaCakes118_0439084aa3446284d0fa721c6b6becc7ddc3220691ff089fabc25af38bab10ea.exe	30
PID 2800 wrote to memory of 2316	2800	JaffaCakes118_0439084aa3446284d0fa721c6b6becc7ddc3220691ff089fabc25af38bab10ea.exe	30
PID 2316 wrote to memory of 2996	2316	WScript.exe	31
PID 2316 wrote to memory of 2996	2316	WScript.exe	31
PID 2316 wrote to memory of 2996	2316	WScript.exe	31
PID 2316 wrote to memory of 2996	2316	WScript.exe	31
PID 2996 wrote to memory of 2724	2996	cmd.exe	33
PID 2996 wrote to memory of 2724	2996	cmd.exe	33
PID 2996 wrote to memory of 2724	2996	cmd.exe	33
PID 2996 wrote to memory of 2724	2996	cmd.exe	33
PID 2724 wrote to memory of 2100	2724	DllCommonsvc.exe	77
PID 2724 wrote to memory of 2100	2724	DllCommonsvc.exe	77
PID 2724 wrote to memory of 2100	2724	DllCommonsvc.exe	77
PID 2724 wrote to memory of 1892	2724	DllCommonsvc.exe	78
PID 2724 wrote to memory of 1892	2724	DllCommonsvc.exe	78
PID 2724 wrote to memory of 1892	2724	DllCommonsvc.exe	78
PID 2724 wrote to memory of 1252	2724	DllCommonsvc.exe	80
PID 2724 wrote to memory of 1252	2724	DllCommonsvc.exe	80
PID 2724 wrote to memory of 1252	2724	DllCommonsvc.exe	80
PID 2724 wrote to memory of 772	2724	DllCommonsvc.exe	81
PID 2724 wrote to memory of 772	2724	DllCommonsvc.exe	81
PID 2724 wrote to memory of 772	2724	DllCommonsvc.exe	81
PID 2724 wrote to memory of 3020	2724	DllCommonsvc.exe	83
PID 2724 wrote to memory of 3020	2724	DllCommonsvc.exe	83
PID 2724 wrote to memory of 3020	2724	DllCommonsvc.exe	83
PID 2724 wrote to memory of 2524	2724	DllCommonsvc.exe	85
PID 2724 wrote to memory of 2524	2724	DllCommonsvc.exe	85
PID 2724 wrote to memory of 2524	2724	DllCommonsvc.exe	85
PID 2724 wrote to memory of 2536	2724	DllCommonsvc.exe	86
PID 2724 wrote to memory of 2536	2724	DllCommonsvc.exe	86
PID 2724 wrote to memory of 2536	2724	DllCommonsvc.exe	86
PID 2724 wrote to memory of 2080	2724	DllCommonsvc.exe	87
PID 2724 wrote to memory of 2080	2724	DllCommonsvc.exe	87
PID 2724 wrote to memory of 2080	2724	DllCommonsvc.exe	87
PID 2724 wrote to memory of 976	2724	DllCommonsvc.exe	88
PID 2724 wrote to memory of 976	2724	DllCommonsvc.exe	88
PID 2724 wrote to memory of 976	2724	DllCommonsvc.exe	88
PID 2724 wrote to memory of 680	2724	DllCommonsvc.exe	89
PID 2724 wrote to memory of 680	2724	DllCommonsvc.exe	89
PID 2724 wrote to memory of 680	2724	DllCommonsvc.exe	89
PID 2724 wrote to memory of 284	2724	DllCommonsvc.exe	90
PID 2724 wrote to memory of 284	2724	DllCommonsvc.exe	90
PID 2724 wrote to memory of 284	2724	DllCommonsvc.exe	90
PID 2724 wrote to memory of 1916	2724	DllCommonsvc.exe	91
PID 2724 wrote to memory of 1916	2724	DllCommonsvc.exe	91
PID 2724 wrote to memory of 1916	2724	DllCommonsvc.exe	91
PID 2724 wrote to memory of 1040	2724	DllCommonsvc.exe	92
PID 2724 wrote to memory of 1040	2724	DllCommonsvc.exe	92
PID 2724 wrote to memory of 1040	2724	DllCommonsvc.exe	92
PID 2724 wrote to memory of 2984	2724	DllCommonsvc.exe	93
PID 2724 wrote to memory of 2984	2724	DllCommonsvc.exe	93
PID 2724 wrote to memory of 2984	2724	DllCommonsvc.exe	93
PID 2724 wrote to memory of 2404	2724	DllCommonsvc.exe	94
PID 2724 wrote to memory of 2404	2724	DllCommonsvc.exe	94
PID 2724 wrote to memory of 2404	2724	DllCommonsvc.exe	94
PID 2724 wrote to memory of 2736	2724	DllCommonsvc.exe	104
PID 2724 wrote to memory of 2736	2724	DllCommonsvc.exe	104
PID 2724 wrote to memory of 2736	2724	DllCommonsvc.exe	104
PID 2736 wrote to memory of 1812	2736	cmd.exe	109
PID 2736 wrote to memory of 1812	2736	cmd.exe	109
PID 2736 wrote to memory of 1812	2736	cmd.exe	109
PID 2736 wrote to memory of 2468	2736	cmd.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0439084aa3446284d0fa721c6b6becc7ddc3220691ff089fabc25af38bab10ea.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0439084aa3446284d0fa721c6b6becc7ddc3220691ff089fabc25af38bab10ea.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft Help\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Purble Place\ja-JP\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\bin\plugin2\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\it-IT\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Mw7UChg7s6.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1812
      - C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat"
        7⤵
        
        PID:2376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2480
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lmMgPtgxf2.bat"
        9⤵
        
        PID:2432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2704
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BjebbrynYr.bat"
        11⤵
        
        PID:800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1568
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IuwUCT1VMm.bat"
        13⤵
        
        PID:1876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1832
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BYj1kG62r9.bat"
        15⤵
        
        PID:1476
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2944
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat"
        17⤵
        
        PID:864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2272
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K00M4WFsUw.bat"
        19⤵
        
        PID:2476
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1948
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft Help\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft Help\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\fonts\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\fonts\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Games\Purble Place\ja-JP\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Purble Place\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\Purble Place\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\bin\plugin2\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\plugin2\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jre7\bin\plugin2\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\1033\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Libraries\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Libraries\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\it-IT\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
781840dcc2813ed771a5f32e6e55e2b3

SHA1
801e3b4ec3dfd613c97b3fb9206c38af5b75bcd3

SHA256
4ee69246f56c2e23bc1dfe86ef8790dc163f677c3afcdf5a1d788863b879d410

SHA512
21c8690e91a4c725dcfb7082b96dc20ae8814b064a86bc685a8900f00eb784bbf0e6e67266d6e0f8e580d088075f5f51099833b66547f2048bd88830c28f5744

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
864d963e8cbec83430cc04be83a0b9c0

SHA1
1e5c942eb6083762a10b7a959de6d803a2e22362

SHA256
99b6fb018be4d6c959e09fd31958108320eaa4d8ab375c8d741cc53e53f76fc8

SHA512
e23ae61cd2aced2aa55fc7fc8362e28ecc8beda10c7c3f3faf6e0c91dd82a77f8be24c6f760d2541a70177abef6db5f75e4897f7e7dc7be597351f95bbc8f18c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a09e56e548ef7021d7030a878344ef5b

SHA1
ef6078cb5ad5dffac86404e6fc03eb2032b3eef2

SHA256
e22d13b8900d8594904433a5d9e53e6ec973925d39cd4f824076a46d71398257

SHA512
e0207adb94e3aa069f43c43484d221371ff48f38e102b56958b63d52fe2d2d39d04f9937317fb2fcff4a9abde3b95a7e614a17a0497c81ab11530a5fc8272077

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22349887079ebcf2ad35fb4b9acc916c

SHA1
903007f875a7106d47f1941fa3cfa6a74cfe6cb6

SHA256
2cc151caa1a1a00eb81b8c84db1c27fc2ae71c6c48626dca4960fbb3a4736766

SHA512
8df4dae7a98c563906ab4b3b1cb0ed8d9be91070b964bb76e77fb497094ba20f8bb69d14e503abb84aa85054e6041ace6b8a2444417b3fa6dc570dbf92449349

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42e7bdb4fae8e9cfb746557c388c2154

SHA1
a97d3fbeec5ba41342aaa3c00aaeb0b58a837cd9

SHA256
6f93405adab7e9e3a6de66a9943378c311a9ef6e8e4f718fd82c6652fe7646d5

SHA512
a260c339a6ebd9d95193a9f2a6cba5179aa7140c5eb7af078983248fd378c6332a528b07bfa13412d68ed282c056d70515ab3d87b0521bc138d4b0a9e5744343

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6db0ac5217a07ba13ed434aaabc2cac

SHA1
1f8b3011f8c5cae98a34ac6365d989f1f4385963

SHA256
0f0142cef82971a362b79cc1be99c8b16b12da76375f3255de0be8dd70b1423f

SHA512
780e0bdf9ee8952a32bbb65bd7947fef7f3e959996829f15efa3b41c01a1ab8f8bf3e85b13c263b1233e4b48b04cc226992437f2481c968872afb85d56d882eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYj1kG62r9.bat

Filesize
236B

MD5
21d224732f313777fbd02c84b0519f1c

SHA1
60e243ad14e4efc299ee2b3a8a8bf0b9ed217f34

SHA256
dba989da29d68fca53ddc9eedb122a2ec1c7a1d6b208a31fc1c165d56e6a340d

SHA512
cd4b1ca2dd89594907e472240fda5422ada9b2be0e2ae47d6ff84bd523fda26b9ddd6eb7e0a976074c2d21497fba95f977e00541d72a7e7cf5433de9b21adef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\BjebbrynYr.bat

Filesize
236B

MD5
28d4f40b60b9287271e2667c76d6771a

SHA1
46b125c024f91ab2ed37876a4852783aeb4f505f

SHA256
a75587a14052ee9ecd7c124c2df217230552acb6a534a72f580692feca51647d

SHA512
c94dab9b3382fc0c5285a7f559e1afad55913a57349e481c3d43100c86535d457bbc50352fcf2efce1f9fe1d92564a30e71c3872b565ca8168499bcdb1cc4464

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBE52.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IuwUCT1VMm.bat

Filesize
236B

MD5
2d9843e40dbc774b6fdb021028a7026a

SHA1
81267767b71fcd91d2c9d066c02242d266ed0ab2

SHA256
fbe709c2ce69d37b8862364c044b5448948cac587d2b704b443c96ffcfb5df94

SHA512
cf40847611599b648840dd7f6acebc758e1923bf806936936ebf550820ea35ee304c3f4c78e6df1b71770cbc16a9f22681103890216a7fa647a314b1c9172440

Download Submit
C:\Users\Admin\AppData\Local\Temp\K00M4WFsUw.bat

Filesize
236B

MD5
43acac56ab28e956caaea67a823d6793

SHA1
569049d437ca5c6e4e583e9813c735db6d906074

SHA256
eeee276f12d131ad67d8bd93ddc2668ba2e7618dfec4178c70993fc0bcda81fc

SHA512
1e94089aa84c0d756e9a843b4e3bb14da757716d82095dd2dd6c497d0f62e44a9e81601e051f5b56ba7ad94148abe105226576ede646df9f99a7db3b09a7390e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat

Filesize
236B

MD5
501ad6f88bf14f578784355e20bc5aea

SHA1
32645903c27a1c7cdf751471a0b0e669c5b45af9

SHA256
382bb8cd7be74a782e589050f48f4c2266b1b8bce8988c92b0aa0c6d138724f8

SHA512
319a120f20956a3d566bb6b2ee927bbc41add97eed6e457a1c6ca0c5453b892c01aae79fe9f5d3b350799020579eddb732b841d5e6f4c507faae18eb156aee2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mw7UChg7s6.bat

Filesize
236B

MD5
67b13fbb23ee0dc21dcc3facca3a0d7a

SHA1
ac484303f65a1cb12d421e38336c1f259bd9b144

SHA256
c0a14cc1e9b30b41007bcde4a5a2444acca73472eb5544640ac70e4bb05bed73

SHA512
1c17567c783e9622379c130ae1e41b749597df3b7462a3c3ab78bd72f398f646aa200baa61d0e21c5ea8bcd2c1c1280282b7f79ed89cc18588012c42b3de80bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBE64.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat

Filesize
236B

MD5
d26d4a8ca7b114ebfc7830211b091de9

SHA1
b9c479baf6b8b8dcd0523766322560c07bddeaed

SHA256
de0d2875296163a8e1ac0f2c1375bd12b677912b2af31a44529a5fe93f6797db

SHA512
276d5fcaf3f573d871869eb763fa980db03df1a398c315be669eb71b7c64acd3d497cbe6695e588f0d8f5237d1456b33a24cf92f30d27f7a2e98c82ee899cb53

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmMgPtgxf2.bat

Filesize
236B

MD5
156096c31bf9427c5d4314132cf1b6af

SHA1
2a91728ac7a6b93317cb5f4a7d7e20477aafd480

SHA256
85847c082c2618c7d84e7393c8ce64a06aab9acef0a171262a548e06eb837fe9

SHA512
97fbdc29f594a287204f52cf81f06d2ea8deabdf1670560b2b1e6301b78eb2752843b88088d0e8c9e920a2dba6be20d0b46a6190a9472372947afe4d5bb1405b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DDGYCBNARQ5CPIV1C5Q7.temp

Filesize
7KB

MD5
4236c713d0f2443ca684bc575e4df1b9

SHA1
315f7f71131bb3c694a845748090fa0a2985bb47

SHA256
ad0792059670c2fd58db160e8790d6f678529d6e36a499b23487014bb63736b6

SHA512
9bb933a439829961e670d67d69b4931cb13e7ef86892599eb25afe665fd149478edf17420a5fc625cc9e0621642c13cbe1273a30482f241999710d9138f93420

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/524-365-0x0000000001300000-0x0000000001410000-memory.dmp

Filesize
1.1MB

Download
memory/1040-104-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/1804-245-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/2224-305-0x00000000000A0000-0x00000000001B0000-memory.dmp

Filesize
1.1MB

Download
memory/2468-127-0x0000000000580000-0x0000000000592000-memory.dmp

Filesize
72KB

Download
memory/2468-126-0x0000000000F00000-0x0000000001010000-memory.dmp

Filesize
1.1MB

Download
memory/2724-17-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2724-16-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2724-15-0x00000000002C0000-0x00000000002CC000-memory.dmp

Filesize
48KB

Download
memory/2724-14-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/2724-13-0x0000000001250000-0x0000000001360000-memory.dmp

Filesize
1.1MB

Download
memory/2984-103-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download