dcrat | 98a8e8dcda6716bbae8544350aaba846de1e39639611489bdd559dbdda07d361

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_98a8e8dcda6716bbae8544350aaba846de1e39639611489bdd559dbdda07d361.exe
Size

1.3MB
MD5

0448034f4d76cd9c5a865614b9c3192a
SHA1

b0c94ae8fd6c6d85eea90ee3583e1a1e9d15f412
SHA256

98a8e8dcda6716bbae8544350aaba846de1e39639611489bdd559dbdda07d361
SHA512

82cfd5816102ffe12ddf41d8ce45f71b7311845edf4020266d08655910a215caeee67aeb6e1844bf4904efac3823434aba059ac229d4139f776c963e6e6318d2
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	356	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2672	schtasks.exe	35

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000019438-12.dat	dcrat
behavioral1/memory/2852-13-0x0000000000D60000-0x0000000000E70000-memory.dmp	dcrat
behavioral1/memory/2788-55-0x0000000001160000-0x0000000001270000-memory.dmp	dcrat
behavioral1/memory/2700-180-0x0000000001210000-0x0000000001320000-memory.dmp	dcrat
behavioral1/memory/644-535-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/2436-595-0x0000000000B50000-0x0000000000C60000-memory.dmp	dcrat
behavioral1/memory/1092-656-0x00000000001E0000-0x00000000002F0000-memory.dmp	dcrat
behavioral1/memory/1848-716-0x00000000013D0000-0x00000000014E0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2100	powershell.exe
2052	powershell.exe
1028	powershell.exe
2312	powershell.exe
1916	powershell.exe
2332	powershell.exe
2504	powershell.exe
2064	powershell.exe
2984	powershell.exe
1592	powershell.exe
816	powershell.exe
2008	powershell.exe
3060	powershell.exe
2936	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2852	DllCommonsvc.exe
2788	WmiPrvSE.exe
2700	WmiPrvSE.exe
376	WmiPrvSE.exe
1656	WmiPrvSE.exe
2920	WmiPrvSE.exe
2552	WmiPrvSE.exe
2208	WmiPrvSE.exe
644	WmiPrvSE.exe
2436	WmiPrvSE.exe
1092	WmiPrvSE.exe
1848	WmiPrvSE.exe
448	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
2804	cmd.exe
2804	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
41	raw.githubusercontent.com
34	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
4	raw.githubusercontent.com
38	raw.githubusercontent.com
30	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\Accessories\it-IT\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\it-IT\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Chess\it-IT\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Chess\it-IT\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\System\es-ES\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\System\es-ES\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\886983d96e3d3e	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Speech\Common\fr-FR\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\Prefetch\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\Prefetch\f3b6ecef712a24	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_98a8e8dcda6716bbae8544350aaba846de1e39639611489bdd559dbdda07d361.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2172	schtasks.exe
828	schtasks.exe
1384	schtasks.exe
2388	schtasks.exe
2868	schtasks.exe
2532	schtasks.exe
972	schtasks.exe
860	schtasks.exe
548	schtasks.exe
576	schtasks.exe
2228	schtasks.exe
1008	schtasks.exe
2368	schtasks.exe
1920	schtasks.exe
2436	schtasks.exe
2940	schtasks.exe
408	schtasks.exe
2384	schtasks.exe
1448	schtasks.exe
2212	schtasks.exe
2988	schtasks.exe
1428	schtasks.exe
2612	schtasks.exe
2816	schtasks.exe
928	schtasks.exe
356	schtasks.exe
1356	schtasks.exe
2912	schtasks.exe
2592	schtasks.exe
2540	schtasks.exe
264	schtasks.exe
2132	schtasks.exe
1764	schtasks.exe
1284	schtasks.exe
3016	schtasks.exe
1656	schtasks.exe
332	schtasks.exe
2264	schtasks.exe
2176	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2852	DllCommonsvc.exe
1028	powershell.exe
2052	powershell.exe
2312	powershell.exe
3060	powershell.exe
2504	powershell.exe
2100	powershell.exe
816	powershell.exe
2936	powershell.exe
2332	powershell.exe
2984	powershell.exe
1916	powershell.exe
2008	powershell.exe
1592	powershell.exe
2064	powershell.exe
2788	WmiPrvSE.exe
2700	WmiPrvSE.exe
376	WmiPrvSE.exe
1656	WmiPrvSE.exe
2920	WmiPrvSE.exe
2552	WmiPrvSE.exe
2208	WmiPrvSE.exe
644	WmiPrvSE.exe
2436	WmiPrvSE.exe
1092	WmiPrvSE.exe
1848	WmiPrvSE.exe
448	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2852	DllCommonsvc.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	2788	WmiPrvSE.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	816	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	2700	WmiPrvSE.exe
Token: SeDebugPrivilege	376	WmiPrvSE.exe
Token: SeDebugPrivilege	1656	WmiPrvSE.exe
Token: SeDebugPrivilege	2920	WmiPrvSE.exe
Token: SeDebugPrivilege	2552	WmiPrvSE.exe
Token: SeDebugPrivilege	2208	WmiPrvSE.exe
Token: SeDebugPrivilege	644	WmiPrvSE.exe
Token: SeDebugPrivilege	2436	WmiPrvSE.exe
Token: SeDebugPrivilege	1092	WmiPrvSE.exe
Token: SeDebugPrivilege	1848	WmiPrvSE.exe
Token: SeDebugPrivilege	448	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2808	2268	JaffaCakes118_98a8e8dcda6716bbae8544350aaba846de1e39639611489bdd559dbdda07d361.exe	31
PID 2268 wrote to memory of 2808	2268	JaffaCakes118_98a8e8dcda6716bbae8544350aaba846de1e39639611489bdd559dbdda07d361.exe	31
PID 2268 wrote to memory of 2808	2268	JaffaCakes118_98a8e8dcda6716bbae8544350aaba846de1e39639611489bdd559dbdda07d361.exe	31
PID 2268 wrote to memory of 2808	2268	JaffaCakes118_98a8e8dcda6716bbae8544350aaba846de1e39639611489bdd559dbdda07d361.exe	31
PID 2808 wrote to memory of 2804	2808	WScript.exe	32
PID 2808 wrote to memory of 2804	2808	WScript.exe	32
PID 2808 wrote to memory of 2804	2808	WScript.exe	32
PID 2808 wrote to memory of 2804	2808	WScript.exe	32
PID 2804 wrote to memory of 2852	2804	cmd.exe	34
PID 2804 wrote to memory of 2852	2804	cmd.exe	34
PID 2804 wrote to memory of 2852	2804	cmd.exe	34
PID 2804 wrote to memory of 2852	2804	cmd.exe	34
PID 2852 wrote to memory of 2504	2852	DllCommonsvc.exe	75
PID 2852 wrote to memory of 2504	2852	DllCommonsvc.exe	75
PID 2852 wrote to memory of 2504	2852	DllCommonsvc.exe	75
PID 2852 wrote to memory of 1028	2852	DllCommonsvc.exe	76
PID 2852 wrote to memory of 1028	2852	DllCommonsvc.exe	76
PID 2852 wrote to memory of 1028	2852	DllCommonsvc.exe	76
PID 2852 wrote to memory of 2100	2852	DllCommonsvc.exe	77
PID 2852 wrote to memory of 2100	2852	DllCommonsvc.exe	77
PID 2852 wrote to memory of 2100	2852	DllCommonsvc.exe	77
PID 2852 wrote to memory of 2064	2852	DllCommonsvc.exe	78
PID 2852 wrote to memory of 2064	2852	DllCommonsvc.exe	78
PID 2852 wrote to memory of 2064	2852	DllCommonsvc.exe	78
PID 2852 wrote to memory of 2984	2852	DllCommonsvc.exe	79
PID 2852 wrote to memory of 2984	2852	DllCommonsvc.exe	79
PID 2852 wrote to memory of 2984	2852	DllCommonsvc.exe	79
PID 2852 wrote to memory of 2312	2852	DllCommonsvc.exe	80
PID 2852 wrote to memory of 2312	2852	DllCommonsvc.exe	80
PID 2852 wrote to memory of 2312	2852	DllCommonsvc.exe	80
PID 2852 wrote to memory of 1592	2852	DllCommonsvc.exe	81
PID 2852 wrote to memory of 1592	2852	DllCommonsvc.exe	81
PID 2852 wrote to memory of 1592	2852	DllCommonsvc.exe	81
PID 2852 wrote to memory of 2052	2852	DllCommonsvc.exe	82
PID 2852 wrote to memory of 2052	2852	DllCommonsvc.exe	82
PID 2852 wrote to memory of 2052	2852	DllCommonsvc.exe	82
PID 2852 wrote to memory of 816	2852	DllCommonsvc.exe	83
PID 2852 wrote to memory of 816	2852	DllCommonsvc.exe	83
PID 2852 wrote to memory of 816	2852	DllCommonsvc.exe	83
PID 2852 wrote to memory of 2008	2852	DllCommonsvc.exe	84
PID 2852 wrote to memory of 2008	2852	DllCommonsvc.exe	84
PID 2852 wrote to memory of 2008	2852	DllCommonsvc.exe	84
PID 2852 wrote to memory of 2936	2852	DllCommonsvc.exe	85
PID 2852 wrote to memory of 2936	2852	DllCommonsvc.exe	85
PID 2852 wrote to memory of 2936	2852	DllCommonsvc.exe	85
PID 2852 wrote to memory of 3060	2852	DllCommonsvc.exe	86
PID 2852 wrote to memory of 3060	2852	DllCommonsvc.exe	86
PID 2852 wrote to memory of 3060	2852	DllCommonsvc.exe	86
PID 2852 wrote to memory of 1916	2852	DllCommonsvc.exe	87
PID 2852 wrote to memory of 1916	2852	DllCommonsvc.exe	87
PID 2852 wrote to memory of 1916	2852	DllCommonsvc.exe	87
PID 2852 wrote to memory of 2332	2852	DllCommonsvc.exe	88
PID 2852 wrote to memory of 2332	2852	DllCommonsvc.exe	88
PID 2852 wrote to memory of 2332	2852	DllCommonsvc.exe	88
PID 2852 wrote to memory of 2788	2852	DllCommonsvc.exe	103
PID 2852 wrote to memory of 2788	2852	DllCommonsvc.exe	103
PID 2852 wrote to memory of 2788	2852	DllCommonsvc.exe	103
PID 2788 wrote to memory of 2408	2788	WmiPrvSE.exe	104
PID 2788 wrote to memory of 2408	2788	WmiPrvSE.exe	104
PID 2788 wrote to memory of 2408	2788	WmiPrvSE.exe	104
PID 2408 wrote to memory of 1960	2408	cmd.exe	106
PID 2408 wrote to memory of 1960	2408	cmd.exe	106
PID 2408 wrote to memory of 1960	2408	cmd.exe	106
PID 2408 wrote to memory of 2700	2408	cmd.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98a8e8dcda6716bbae8544350aaba846de1e39639611489bdd559dbdda07d361.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98a8e8dcda6716bbae8544350aaba846de1e39639611489bdd559dbdda07d361.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\it-IT\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Chess\it-IT\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\es-ES\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
    - - C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NjKeWzk8OD.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1960
        
        C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat"
        8⤵
        
        PID:2792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3024
        
        C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat"
        10⤵
        
        PID:2500
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2916
        
        C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat"
        12⤵
        
        PID:644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2088
        
        C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat"
        14⤵
        
        PID:1588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2532
        
        C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat"
        16⤵
        
        PID:2332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2444
        
        C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nm0aad8I0L.bat"
        18⤵
        
        PID:2856
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2772
        
        C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDWALPrpmL.bat"
        20⤵
        
        PID:3012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2992
        
        C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JDh6J9oWuS.bat"
        22⤵
        
        PID:1928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2216
        
        C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0tZmJrpaGF.bat"
        24⤵
        
        PID:676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2860
        
        C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat"
        26⤵
        
        PID:272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2096
        
        C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\it-IT\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Games\Chess\it-IT\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Chess\it-IT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\Chess\it-IT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\System\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\System\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Prefetch\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Prefetch\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08009de1daff6b6ea47152555da74f16

SHA1
867c84e058e6dff13be114d71571a702753711cb

SHA256
ae1dabe01d122d8a28087aff27bd03781de9b4c1cd95842b135eb9786272e315

SHA512
5f981d7f94d1751504affcaa3850b95906b83d91a6034ac8a35a2fe08563dc39a8bd82bdb56ca2bc5ee5ddd283576d587448073a0d8707e0caa04ede8b9f418c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc198b72331487a7f1ba06f31013c6c1

SHA1
24b499741c85ba502d7f5cfe76f5cc9af988aafd

SHA256
1a88755f8dcdf073586abdd77fbafd57d6f3cfdfa65076eb95fbe8ccafa237c4

SHA512
948d3f9e156033b7b655ad74ef2facea9cb8943ce55d669da070648d6850bc0293e1e15075f0ddde125bacb6b88f37bc71f40d0899fbd39cefbff7991bd7e8c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ffcd91218d5212453c28869851ea8b3

SHA1
25644dc4b2a171ef6e80240317029e5bd704f237

SHA256
438e59fef909018dec453eae25052e4504069bc9bdd19713a18b188502bdc88b

SHA512
d490d78f414bf6bb01feaa10e846556a0d83c1bca2d250162323870a9c9dcb1c4b9cd509d37739098ffa270d3a72e241dd55bab6444f0eafcf13984ce89204a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d51ca95e69acccc7f64c61fd3fcec3aa

SHA1
eeb5c74ddb7f3e45ae6c9d15da729219aaaa6218

SHA256
1aaf56e039d5e4b61630e4030668dd9802e0817df93c3d0f49ec215562202fb1

SHA512
76e94a75bedf1d7aa29620d53eca0af5df2b09435eaec38001bedc1ee81c5a93c14c8e0287470129a2288bcaa6c0bc620ba9c4969bcff7140a5f4b86e91b863b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fce1f9f2da0839f60748691f88182d44

SHA1
3e124040a3a8ae62df0c8c8d298c341845e2b8d4

SHA256
be84e34492c8d73af32ccc2a62a23b9c71571fe399b5d57a3b184638d59ac5ce

SHA512
04197dbe33162573bcd48776de29294f85ad411580038b5bc7b0f7ddb3cc4952b4b1a36672f098f370ee9bf0251b92ef2ef3e1bf92b4eed86a4b50be30f7ea4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d35aeda9a4f4dd2b119536f5632a18f4

SHA1
b6d369ba69af9c03dd6db889145189a01cfc2813

SHA256
579b1456c92b0cfe08f586b4f0a6e8ce99267f324a91f4c14d64f6eae631b8ca

SHA512
0dca069cdb0f71914eb30a8a260924db8077169689b468ce4046ffb9879a53aa36f31fae8631755a26b271ff051bf13bc5e13d2344c38215bb51257644ca9b63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d77879c92839e4d6715db103a98fbc5

SHA1
1961070855ff96b533026d888f90dc60d37ca97c

SHA256
9e91d1f24e2cdf4d95f5e68c718fe00a98e39c737f98d6b002a4ec86a1cd8013

SHA512
fad0d912fcd3ff5a01a5d7fa46f1ff3138a22906f7cae892afb1bd93d7b711d867db5867f9fdbbc5355ce750552af0daf46a1ccae28475f6fa4906ac3ef30d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
306c2324449943e0f04ffaee3d72b4a3

SHA1
aeee7bc5a739b355a204215fb04789d37bc4bf15

SHA256
29da645866b4fb4789d4d09b92178621ce713a00271ed099ba9a2fd64a84938d

SHA512
66afb335894142c3b27aa1c2818e5398be720f4802374b755915a824e732f0cddbf2a42d61834630f54def405d21c9b16b2b8817d5699fe8d4956c61faf64365

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b36a3c156e9d738b5bc71d16467dff4

SHA1
3627175c7b6af74f190c1bab81f3b7c0e9e628b2

SHA256
758716c75438a9e5191c162256276068117be9cbdf78e8cc3467c383b5fa245b

SHA512
ccc6c87f3a34cef02958bebc63bddd02af6382f6c6003228a828ccaa5d8d4f656587bed9ee0778be27ca9ed64fa8a3d5776a057429cc18defb0c7840ee616cdc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d3c334c2c2183af2bd63232c791e7a7

SHA1
dcf47b3e2eac2aea833892ef2a098adeffab5910

SHA256
92187f70b6657d3d23fd4c30f180a68520dcea7ac2931665e7c9de1949968468

SHA512
9fd9ffdde6da9b21895c2910dc38139ee23afc859e237b3fde91c22cff78c2e990819e3d05dbc9182b1c2b4c334ccd9f4ff9c8379c7183d941e848a9b74dd39f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0tZmJrpaGF.bat

Filesize
195B

MD5
9a58026d67e843e8faf5a9cd1b4d8767

SHA1
f3011ed4ec5dc4fa50d1d651049bba84c295cf4a

SHA256
58b986ca1a6ccedb309b636637c062e7cca6393ea73baf78ba10697c3f0874fd

SHA512
a17f0789d8705bce5c6ebeaeaff62a5f39cf5188f5a166ee39ab7f23370b25667ff052d2f94398f39188c753a842d711156098e9165a893058462733191e7461

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat

Filesize
195B

MD5
68e5356d3a1928302d1e413eee8e6a55

SHA1
b73697f7b0b297e23d02b150174783535b31d596

SHA256
d296baa01e4d64148614655679348b76f896754b618baff7c2aec3cb29bafb70

SHA512
f031b13249a0d2d9992f29b1e33d54942b8aa28d0bfd2b603bc2fd860d5b47be02580c612e7a262c20112575dfc986634fec1adf8dc1fa2f650100563fe3f4ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab175A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat

Filesize
195B

MD5
43fcebed3706a2709304f528db683e3d

SHA1
3b6e31c066a99eac3ee3de3a0ff60d0aba834847

SHA256
0d2f0965d5326fc9542d149cf677e87eeabe729bea173338a0a9283464223e07

SHA512
737e9cfd4c5a8749f6429bdbff142dc027943956f913a5853fc3ccf40354e37a5b569b6f0bf2e902d40ae6395e4888d7c2cf75587593dab85cfad637be75e91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDh6J9oWuS.bat

Filesize
195B

MD5
fcb606accbbc2fd3bbcf2c7b0ffb1b6d

SHA1
4eb3e49b84023ec931aba0d2ca74339d20980928

SHA256
a7b1b925df61fbf208371a15f3c7b2425c4a885abe63a9da922d62f81097f2d9

SHA512
68e3fa4cdf1c694aa4e35debf92ef817b2cdd018754a979cb66ece432c1948bfb272e0091a65129e2bd67043a5f2e998865a5f25555b5d717b56b678738f0450

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat

Filesize
195B

MD5
7c90c6ede6b11cd09bfd05661c3970ae

SHA1
b4d884ec7e6b6fe3cb6426633d13bf4950d5c0b5

SHA256
a69d8427a39374549f88a61a0dda272164596f9aeb907bd1589bf21c787156c4

SHA512
0ccd0f0cec6711533081edaa0c5712796fef50b493a47ac78288c5c61d014dc19094fe55e093e4a254b108804a070db4a4bc9b06b8afeb38277b4bea16940762

Download Submit
C:\Users\Admin\AppData\Local\Temp\NjKeWzk8OD.bat

Filesize
195B

MD5
41d7cb21af9c3af717325463eab800dc

SHA1
25cee7d6ee34786179bef5d81574fef6746e9fdd

SHA256
69c70274ea01ebd00c0dbc53b2d3cefad873672246766505508868e544096f9f

SHA512
5c0b1f38fe037f257112d6e0e589e9c79bedfe519be745c031b9ee75708e3c099cc682c3ec45ff66d277f0f2a6540b80787b24ccb6d635caf9fd84ada029652e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nm0aad8I0L.bat

Filesize
195B

MD5
26f80d17a523a7550feb683fa9b1076e

SHA1
8bfb44af5313d2c873fe668f9834727988e6342e

SHA256
e599d21d2de46f61cf389fbcc3baa4b88badbbd51bd285499a59e523bfbaa4a6

SHA512
3fcf177c3c2e0f9ecabee0df3c4313438db96bd48a871410b17ba7177aaae702bdf4f221ab09d9f470d3daf676d5340a81f0494bc5472d8b0b3b6aa10076a978

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar176C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat

Filesize
195B

MD5
b7269dba3ad768fade44a4bcc550c8d2

SHA1
84c41fe46f7665590965b1702dafb960fa9e5df6

SHA256
fc7f69c1842600cfc098eeeed3a2b192d7f9bfaffbbd198707920ea0c5a9a1cf

SHA512
0e631666beae1596893640a709a8f94b8f0fb997192938d97da804ce92e14319d3632dad35ee229fbdc7401933b3fdc386f012e64345cd0bae8376694752938d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat

Filesize
195B

MD5
959eabcb23b47cd6c4f143c416e52ca7

SHA1
a5255c73ee116c0d14e011192236882a74107402

SHA256
a37a3b532323c612a3c9a1362e662d4018f3c65aacea03392f97b7c8c8b44a11

SHA512
d8370ccde238951664acf7d88ed79a6a8b277d4ce1c01cea9aabb63ec0b4fb8caff2321a64ae14d7369be19c953f13f06260dcca2397a19d03e9f41414a9606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat

Filesize
195B

MD5
25051703042ab1a323ba3e09e578f9e9

SHA1
2cd00e774d3db5209d6ebf429a180ab7d2429cfd

SHA256
822782212d8f1201061c552df0be7ba6b4b9b0c48546df5442e38dc79e002f59

SHA512
4c6f180a52330d251b74367861be1578ea4e3fe1314cd32c2b5d9631fd871a4b3867865599419923cedd92202875901d382e35ca07d1fc3e9164c01c5643f2aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\zDWALPrpmL.bat

Filesize
195B

MD5
d7984bf5bacfd2377098d609443e0768

SHA1
66086ee938a2d8f9843e81edcadcd9c8a178d99d

SHA256
db0ec15aefa3f95b8458f53ab8103d8df3abcc4ccd9e65a988789680e747c678

SHA512
33ab189eb02825b1b01fee6b6881ec2d7cb20a241a789e299bd23b249735cc9d1d9b60ec7945a91d53fc49a890a2cd8bdcbc070e3edcc8ff76b991b5399e954f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
556fe2321a247da6f4870126e4ab07fa

SHA1
6cc8855acd68c73f42f25d521a088fbcc2f026a9

SHA256
32c766c59bb238633fb5a5b7537b5d11b8bfcf2d83e631f96c7374321227da91

SHA512
b726f27a92ead5397dd9eac36f16b7e968691eb7edaccc4bbe7728a9f8cabde9847f1388d962bb8f56f61d6a3b9542183998abacc28646d23c8362b91a8c353c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/644-535-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/1028-57-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/1028-56-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/1092-656-0x00000000001E0000-0x00000000002F0000-memory.dmp

Filesize
1.1MB

Download
memory/1848-716-0x00000000013D0000-0x00000000014E0000-memory.dmp

Filesize
1.1MB

Download
memory/2436-595-0x0000000000B50000-0x0000000000C60000-memory.dmp

Filesize
1.1MB

Download
memory/2436-596-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2700-180-0x0000000001210000-0x0000000001320000-memory.dmp

Filesize
1.1MB

Download
memory/2788-55-0x0000000001160000-0x0000000001270000-memory.dmp

Filesize
1.1MB

Download
memory/2852-16-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2852-15-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2852-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2852-13-0x0000000000D60000-0x0000000000E70000-memory.dmp

Filesize
1.1MB

Download
memory/2852-17-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download