dcrat | 9fb4c2982f8b86bc0c969db4c2907b5e86596e73e556d68751f5d8077c807772

Analysis

max time kernel
940s
max time network
941s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NurikCrackNewVersion.exe
Size

1.1MB
MD5

4b39d2785f3041d673495ecc36a95074
SHA1

925f23e1e5b69b075728221874b54dc2ad2c7f65
SHA256

9fb4c2982f8b86bc0c969db4c2907b5e86596e73e556d68751f5d8077c807772
SHA512

44f75ea465ee52d9ead19330a9f4b82e7b2cc59d95e89547f85a5dc2af1139481fbeecb498edb7e68497820f1daf3c9f63d9a94fa536e91f63011603c9c31d4d
SSDEEP

24576:P2G/nvxW3Wayt05h/1NDQNxDL5rNx5bhpC6TZ:PbA37yC5GVz9

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2424	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2424	schtasks.exe

DCRat payload 18 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\netSvc\Msproviderserver.exe	dcrat
behavioral1/memory/2712-29-0x0000000000F20000-0x0000000000FF6000-memory.dmp	dcrat
behavioral1/memory/1696-75-0x0000000000260000-0x0000000000336000-memory.dmp	dcrat
behavioral1/memory/2984-198-0x0000000000250000-0x0000000000326000-memory.dmp	dcrat
behavioral1/memory/3032-201-0x00000000010E0000-0x00000000011B6000-memory.dmp	dcrat
behavioral1/memory/1540-203-0x0000000000200000-0x00000000002D6000-memory.dmp	dcrat
behavioral1/memory/2116-204-0x0000000000FF0000-0x00000000010C6000-memory.dmp	dcrat
behavioral1/memory/2400-315-0x0000000000E10000-0x0000000000EE6000-memory.dmp	dcrat
behavioral1/memory/2136-425-0x0000000000E90000-0x0000000000F66000-memory.dmp	dcrat
behavioral1/memory/492-537-0x0000000000EE0000-0x0000000000FB6000-memory.dmp	dcrat
behavioral1/memory/476-538-0x0000000000CF0000-0x0000000000DC6000-memory.dmp	dcrat
behavioral1/memory/1516-650-0x0000000000FD0000-0x00000000010A6000-memory.dmp	dcrat
behavioral1/memory/740-651-0x00000000013C0000-0x0000000001496000-memory.dmp	dcrat
behavioral1/memory/2404-768-0x0000000000350000-0x0000000000426000-memory.dmp	dcrat
behavioral1/memory/2996-766-0x0000000000F80000-0x0000000001056000-memory.dmp	dcrat
behavioral1/memory/2924-765-0x00000000002B0000-0x0000000000386000-memory.dmp	dcrat
behavioral1/memory/2908-761-0x0000000001080000-0x0000000001156000-memory.dmp	dcrat
behavioral1/memory/2888-877-0x00000000003C0000-0x0000000000496000-memory.dmp	dcrat

Executes dropped EXE 18 IoCs

Processes:

Msproviderserver.exedllhost.exewininit.exeaudiodg.exesmss.exedwm.exedllhost.execsrss.exespoolsv.exetaskhost.execonhost.exelsm.exewininit.exeaudiodg.exeSystem.exesmss.exedwm.exedllhost.exe

pid	process
2712	Msproviderserver.exe
1696	dllhost.exe
1540	wininit.exe
2984	audiodg.exe
3032	smss.exe
2116	dwm.exe
2400	dllhost.exe
2136	csrss.exe
492	spoolsv.exe
476	taskhost.exe
1516	conhost.exe
740	lsm.exe
2996	wininit.exe
2908	audiodg.exe
2924	System.exe
1852	smss.exe
2404	dwm.exe
2888	dllhost.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

3024 cmd.exe
3024 cmd.exe

pid	process
3024	cmd.exe
3024	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

Processes:

flow	ioc
61	pastebin.com
14	pastebin.com
22	pastebin.com
30	pastebin.com
38	pastebin.com
53	pastebin.com
4	pastebin.com
5	pastebin.com
15	pastebin.com
45	pastebin.com
54	pastebin.com

Drops file in Program Files directory 10 IoCs

Processes:

Msproviderserver.exe

description	ioc	process
File created	C:\Program Files\Windows Media Player\fr-FR\42af1c969fbb7b	Msproviderserver.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\taskhost.exe	Msproviderserver.exe
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\dllhost.exe	Msproviderserver.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\088424020bedd6	Msproviderserver.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\System.exe	Msproviderserver.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\27d1bcfc3c54e0	Msproviderserver.exe
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\5940a34987c991	Msproviderserver.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\conhost.exe	Msproviderserver.exe
File created	C:\Program Files\Windows Media Player\fr-FR\audiodg.exe	Msproviderserver.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\b75386f1303e64	Msproviderserver.exe

Drops file in Windows directory 4 IoCs

Processes:

Msproviderserver.exe

description	ioc	process
File created	C:\Windows\Logs\HomeGroup\smss.exe	Msproviderserver.exe
File created	C:\Windows\Logs\HomeGroup\69ddcba757bf72	Msproviderserver.exe
File created	C:\Windows\Help\conhost.exe	Msproviderserver.exe
File created	C:\Windows\Help\088424020bedd6	Msproviderserver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

pid	process
588	schtasks.exe
2740	schtasks.exe
1576	schtasks.exe
2384	schtasks.exe
2216	schtasks.exe
1908	schtasks.exe
3000	schtasks.exe
2056	schtasks.exe
1348	schtasks.exe
3016	schtasks.exe
1492	schtasks.exe
1800	schtasks.exe
1540	schtasks.exe
1852	schtasks.exe
1764	schtasks.exe
3068	schtasks.exe
2656	schtasks.exe
2308	schtasks.exe
1772	schtasks.exe
2836	schtasks.exe
2188	schtasks.exe
3004	schtasks.exe
1420	schtasks.exe
2348	schtasks.exe
2404	schtasks.exe
2900	schtasks.exe
2912	schtasks.exe
2180	schtasks.exe
2124	schtasks.exe
2684	schtasks.exe
3060	schtasks.exe
2924	schtasks.exe
2256	schtasks.exe
2220	schtasks.exe
2012	schtasks.exe
2884	schtasks.exe
1732	schtasks.exe
1236	schtasks.exe
2032	schtasks.exe
2144	schtasks.exe
1084	schtasks.exe
2240	schtasks.exe
1096	schtasks.exe
1300	schtasks.exe
2988	schtasks.exe
2460	schtasks.exe
1072	schtasks.exe
868	schtasks.exe
2492	schtasks.exe
1932	schtasks.exe
1508	schtasks.exe
1552	schtasks.exe
1612	schtasks.exe
1308	schtasks.exe
2000	schtasks.exe
628	schtasks.exe
2564	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

Msproviderserver.exedllhost.exesmss.exedllhost.execsrss.exespoolsv.execonhost.exeaudiodg.exedllhost.exe

pid	process
2712	Msproviderserver.exe
2712	Msproviderserver.exe
2712	Msproviderserver.exe
2712	Msproviderserver.exe
2712	Msproviderserver.exe
1696	dllhost.exe
3032	smss.exe
2400	dllhost.exe
2136	csrss.exe
492	spoolsv.exe
1516	conhost.exe
2908	audiodg.exe
2888	dllhost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

Msproviderserver.exedllhost.exesmss.exeaudiodg.exewininit.exedwm.exedllhost.execsrss.exespoolsv.exetaskhost.execonhost.exelsm.exeaudiodg.exeSystem.exewininit.exesmss.exedwm.exedllhost.exe

description	pid	process
Token: SeDebugPrivilege	2712	Msproviderserver.exe
Token: SeDebugPrivilege	1696	dllhost.exe
Token: SeDebugPrivilege	3032	smss.exe
Token: SeDebugPrivilege	2984	audiodg.exe
Token: SeDebugPrivilege	1540	wininit.exe
Token: SeDebugPrivilege	2116	dwm.exe
Token: SeDebugPrivilege	2400	dllhost.exe
Token: SeDebugPrivilege	2136	csrss.exe
Token: SeDebugPrivilege	492	spoolsv.exe
Token: SeDebugPrivilege	476	taskhost.exe
Token: SeDebugPrivilege	1516	conhost.exe
Token: SeDebugPrivilege	740	lsm.exe
Token: SeDebugPrivilege	2908	audiodg.exe
Token: SeDebugPrivilege	2924	System.exe
Token: SeDebugPrivilege	2996	wininit.exe
Token: SeDebugPrivilege	1852	smss.exe
Token: SeDebugPrivilege	2404	dwm.exe
Token: SeDebugPrivilege	2888	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

NurikCrackNewVersion.execmd.exeWScript.execmd.exeMsproviderserver.execmd.exetaskeng.exe

description	pid	process	target process
PID 2872 wrote to memory of 2800	2872	NurikCrackNewVersion.exe	WScript.exe
PID 2872 wrote to memory of 2800	2872	NurikCrackNewVersion.exe	WScript.exe
PID 2872 wrote to memory of 2800	2872	NurikCrackNewVersion.exe	WScript.exe
PID 2872 wrote to memory of 2800	2872	NurikCrackNewVersion.exe	WScript.exe
PID 2872 wrote to memory of 2884	2872	NurikCrackNewVersion.exe	cmd.exe
PID 2872 wrote to memory of 2884	2872	NurikCrackNewVersion.exe	cmd.exe
PID 2872 wrote to memory of 2884	2872	NurikCrackNewVersion.exe	cmd.exe
PID 2872 wrote to memory of 2884	2872	NurikCrackNewVersion.exe	cmd.exe
PID 2884 wrote to memory of 2640	2884	cmd.exe	cmd.exe
PID 2884 wrote to memory of 2640	2884	cmd.exe	cmd.exe
PID 2884 wrote to memory of 2640	2884	cmd.exe	cmd.exe
PID 2884 wrote to memory of 2640	2884	cmd.exe	cmd.exe
PID 2800 wrote to memory of 3024	2800	WScript.exe	cmd.exe
PID 2800 wrote to memory of 3024	2800	WScript.exe	cmd.exe
PID 2800 wrote to memory of 3024	2800	WScript.exe	cmd.exe
PID 2800 wrote to memory of 3024	2800	WScript.exe	cmd.exe
PID 3024 wrote to memory of 2712	3024	cmd.exe	Msproviderserver.exe
PID 3024 wrote to memory of 2712	3024	cmd.exe	Msproviderserver.exe
PID 3024 wrote to memory of 2712	3024	cmd.exe	Msproviderserver.exe
PID 3024 wrote to memory of 2712	3024	cmd.exe	Msproviderserver.exe
PID 2712 wrote to memory of 2456	2712	Msproviderserver.exe	cmd.exe
PID 2712 wrote to memory of 2456	2712	Msproviderserver.exe	cmd.exe
PID 2712 wrote to memory of 2456	2712	Msproviderserver.exe	cmd.exe
PID 2456 wrote to memory of 2976	2456	cmd.exe	w32tm.exe
PID 2456 wrote to memory of 2976	2456	cmd.exe	w32tm.exe
PID 2456 wrote to memory of 2976	2456	cmd.exe	w32tm.exe
PID 2456 wrote to memory of 1696	2456	cmd.exe	dllhost.exe
PID 2456 wrote to memory of 1696	2456	cmd.exe	dllhost.exe
PID 2456 wrote to memory of 1696	2456	cmd.exe	dllhost.exe
PID 1704 wrote to memory of 3032	1704	taskeng.exe	smss.exe
PID 1704 wrote to memory of 3032	1704	taskeng.exe	smss.exe
PID 1704 wrote to memory of 3032	1704	taskeng.exe	smss.exe
PID 1704 wrote to memory of 1540	1704	taskeng.exe	wininit.exe
PID 1704 wrote to memory of 1540	1704	taskeng.exe	wininit.exe
PID 1704 wrote to memory of 1540	1704	taskeng.exe	wininit.exe
PID 1704 wrote to memory of 2984	1704	taskeng.exe	audiodg.exe
PID 1704 wrote to memory of 2984	1704	taskeng.exe	audiodg.exe
PID 1704 wrote to memory of 2984	1704	taskeng.exe	audiodg.exe
PID 1704 wrote to memory of 2116	1704	taskeng.exe	dwm.exe
PID 1704 wrote to memory of 2116	1704	taskeng.exe	dwm.exe
PID 1704 wrote to memory of 2116	1704	taskeng.exe	dwm.exe
PID 1704 wrote to memory of 2400	1704	taskeng.exe	dllhost.exe
PID 1704 wrote to memory of 2400	1704	taskeng.exe	dllhost.exe
PID 1704 wrote to memory of 2400	1704	taskeng.exe	dllhost.exe
PID 1704 wrote to memory of 2136	1704	taskeng.exe	csrss.exe
PID 1704 wrote to memory of 2136	1704	taskeng.exe	csrss.exe
PID 1704 wrote to memory of 2136	1704	taskeng.exe	csrss.exe
PID 1704 wrote to memory of 476	1704	taskeng.exe	taskhost.exe
PID 1704 wrote to memory of 476	1704	taskeng.exe	taskhost.exe
PID 1704 wrote to memory of 476	1704	taskeng.exe	taskhost.exe
PID 1704 wrote to memory of 492	1704	taskeng.exe	spoolsv.exe
PID 1704 wrote to memory of 492	1704	taskeng.exe	spoolsv.exe
PID 1704 wrote to memory of 492	1704	taskeng.exe	spoolsv.exe
PID 1704 wrote to memory of 1516	1704	taskeng.exe	conhost.exe
PID 1704 wrote to memory of 1516	1704	taskeng.exe	conhost.exe
PID 1704 wrote to memory of 1516	1704	taskeng.exe	conhost.exe
PID 1704 wrote to memory of 740	1704	taskeng.exe	lsm.exe
PID 1704 wrote to memory of 740	1704	taskeng.exe	lsm.exe
PID 1704 wrote to memory of 740	1704	taskeng.exe	lsm.exe
PID 1704 wrote to memory of 2996	1704	taskeng.exe	wininit.exe
PID 1704 wrote to memory of 2996	1704	taskeng.exe	wininit.exe
PID 1704 wrote to memory of 2996	1704	taskeng.exe	wininit.exe
PID 1704 wrote to memory of 1852	1704	taskeng.exe	smss.exe
PID 1704 wrote to memory of 1852	1704	taskeng.exe	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NurikCrackNewVersion.exe
"C:\Users\Admin\AppData\Local\Temp\NurikCrackNewVersion.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\netSvc\oRGxNIscN7mzUEqEFjiOrNSCKy.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\netSvc\WsWYaVY80xOTEmwO5LX.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024

C:\netSvc\Msproviderserver.exe
"C:\netSvc\Msproviderserver.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SLb8koLC6A.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:2976

C:\netSvc\dllhost.exe
"C:\netSvc\dllhost.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\netSvc\1TCP8vvjtWtNky92sAt.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\netSvc\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\netSvc\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\netSvc\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\fr-FR\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\fr-FR\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\netSvc\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\netSvc\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\netSvc\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Videos\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Videos\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Videos\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\Logs\HomeGroup\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Logs\HomeGroup\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\Logs\HomeGroup\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\netSvc\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\netSvc\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\netSvc\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\Help\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Help\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2684

C:\Windows\system32\taskeng.exe
taskeng.exe {999CF4A1-918A-4125-8796-D850329CF9DE} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe
"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\Logs\HomeGroup\smss.exe
C:\Windows\Logs\HomeGroup\smss.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Program Files\Windows Media Player\fr-FR\audiodg.exe
"C:\Program Files\Windows Media Player\fr-FR\audiodg.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Users\Admin\Videos\dwm.exe
C:\Users\Admin\Videos\dwm.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Program Files (x86)\Windows Sidebar\es-ES\dllhost.exe
"C:\Program Files (x86)\Windows Sidebar\es-ES\dllhost.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe
"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe
"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:492

C:\Program Files (x86)\Internet Explorer\ja-JP\taskhost.exe
"C:\Program Files (x86)\Internet Explorer\ja-JP\taskhost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:476

C:\Windows\Help\conhost.exe
C:\Windows\Help\conhost.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\netSvc\lsm.exe
C:\netSvc\lsm.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe
"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\Logs\HomeGroup\smss.exe
C:\Windows\Logs\HomeGroup\smss.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Program Files\Windows Media Player\fr-FR\audiodg.exe
"C:\Program Files\Windows Media Player\fr-FR\audiodg.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Users\Admin\Videos\dwm.exe
C:\Users\Admin\Videos\dwm.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Program Files (x86)\Microsoft Office\Document Themes 14\System.exe
"C:\Program Files (x86)\Microsoft Office\Document Themes 14\System.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Program Files (x86)\Windows Sidebar\es-ES\dllhost.exe
"C:\Program Files (x86)\Windows Sidebar\es-ES\dllhost.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2888

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5fa7c6cb69f43bd8c62326cfdfc6478e

SHA1
0c7d9802b69de1b145153aa9a5d7f64ed96055da

SHA256
c810324d9d4b1c8c0ff36bb0ebcc5fc865a3d7e45373c996e2f97976a5d4150d

SHA512
9124ba669923ef60ff02a42c06f677914ef37235694ee47a5715cb45d34de4d9ed09112a89c30966021004fcc2d7c581a22ec8c6d58e074e210f5c368e9b2a91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b430e0c9cbae63ae22c97747c4d38fc1

SHA1
3ba70b7fc9bafa5c183541325efdd379b9eeff88

SHA256
9e1578185a49139b500b6b98a580a207e17fa752b7aabb38de181d31110227a0

SHA512
4c347bb37a6d0ceb27545307a0d22930edad84b74e50fba111b7ee73b1f68c06063c9d15772ef7a051eb7a320a7932c47d2fc5a75615cee1c96071994f0c49a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
11d562c0c5622707a273cd38723e83d2

SHA1
9d5c8d66765de2ccb286a8cea54548b5c1ef11fe

SHA256
d49cd98afeb6cc19ee8c8fb093b84169088166742f66e756f46a8bfb4f04a59f

SHA512
72f192be6d86e5e75786e37b0d1cd5e7d20849412d7869fc8577cf7d6746679ed34095b13633febef36d6314d521f7c6dcba0abda2620ee56365cf0af963c9ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d4f2a6781d31228ea936c71725189529

SHA1
9d3de426b42cbe6292106e2bd99bb95635e03c9d

SHA256
dbd83880420778854754b67f0782c5f9e31e266e73d82d6c2c2d97151ce6b279

SHA512
92e6f9ac2a6834891d5949c94219ce7b0ff7ddd29f0f5cc4594dc160d928e4e3182cfa0a37525dc4ae0ae3d202b2b7f64a29affa2309afde72f8cd072a3884ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
fde4e06e1cd9be40054affbfee21bb4a

SHA1
8e66729d50e184d2e99ec837bd8ec4e7aeff4415

SHA256
2a6abd43a62b30c2e33876af2b0d45cbabc8bacefb61b92422ce39e53cae6c06

SHA512
bb692a2226abf1c4b96114ef14c4da4538cf75d81c741bb2951dc5d62b596e9eaaffd81fa928b46d5f89ce09dc7c934ce60e45e087ddebf9e953d9ba768cfca1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e3d8629b083ae554c8f2f0e3916d54f8

SHA1
788a4e8a1c2537708e9d03d1d67e12a23cf85ed7

SHA256
60f2e16aec7c4467b2e36235c604375cdc5c0c3c8b04330f460967d8310b07ef

SHA512
0c09a196bc8b49608704d93aa6b3077ace462356cd6813d4ecfd3b6bf87ce560ef81443accff827809f414502a37c85210ef2fe91dc04f189f4b976116efe1b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3d25899998162f3207846e7ba7ffa031

SHA1
7fc86ce0bec570e45a4e29410732e95a1fd3b0a0

SHA256
998134a8ae4ca0b2eafa271015c3fd08401bbc07fd63bb3e23ad54d85f49a8de

SHA512
963a4cadfc6d3d816dbb5405ec2cae0b61fd1d7d551928bde526865e6327010493a048fa42dbf21f249f1d201a05cf93825ac2c14df5d65f271b0d33d8b46b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\SLb8koLC6A.bat
Filesize
186B

MD5
66402169aade6f72243485e314c6fb62

SHA1
f29e1e815bdb3365f49579b36ccacf80779fc70a

SHA256
80a1a7e46f7cc838dab3e57e4c301578f33451d94bf23be2e7259c29953dfef4

SHA512
8adb8b323d0f1ec3761f45523d71e237c095851a2bbe329df0a3a630e5ac5afcd0af7a8801791b165955bbb12141e8240e12354b7d7b47b72817097304c2e240

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar680D.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\netSvc\1TCP8vvjtWtNky92sAt.bat
Filesize
13B

MD5
9e97eb7b4fe7e7b2978f9ebdf6896f2d

SHA1
cdccef4e71f279347ff25fea52f53d5b640b0aea

SHA256
9d89a31f0e7b7d9fe52bf475b00ffb9fe24ea28d0905229467ee072246bb413b

SHA512
8a50d83ac64ed0c96a1a4db4e18a909e93d108b0d35481340e6a829d914fad604b9a0ef860d902b978a475fd15e4dca304db6952aa51fe8cf2010c2319887c91

Download Submit
C:\netSvc\WsWYaVY80xOTEmwO5LX.bat
Filesize
32B

MD5
e897bc8313657095107640d60d42da83

SHA1
803d583c033182a69af393bd1f239a2c23b76fb0

SHA256
5acdb6f1284aaa5e072c09bd68de498d21c344910ab2c2ccf83257305997c05f

SHA512
44d1d8ed11d4158cde19e7501fb2467e2c274f1a16f7e220d0ca163d8af8167582084954d5238b8c3485ebde903a24658dd608c9da1469a1864537f1cec26e1d

Download Submit
C:\netSvc\oRGxNIscN7mzUEqEFjiOrNSCKy.vbe
Filesize
202B

MD5
d443149e014f135240a9aeca27fbfe1e

SHA1
3f541782e2333dc7aced3e77732f198ea37113cc

SHA256
bf426dcc90e02082ddaeee361aaa3deadd6249eed5156be07bd763086887793b

SHA512
8d3a16b1b608928f31ab6f0db12449dbb07b449e8a25647ebfb2671d9f12eb661b33a11b03f0c4771615f1afde3c70bde350df06d17a3273b4f1f5c064d5d381

Download Submit
\netSvc\Msproviderserver.exe
Filesize
827KB

MD5
4e4088d5176e77688154f64545051d8b

SHA1
3020231a4134839b3970c3cb10ed5d87ea174459

SHA256
046956b1eb9b2fc738698aa8222744b07c11e104e20a94d764ed7b1ac133fac0

SHA512
49599228d257f18aa2c0931569ea4eb917d0e793e30906940e521be6a5280580aee57bc96c62645a61241fb2843103da26fa3f443d7a724ceaaa4486c401d2a5

Download Submit
memory/476-538-0x0000000000CF0000-0x0000000000DC6000-memory.dmp

Filesize
856KB

Download
memory/492-537-0x0000000000EE0000-0x0000000000FB6000-memory.dmp

Filesize
856KB

Download
memory/740-651-0x00000000013C0000-0x0000000001496000-memory.dmp

Filesize
856KB

Download
memory/1516-650-0x0000000000FD0000-0x00000000010A6000-memory.dmp

Filesize
856KB

Download
memory/1540-203-0x0000000000200000-0x00000000002D6000-memory.dmp

Filesize
856KB

Download
memory/1696-75-0x0000000000260000-0x0000000000336000-memory.dmp

Filesize
856KB

Download
memory/2116-204-0x0000000000FF0000-0x00000000010C6000-memory.dmp

Filesize
856KB

Download
memory/2136-425-0x0000000000E90000-0x0000000000F66000-memory.dmp

Filesize
856KB

Download
memory/2400-315-0x0000000000E10000-0x0000000000EE6000-memory.dmp

Filesize
856KB

Download
memory/2404-768-0x0000000000350000-0x0000000000426000-memory.dmp

Filesize
856KB

Download
memory/2712-29-0x0000000000F20000-0x0000000000FF6000-memory.dmp

Filesize
856KB

Download
memory/2888-877-0x00000000003C0000-0x0000000000496000-memory.dmp

Filesize
856KB

Download
memory/2908-761-0x0000000001080000-0x0000000001156000-memory.dmp

Filesize
856KB

Download
memory/2924-765-0x00000000002B0000-0x0000000000386000-memory.dmp

Filesize
856KB

Download
memory/2984-198-0x0000000000250000-0x0000000000326000-memory.dmp

Filesize
856KB

Download
memory/2996-766-0x0000000000F80000-0x0000000001056000-memory.dmp

Filesize
856KB

Download
memory/3032-201-0x00000000010E0000-0x00000000011B6000-memory.dmp

Filesize
856KB

Download