dcrat | 325c5c6bd3fe2c8bd7b0d6097f92700f0acd3cf7821ac15a64600232306e4a77

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_325c5c6bd3fe2c8bd7b0d6097f92700f0acd3cf7821ac15a64600232306e4a77.exe
Size

1.3MB
MD5

003e1c68eba20371dd6d52f8c0a4cd03
SHA1

968dac84f18e8744332606e5e63b877721b47329
SHA256

325c5c6bd3fe2c8bd7b0d6097f92700f0acd3cf7821ac15a64600232306e4a77
SHA512

0feaf044207a91a47c7a02aae36e360f8c55b5c359990552fbcbb36243794ebc68bd7404be1e186b4ad59572719038a53508b8664c9274b743754de90c2d01a8
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2908	schtasks.exe	34

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016fc9-9.dat	dcrat
behavioral1/memory/2952-13-0x0000000001160000-0x0000000001270000-memory.dmp	dcrat
behavioral1/memory/2472-34-0x0000000000DF0000-0x0000000000F00000-memory.dmp	dcrat
behavioral1/memory/2276-118-0x00000000010C0000-0x00000000011D0000-memory.dmp	dcrat
behavioral1/memory/592-296-0x0000000001110000-0x0000000001220000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1968	powershell.exe
2916	powershell.exe
2236	powershell.exe
2076	powershell.exe
2568	powershell.exe
2364	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2952	DllCommonsvc.exe
2472	Idle.exe
2276	Idle.exe
1816	Idle.exe
956	Idle.exe
592	Idle.exe
1868	Idle.exe
2652	Idle.exe
548	Idle.exe
2148	Idle.exe
2020	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2960	cmd.exe
2960	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
23	raw.githubusercontent.com
31	raw.githubusercontent.com
35	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
27	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\OSPPSVC.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\1610b97d3ab4a7	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_325c5c6bd3fe2c8bd7b0d6097f92700f0acd3cf7821ac15a64600232306e4a77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2808	schtasks.exe
2412	schtasks.exe
2652	schtasks.exe
1888	schtasks.exe
1868	schtasks.exe
3004	schtasks.exe
2756	schtasks.exe
1168	schtasks.exe
784	schtasks.exe
2588	schtasks.exe
2516	schtasks.exe
3048	schtasks.exe
1068	schtasks.exe
2792	schtasks.exe
2580	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2952	DllCommonsvc.exe
2076	powershell.exe
1968	powershell.exe
2364	powershell.exe
2236	powershell.exe
2916	powershell.exe
2568	powershell.exe
2472	Idle.exe
2276	Idle.exe
1816	Idle.exe
956	Idle.exe
592	Idle.exe
1868	Idle.exe
2652	Idle.exe
548	Idle.exe
2148	Idle.exe
2020	Idle.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2952	DllCommonsvc.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2472	Idle.exe
Token: SeDebugPrivilege	2276	Idle.exe
Token: SeDebugPrivilege	1816	Idle.exe
Token: SeDebugPrivilege	956	Idle.exe
Token: SeDebugPrivilege	592	Idle.exe
Token: SeDebugPrivilege	1868	Idle.exe
Token: SeDebugPrivilege	2652	Idle.exe
Token: SeDebugPrivilege	548	Idle.exe
Token: SeDebugPrivilege	2148	Idle.exe
Token: SeDebugPrivilege	2020	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2260	1820	JaffaCakes118_325c5c6bd3fe2c8bd7b0d6097f92700f0acd3cf7821ac15a64600232306e4a77.exe	30
PID 1820 wrote to memory of 2260	1820	JaffaCakes118_325c5c6bd3fe2c8bd7b0d6097f92700f0acd3cf7821ac15a64600232306e4a77.exe	30
PID 1820 wrote to memory of 2260	1820	JaffaCakes118_325c5c6bd3fe2c8bd7b0d6097f92700f0acd3cf7821ac15a64600232306e4a77.exe	30
PID 1820 wrote to memory of 2260	1820	JaffaCakes118_325c5c6bd3fe2c8bd7b0d6097f92700f0acd3cf7821ac15a64600232306e4a77.exe	30
PID 2260 wrote to memory of 2960	2260	WScript.exe	31
PID 2260 wrote to memory of 2960	2260	WScript.exe	31
PID 2260 wrote to memory of 2960	2260	WScript.exe	31
PID 2260 wrote to memory of 2960	2260	WScript.exe	31
PID 2960 wrote to memory of 2952	2960	cmd.exe	33
PID 2960 wrote to memory of 2952	2960	cmd.exe	33
PID 2960 wrote to memory of 2952	2960	cmd.exe	33
PID 2960 wrote to memory of 2952	2960	cmd.exe	33
PID 2952 wrote to memory of 2364	2952	DllCommonsvc.exe	50
PID 2952 wrote to memory of 2364	2952	DllCommonsvc.exe	50
PID 2952 wrote to memory of 2364	2952	DllCommonsvc.exe	50
PID 2952 wrote to memory of 1968	2952	DllCommonsvc.exe	51
PID 2952 wrote to memory of 1968	2952	DllCommonsvc.exe	51
PID 2952 wrote to memory of 1968	2952	DllCommonsvc.exe	51
PID 2952 wrote to memory of 2916	2952	DllCommonsvc.exe	52
PID 2952 wrote to memory of 2916	2952	DllCommonsvc.exe	52
PID 2952 wrote to memory of 2916	2952	DllCommonsvc.exe	52
PID 2952 wrote to memory of 2236	2952	DllCommonsvc.exe	53
PID 2952 wrote to memory of 2236	2952	DllCommonsvc.exe	53
PID 2952 wrote to memory of 2236	2952	DllCommonsvc.exe	53
PID 2952 wrote to memory of 2568	2952	DllCommonsvc.exe	54
PID 2952 wrote to memory of 2568	2952	DllCommonsvc.exe	54
PID 2952 wrote to memory of 2568	2952	DllCommonsvc.exe	54
PID 2952 wrote to memory of 2076	2952	DllCommonsvc.exe	55
PID 2952 wrote to memory of 2076	2952	DllCommonsvc.exe	55
PID 2952 wrote to memory of 2076	2952	DllCommonsvc.exe	55
PID 2952 wrote to memory of 2472	2952	DllCommonsvc.exe	61
PID 2952 wrote to memory of 2472	2952	DllCommonsvc.exe	61
PID 2952 wrote to memory of 2472	2952	DllCommonsvc.exe	61
PID 2472 wrote to memory of 3064	2472	Idle.exe	63
PID 2472 wrote to memory of 3064	2472	Idle.exe	63
PID 2472 wrote to memory of 3064	2472	Idle.exe	63
PID 3064 wrote to memory of 2848	3064	cmd.exe	65
PID 3064 wrote to memory of 2848	3064	cmd.exe	65
PID 3064 wrote to memory of 2848	3064	cmd.exe	65
PID 3064 wrote to memory of 2276	3064	cmd.exe	66
PID 3064 wrote to memory of 2276	3064	cmd.exe	66
PID 3064 wrote to memory of 2276	3064	cmd.exe	66
PID 2276 wrote to memory of 364	2276	Idle.exe	67
PID 2276 wrote to memory of 364	2276	Idle.exe	67
PID 2276 wrote to memory of 364	2276	Idle.exe	67
PID 364 wrote to memory of 2488	364	cmd.exe	69
PID 364 wrote to memory of 2488	364	cmd.exe	69
PID 364 wrote to memory of 2488	364	cmd.exe	69
PID 364 wrote to memory of 1816	364	cmd.exe	70
PID 364 wrote to memory of 1816	364	cmd.exe	70
PID 364 wrote to memory of 1816	364	cmd.exe	70
PID 1816 wrote to memory of 1160	1816	Idle.exe	71
PID 1816 wrote to memory of 1160	1816	Idle.exe	71
PID 1816 wrote to memory of 1160	1816	Idle.exe	71
PID 1160 wrote to memory of 2724	1160	cmd.exe	73
PID 1160 wrote to memory of 2724	1160	cmd.exe	73
PID 1160 wrote to memory of 2724	1160	cmd.exe	73
PID 1160 wrote to memory of 956	1160	cmd.exe	74
PID 1160 wrote to memory of 956	1160	cmd.exe	74
PID 1160 wrote to memory of 956	1160	cmd.exe	74
PID 956 wrote to memory of 2572	956	Idle.exe	75
PID 956 wrote to memory of 2572	956	Idle.exe	75
PID 956 wrote to memory of 2572	956	Idle.exe	75
PID 2572 wrote to memory of 1592	2572	cmd.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_325c5c6bd3fe2c8bd7b0d6097f92700f0acd3cf7821ac15a64600232306e4a77.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_325c5c6bd3fe2c8bd7b0d6097f92700f0acd3cf7821ac15a64600232306e4a77.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
    - - C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2848
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2488
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\muCkezbCVz.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2724
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1592
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat"
        14⤵
        
        PID:1184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1124
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
        16⤵
        
        PID:784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1968
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat"
        18⤵
        
        PID:1664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3048
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat"
        20⤵
        
        PID:2508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1472
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ph6jqiBtuj.bat"
        22⤵
        
        PID:1084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1324
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Gadgets\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Gadgets\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
221815db238497e89e96f1cec38c9815

SHA1
4c384b38e72105e6a1c2cb93b983e88df8a5a225

SHA256
ca76270a75845e7208327e7fc6dd0ecd0d7871d63955b8ced87b673f6fac7d16

SHA512
03bd140b410ca6d28d42b510094e9deb9babf9771c37d24b33194d48452b2b1a0b527ca2b6e58ed593d61970e2888aace35efbed4332e3c798adb23a678d4364

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3308db91a0c8717fcb96665618dada23

SHA1
fa75ae3303e5388f561286461d37573aae34cd6c

SHA256
37ffe26ed802e6e961b88541b928002a9a197c74143eecf65f2437685b42c949

SHA512
28792ad09c7a3c5658af7a544cbd058712fc3281c41f8384e44d3dd3f839c1fb4c82761aa1e83d1fd6f815246896e04dc266ad67fe4f8f09edeac67d7d92f534

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c0f3c904293d31bfb16e008b669723f

SHA1
bd539553217333223508c37111066d0e7b9a9fa5

SHA256
9852d701650d0604841a75fc323a202fcba77c14cc128d5a5962e8fd3a978ac4

SHA512
6182d9d4245425f8390500824769ab72b6a993678e1667880865de4671b6dfe278f15b057ac13bc5c95489831ad4d7d7a26958e4a4cc10c6f55b65f8ec2ba5d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db0f63e36627aed4a3fa2e6f56f4a01c

SHA1
34c0d6240b1b7e6eb2ea346412d7ce20749625a0

SHA256
cae66162c8dca01ecd815683745b16accb48a9b27db77f62d2a5186146c4845c

SHA512
ddc76937feb18db790eaec2fc5a4891ab66345260680e4ba9789e20a5a6d4b3e5c322817d17c9e5cf2fa4786562f9585d1820504870dc9a083451af17d22e034

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35c828dfba8a660583084d840524a77c

SHA1
72b5fd4c5572074b51701764e076843226663b09

SHA256
915e327c0d2a488b8dd7afb730ddcace6e0a45badfbdb74710fda3621d2287e8

SHA512
12162cad1e04b8c60c44afb7836dea3ad93ecdbbd7db9fc5c8c9d3e425baf7c6514bf12fd7c7d0aa6d9f7bd644d0221196e844593f622691bc3c5d8219b10654

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2ad331456f57d7ef36d787c655872ff

SHA1
b07bb14bfb87b54b85db08bbb956044f51336217

SHA256
6d46803a86419a59c95c8aa152de223211038603acf46d14addfb5a0f54a41f6

SHA512
0ee2bd3d6e0e6b618d83df2f5205eff337ca1b472283b4cfecb5797f583a73b3e64400aef78839c89f03536edb509b00f60c07507ec9b8e7a4f676c7854465aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17f11cef9302c909c8d256f93b775740

SHA1
191d8fdbfa8fec9dc30fa19b26528996630b1e2c

SHA256
09821af084ac27e05aaf9913f9409188fa36b8a02ee3df17d5d7e4c600974f5e

SHA512
bd269e8509eadab593615f4632674c20bb2325fb52b5ecfaabdfd6655b215684f12fa39a6e7bec2932cbe430ca5d997a434cd939aa969997b6a98eb8cc71fb80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c69472dafd5da1a5ac3af15664e0ca1

SHA1
954d0f0a47c128b03e4f5875f81e6fd1203ef69e

SHA256
c6b2849c468553057ae0151b98f9876c16b4feb8fa8b8d0f4adb02304ea38396

SHA512
fca49d898bd3ac163a0c7129dab0a8c90b378536b23cd08c5c6838d5428b28fb6b8ebaf6682070b797d4e317ba6934d1aaf39028bdc1402ad47cae701565ff8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat

Filesize
191B

MD5
fa993338bb35065bbba02b2ab5762b47

SHA1
b3ebe0254f420b25a80c9881b9254d7df9fefa93

SHA256
33a4cec4f9738850f34aa1e3163700adb403ee7d8620b99d3905caf8340aede7

SHA512
1b2f4e2b8fa30d898e1eec40275f60760c7d7ec346777317f02724abcb611b56721db9ac24591defb31e592051c6af9b8cd69c82a0b95c99fb436ba1a61032ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1650.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat

Filesize
191B

MD5
e1e1d3907b65bdaf27c33c75c9b934ef

SHA1
807c6df24c32cc08b55dd4edb1d8bedb19b30efe

SHA256
20b765593e7e763c51c2e7b50b22ed157043ed1d34f97869b605c87b18102729

SHA512
cb6577237ed1e8c0b2fdaca28d1e8630af917dc5551715068fca0c022a16ef159afb8f1eb9fe1cc879bc2e51f225c7f1a70b4acccf371322163f733e50b2f056

Download Submit
C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat

Filesize
191B

MD5
30ac1c5e9213b72e649a736ea6c63e4f

SHA1
74da6632c56eddf5484a8997210f18dba21de094

SHA256
537f8fdcdb45abbcd6f4cc98c25a2cf0ef3527f92985ee09a4896f3855a1c2a4

SHA512
c89f118f3684310a679dcd142b115008a6fbb6dc3e4843cbda5250ab0074e334b15684b3679cb200f708a3f0a2e80dcf8cc6be77801034ac577283e6327c1740

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1682.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat

Filesize
191B

MD5
36d9c2f91fc42873533a480db4455f52

SHA1
0da7816227a2d59d7261e586e3c2e360e978d496

SHA256
057e33d61839603c91736697f6e9bf115c039ff954a0d5bf42118f49d1a55b62

SHA512
93a3f2206734287fdaddc8ed8f5b5c810ecc7b05465d786c841ce7f0980b2015f38873cf36b409dc55e1749624ad652d7fae4bfebd3f871768b1c9bb57e30a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\muCkezbCVz.bat

Filesize
191B

MD5
7265a4817d13cf578ae09c689bc6d11c

SHA1
fa0823028177415d2a7f617c540e02e50785c0ed

SHA256
650490ad565d98cea2769c7c58bbcedb4d98e44a58f5f6288755abc1bc301a88

SHA512
e56897ada576dad02d866420502fc9b7d49e880b8deef25f81508d83edc81fa8f288f4b6a172abcb805da8a049952968a82c2e406666dd5b6467d80f78e15b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat

Filesize
191B

MD5
722eb78c4caa428258e934113ea3ba2c

SHA1
9c52b6831c82a644fff9d50503dd3ab8a3decf9a

SHA256
2aba2c9630e6e7fb5b680a21bdf8340f6a25a84528a7d0b6335f6db3832a01e8

SHA512
ea27ba3ec746fcb483e04a718c1d4f67d89699430a895e512671f7673753c7ed3f106985ad6c9ae482e3569fd97a9c0f650d903b651fc640d40fd8ca5ae39aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ph6jqiBtuj.bat

Filesize
191B

MD5
740023b8d9676ee7caa0a18923bc46bb

SHA1
8f2de7b124ec1fb840a1c88e85055bc6bf511640

SHA256
bfc357f9830ce7db3166addea1738f628413ee707e37b05ca0528981f177e12e

SHA512
4ade5800d558dde43339a81ff18a7a548991e157f96b0bd2bc2e1483fb32f5a39b337e723b6c19a4f572b8d402e4ee2d3c031e19d24d842e1b44bcb1cb686787

Download Submit
C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat

Filesize
191B

MD5
2a642854fed924d6cd2f5462410dfde7

SHA1
8febc6a5ac1c15ec03c8b8c7156af2dce3c63e5f

SHA256
6a215956fb43f75406f0a83d7a6f3bc22b820c03b0b27d6677df919bcac8f393

SHA512
3ccbc88d1830a78f51ea2867baae893265bd2fe59118c6ed7c17ba8af1e4ad79d4b2054a0625a1140b862c682a1ae8404d39fb87748f50593db5a9da64b60304

Download Submit
C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat

Filesize
191B

MD5
49eb27d7d32f9dd3ea753e65632b2e76

SHA1
7bd622d8a106ffedded06fa924b9a9bd3b5a2106

SHA256
68d4cd9e984f311e252093ef049326632a15bc2d352cd110b92408376953ca4b

SHA512
7bef021a99c068ae02124aa8332b910c8a00e68e41ffcd9cff336f4236afa1b1e875789e1e4bde0d1f5a3d18ca5a82c9dc590fb68f33c6ec10a1095f0d4af69e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TUC0VYLLPSEK6JV35WVR.temp

Filesize
7KB

MD5
1c169ed1a113519ade005dc2844c6eb6

SHA1
c3c1000a70c226c571e25097ccc24c58649f0b26

SHA256
2b2480b8a6b713a7446f9e7c76f43109fbd0612017ca5bcbffd40acd19699c26

SHA512
0aae442a832e42a296f92e406a7aebafdf760dcc5fc418cba70082c50f24bd39d85bb88995be922604ccfb57945235491154325b071bd8fb306b00a257bd3376

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/592-296-0x0000000001110000-0x0000000001220000-memory.dmp

Filesize
1.1MB

Download
memory/592-297-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/1968-48-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

Filesize
2.9MB

Download
memory/2076-49-0x0000000002620000-0x0000000002628000-memory.dmp

Filesize
32KB

Download
memory/2276-118-0x00000000010C0000-0x00000000011D0000-memory.dmp

Filesize
1.1MB

Download
memory/2472-34-0x0000000000DF0000-0x0000000000F00000-memory.dmp

Filesize
1.1MB

Download
memory/2952-15-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2952-17-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2952-16-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2952-13-0x0000000001160000-0x0000000001270000-memory.dmp

Filesize
1.1MB

Download
memory/2952-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download