dcrat | 874447ea916aafeb6d46ecf8f0ebd69c0779f55ccd4d2622d8b421297fdbf57d

Analysis

max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_874447ea916aafeb6d46ecf8f0ebd69c0779f55ccd4d2622d8b421297fdbf57d.exe
Size

1.3MB
MD5

bfedebc7302862da60380cfdebb6aac2
SHA1

de970fbd7df0f04bda36eea936b80abf14269e7f
SHA256

874447ea916aafeb6d46ecf8f0ebd69c0779f55ccd4d2622d8b421297fdbf57d
SHA512

280ee8d12842df58ad78a17a120c9d238e77d048c91ff8bad46497a496d30e73f3bd3e8fc80b9136bd2e32ceffbfb2069d430c6dda4395760fd5616e71bc8fba
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2992	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000019605-9.dat	dcrat
behavioral1/memory/3060-13-0x0000000000900000-0x0000000000A10000-memory.dmp	dcrat
behavioral1/memory/2428-32-0x00000000002B0000-0x00000000003C0000-memory.dmp	dcrat
behavioral1/memory/1644-104-0x0000000000E60000-0x0000000000F70000-memory.dmp	dcrat
behavioral1/memory/2744-164-0x0000000000020000-0x0000000000130000-memory.dmp	dcrat
behavioral1/memory/3012-224-0x00000000009F0000-0x0000000000B00000-memory.dmp	dcrat
behavioral1/memory/2952-284-0x0000000000E10000-0x0000000000F20000-memory.dmp	dcrat
behavioral1/memory/2800-403-0x0000000000E90000-0x0000000000FA0000-memory.dmp	dcrat
behavioral1/memory/808-464-0x00000000012F0000-0x0000000001400000-memory.dmp	dcrat
behavioral1/memory/2984-583-0x0000000001330000-0x0000000001440000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1144	powershell.exe
2636	powershell.exe
2024	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
3060	DllCommonsvc.exe
2428	Idle.exe
1644	Idle.exe
2744	Idle.exe
3012	Idle.exe
2952	Idle.exe
1696	Idle.exe
2800	Idle.exe
808	Idle.exe
1312	Idle.exe
2984	Idle.exe
2164	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2928	cmd.exe
2928	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
5	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com
38	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\a76d7bf15d8370	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\en-US\Idle.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\en-US\6ccacd8608530f	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_874447ea916aafeb6d46ecf8f0ebd69c0779f55ccd4d2622d8b421297fdbf57d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1388	schtasks.exe
2696	schtasks.exe
1428	schtasks.exe
2820	schtasks.exe
1756	schtasks.exe
2664	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
3060	DllCommonsvc.exe
2636	powershell.exe
1144	powershell.exe
2024	powershell.exe
2428	Idle.exe
1644	Idle.exe
2744	Idle.exe
3012	Idle.exe
2952	Idle.exe
1696	Idle.exe
2800	Idle.exe
808	Idle.exe
1312	Idle.exe
2984	Idle.exe
2164	Idle.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	DllCommonsvc.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	2428	Idle.exe
Token: SeDebugPrivilege	1644	Idle.exe
Token: SeDebugPrivilege	2744	Idle.exe
Token: SeDebugPrivilege	3012	Idle.exe
Token: SeDebugPrivilege	2952	Idle.exe
Token: SeDebugPrivilege	1696	Idle.exe
Token: SeDebugPrivilege	2800	Idle.exe
Token: SeDebugPrivilege	808	Idle.exe
Token: SeDebugPrivilege	1312	Idle.exe
Token: SeDebugPrivilege	2984	Idle.exe
Token: SeDebugPrivilege	2164	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2028	2300	JaffaCakes118_874447ea916aafeb6d46ecf8f0ebd69c0779f55ccd4d2622d8b421297fdbf57d.exe	30
PID 2300 wrote to memory of 2028	2300	JaffaCakes118_874447ea916aafeb6d46ecf8f0ebd69c0779f55ccd4d2622d8b421297fdbf57d.exe	30
PID 2300 wrote to memory of 2028	2300	JaffaCakes118_874447ea916aafeb6d46ecf8f0ebd69c0779f55ccd4d2622d8b421297fdbf57d.exe	30
PID 2300 wrote to memory of 2028	2300	JaffaCakes118_874447ea916aafeb6d46ecf8f0ebd69c0779f55ccd4d2622d8b421297fdbf57d.exe	30
PID 2028 wrote to memory of 2928	2028	WScript.exe	31
PID 2028 wrote to memory of 2928	2028	WScript.exe	31
PID 2028 wrote to memory of 2928	2028	WScript.exe	31
PID 2028 wrote to memory of 2928	2028	WScript.exe	31
PID 2928 wrote to memory of 3060	2928	cmd.exe	33
PID 2928 wrote to memory of 3060	2928	cmd.exe	33
PID 2928 wrote to memory of 3060	2928	cmd.exe	33
PID 2928 wrote to memory of 3060	2928	cmd.exe	33
PID 3060 wrote to memory of 2636	3060	DllCommonsvc.exe	41
PID 3060 wrote to memory of 2636	3060	DllCommonsvc.exe	41
PID 3060 wrote to memory of 2636	3060	DllCommonsvc.exe	41
PID 3060 wrote to memory of 2024	3060	DllCommonsvc.exe	42
PID 3060 wrote to memory of 2024	3060	DllCommonsvc.exe	42
PID 3060 wrote to memory of 2024	3060	DllCommonsvc.exe	42
PID 3060 wrote to memory of 1144	3060	DllCommonsvc.exe	43
PID 3060 wrote to memory of 1144	3060	DllCommonsvc.exe	43
PID 3060 wrote to memory of 1144	3060	DllCommonsvc.exe	43
PID 3060 wrote to memory of 2428	3060	DllCommonsvc.exe	47
PID 3060 wrote to memory of 2428	3060	DllCommonsvc.exe	47
PID 3060 wrote to memory of 2428	3060	DllCommonsvc.exe	47
PID 2428 wrote to memory of 552	2428	Idle.exe	48
PID 2428 wrote to memory of 552	2428	Idle.exe	48
PID 2428 wrote to memory of 552	2428	Idle.exe	48
PID 552 wrote to memory of 1488	552	cmd.exe	50
PID 552 wrote to memory of 1488	552	cmd.exe	50
PID 552 wrote to memory of 1488	552	cmd.exe	50
PID 552 wrote to memory of 1644	552	cmd.exe	51
PID 552 wrote to memory of 1644	552	cmd.exe	51
PID 552 wrote to memory of 1644	552	cmd.exe	51
PID 1644 wrote to memory of 1484	1644	Idle.exe	52
PID 1644 wrote to memory of 1484	1644	Idle.exe	52
PID 1644 wrote to memory of 1484	1644	Idle.exe	52
PID 1484 wrote to memory of 2300	1484	cmd.exe	54
PID 1484 wrote to memory of 2300	1484	cmd.exe	54
PID 1484 wrote to memory of 2300	1484	cmd.exe	54
PID 1484 wrote to memory of 2744	1484	cmd.exe	55
PID 1484 wrote to memory of 2744	1484	cmd.exe	55
PID 1484 wrote to memory of 2744	1484	cmd.exe	55
PID 2744 wrote to memory of 1840	2744	Idle.exe	56
PID 2744 wrote to memory of 1840	2744	Idle.exe	56
PID 2744 wrote to memory of 1840	2744	Idle.exe	56
PID 1840 wrote to memory of 2152	1840	cmd.exe	58
PID 1840 wrote to memory of 2152	1840	cmd.exe	58
PID 1840 wrote to memory of 2152	1840	cmd.exe	58
PID 1840 wrote to memory of 3012	1840	cmd.exe	59
PID 1840 wrote to memory of 3012	1840	cmd.exe	59
PID 1840 wrote to memory of 3012	1840	cmd.exe	59
PID 3012 wrote to memory of 884	3012	Idle.exe	60
PID 3012 wrote to memory of 884	3012	Idle.exe	60
PID 3012 wrote to memory of 884	3012	Idle.exe	60
PID 884 wrote to memory of 1680	884	cmd.exe	62
PID 884 wrote to memory of 1680	884	cmd.exe	62
PID 884 wrote to memory of 1680	884	cmd.exe	62
PID 884 wrote to memory of 2952	884	cmd.exe	63
PID 884 wrote to memory of 2952	884	cmd.exe	63
PID 884 wrote to memory of 2952	884	cmd.exe	63
PID 2952 wrote to memory of 804	2952	Idle.exe	64
PID 2952 wrote to memory of 804	2952	Idle.exe	64
PID 2952 wrote to memory of 804	2952	Idle.exe	64
PID 804 wrote to memory of 1612	804	cmd.exe	66

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_874447ea916aafeb6d46ecf8f0ebd69c0779f55ccd4d2622d8b421297fdbf57d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_874447ea916aafeb6d46ecf8f0ebd69c0779f55ccd4d2622d8b421297fdbf57d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\en-US\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
    - - C:\Windows\PolicyDefinitions\en-US\Idle.exe
        
        "C:\Windows\PolicyDefinitions\en-US\Idle.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1488
        
        C:\Windows\PolicyDefinitions\en-US\Idle.exe
        
        "C:\Windows\PolicyDefinitions\en-US\Idle.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7hfvN6zFDa.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2300
        
        C:\Windows\PolicyDefinitions\en-US\Idle.exe
        
        "C:\Windows\PolicyDefinitions\en-US\Idle.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2152
        
        C:\Windows\PolicyDefinitions\en-US\Idle.exe
        
        "C:\Windows\PolicyDefinitions\en-US\Idle.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1680
        
        C:\Windows\PolicyDefinitions\en-US\Idle.exe
        
        "C:\Windows\PolicyDefinitions\en-US\Idle.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1612
        
        C:\Windows\PolicyDefinitions\en-US\Idle.exe
        
        "C:\Windows\PolicyDefinitions\en-US\Idle.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cnsnMHUbNI.bat"
        16⤵
        
        PID:1388
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3000
        
        C:\Windows\PolicyDefinitions\en-US\Idle.exe
        
        "C:\Windows\PolicyDefinitions\en-US\Idle.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZDYK5nApHO.bat"
        18⤵
        
        PID:1192
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2492
        
        C:\Windows\PolicyDefinitions\en-US\Idle.exe
        
        "C:\Windows\PolicyDefinitions\en-US\Idle.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat"
        20⤵
        
        PID:352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2016
        
        C:\Windows\PolicyDefinitions\en-US\Idle.exe
        
        "C:\Windows\PolicyDefinitions\en-US\Idle.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNnEytbzjv.bat"
        22⤵
        
        PID:2904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2968
        
        C:\Windows\PolicyDefinitions\en-US\Idle.exe
        
        "C:\Windows\PolicyDefinitions\en-US\Idle.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat"
        24⤵
        
        PID:2140
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2188
        
        C:\Windows\PolicyDefinitions\en-US\Idle.exe
        
        "C:\Windows\PolicyDefinitions\en-US\Idle.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\en-US\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\7-Zip\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a723a98a4d987228f749eea1f6ae9dbb

SHA1
2826dcf483aad776abc41c089a0c4a967018c8ab

SHA256
37dc908025b74e471b947ba1f36c3442b373cf6100f47bce7606a47a19d239fa

SHA512
39dcac5e3a682fd688ab189a487fce9bcef0ddb38ee457ad7b4a015a464e44ad2cb31cbe2e2a36fb6a3b57d79933d3ced8bdd3b8286136d0c7a808feb38f9568

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
88b21b91858b9d0749fc75712bc07b15

SHA1
cbc68a668f1318003a70db14357dc6b4ba2ffe1a

SHA256
f331ab5aac696ff782cfaf004de0452b32154774e00d0aa8b9735eb37afe73a1

SHA512
1b1c019863798792b9040c86f6c4b8f3faacdaf51ae5025a3af1085fd924252d627fba1cbf848992988cff2c4bb6a0db86c0b92f23bbbcc7809ab10c47a07c77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9b85d8a9cc9ce1f98a7c7a5462d966e

SHA1
cf7a36dfa3b5b96dbc2d734a70ee2628fd5aabba

SHA256
6029b69cb2bf7f6d30a90e68303ef2e42c8bdddb450ebf902871ab62b6e06e54

SHA512
be8ce0df4a7711dc2da600add21a527b9707a75487b7e758e462145d1f218f2ac2632e5646ac08daaf9f6301afa74b81208262ef110e83a991bfdb8d426a53a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eca675985663a20a4cfffaa2fbe7f3ed

SHA1
9f13f2ee8132c9181b78fe7625abe4fd25ea3e1b

SHA256
1c232ce0148a7bc92891266d714d6ec3b583e53b70368abd8421161506da08e3

SHA512
a489657a92f0ef397054c4d643d59f9a60fe86a320751aa6fa559bc3c52a8a0021f84103bfada6fea804d2add335854f91c99217b8748ef4b8407f30d0e7341b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d8a736961d532cba59fd62e29f0e061

SHA1
cac2cf2d5b01815a80414f7079846c4067b655c8

SHA256
6e0ccd31c7a9690c679ede917a729e1047541f1436f6742f55c4691ef1a2033a

SHA512
88d7edcbb862725e9d0d84a5de23d51aaafd95e147b45a96878fca488492a07f1edc902e9defc2698004d8c0e74428ad043e67bb2dc76642e3ad9c7827217c0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc31a3ad9922bb8f6ee98f65b71ce101

SHA1
c59f474e42d1a65b347f4ecdf97110d6d1adda87

SHA256
688b551101fbd984b102216f96b530196ab8f89bbf871197bb1bf3abede8f6b0

SHA512
3c1ba793ba195a5ce823f9bab2983ac8f6a0b4b9c3df57fc74bfe322c0adfd5ad1ecff1465f1ca8eff9ba19a183f72cbeb7aa6c864c67a170cfdf268a553a9aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6752e368ccb9b291a3ecbacaca110a75

SHA1
ed17b9091314af7eeafec39676e718d7aee539d9

SHA256
11d575eb8116507d8eb98bd73700f4c86a97489d8a522adc3c67bb2aa92f6da5

SHA512
b3e570aa79633d884802011ded71eb819743e12ffffcb05b19d35db46b76a2d61d2c7e8a5532165824b6202dce83f1c345eb08449136733c1e99ee8cc156031f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c279c768dee1fe016d57447972d9906f

SHA1
cd5fc8a5d355628844fa01928ef9aefe5e59c094

SHA256
89643b541edf149bcc07a2d5f659251c493cb8465107b565490a4c9575766bb6

SHA512
106d88603370ed14128997e03dff0fe80d586536bc5c696ccff3d8d58831db00f4511ad123e00771370d5fbea433d189c2772a7332be9270663702a154910d26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ffdfa7033093450393493f1ec3964a63

SHA1
88dd2a0d98e2dcd7cccfc620bdf9becf3c4a3fbd

SHA256
c5e2b77437c0f98e1f0ce4d87a88edbab8c359da77e8f8a6d3f60898867fea2b

SHA512
9bcf7a573bc4213c4a5b049b934ac4c8f9935e5976e03ee62f85b25989164c03e50dadb1a758472c767c15bd108e9c393eeaed4d1592128f6156ec3d769dee8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7hfvN6zFDa.bat

Filesize
208B

MD5
72b5d55e06aa107b4bf6391333e6bd33

SHA1
177fbfae8a8ac5bfae647a57d1c94cc03f3bf157

SHA256
373cc454df46e6b66832d323c76bb27fa7d285f34d43ef63dbaea037ff568b0b

SHA512
39a334b35edcf899c9b734a853df1d941223217a1b8ce87d0fda6b2edc00b5b08f61614e825fa744c2d46f4fd4ac6a873f9b916b6446ef933c4761ca3d563136

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEC35.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat

Filesize
208B

MD5
dfb59a74e7e59b5e7ce83bd58bbbcd34

SHA1
c9b83306e490962b2d71491251873f8f5d057e4a

SHA256
381ba1eb813db9c442c05f90a71bed7621da5fe3e2c672872d27722020984957

SHA512
1ef1115112e56a6fc8faec34b02770f7eb4aa84a4ad3c7aee776c73685bd1a4168fb734895933c5b581d1b3e812cf15b55798ef9bdf6f75340f47590594fd6ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat

Filesize
208B

MD5
3a44a6af5b310ce3eec255f6bae86e94

SHA1
c95fd44f248db95b1d70aff02f0057e4f6852b8d

SHA256
c2ff9d320825721b7af4ed18ed754d1e6fd1f5a097502b7d506e276453e0ce6f

SHA512
2d0a10380b76956ae3251de78f5d340dfa52670c3bb564495849dc65a2bcdb0c1adf5088b6be98f4494cb7923eb27d5fc075bee858e7ee41a8b5739ef4b9fe2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat

Filesize
208B

MD5
a40f259d9fbb38ecea2f147605ee30e3

SHA1
ea174d410d89042ccdc7b03f1f57b68774c902d8

SHA256
dd888fe82329ec99c6ea735877fd5c21588bc1deab347e4de98db53db3dc303d

SHA512
12a898c6925aef871820615fedf124f7f069e6c7c7148f9a650b728aae9dc308e4e004c41070556fc689ab487e35a9a3671d3bfacf942794cb1e5c9b5b36fdb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SNnEytbzjv.bat

Filesize
208B

MD5
5d1c8c2b92e87f6578a1c26d62000efb

SHA1
97f1442916013f719b0b00ea5798e925aed81f3a

SHA256
e00b7e2f94ca23b8a4268675ae1a3a80e8f17c85f8afddac1f2b57fffaff8dc3

SHA512
c5aff7bf41416be24c66648380cbb6eb4a268ad40a788731bdc980fcc2aa3ce50f2d7bbdb3e9d275beddc4b50c05f14fe63247636ebfe17da198a505b8206394

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEC47.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZDYK5nApHO.bat

Filesize
208B

MD5
6b92f180bff5cf272e95288d81164959

SHA1
d7a99848d93323b40229409b317410dc131a34c7

SHA256
301c441c8c3ab09f00e410133a386f55f52c4b02b52fcdbacf62b761fc62a87e

SHA512
2a2fdb85c19050d068e1a49239f512d049a374fdd803c09d87ca02e116ac9ba4bed143524a07b65de943b9b789a297257a1f24eca9b3aa9b998fdd057c6da04e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cnsnMHUbNI.bat

Filesize
208B

MD5
4cf7f3cd08123fab0fb0167ba416602e

SHA1
053204fe58f5ba970286f87649fa2cc034709442

SHA256
b98295c1b685e2c75204c02d50e323528ef49ff54cb36eaf3a91d7982c0f4b6b

SHA512
3c7c3e1153527b9d03601fd482053e7a6a67dcf4f175cf838624e4ce8243a6b06b7f36f5f391a013fffeff0966ba5d27efd820347f8297754f5877c1e7997fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat

Filesize
208B

MD5
b2ee8d733deea3f69edc8513db50265f

SHA1
28747b58b4a8de6a69fc87fe8b91dbeb4e637c50

SHA256
95df8c7be6e57d37295ced391264518331bec742798670ca006e52a9565f7c55

SHA512
c7d06f52d3e56bd8417c8acc5c7bce426a8a9bfe647326dae93eaf60d5da204253edb251da6861ee1a9e4d863675b5d17aa4778a6d75f851905f97da87f0569d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat

Filesize
208B

MD5
9f6315603ff87f5d796a685a4ee70047

SHA1
3905d1cd76179371574c16ea39b62b77af8049fd

SHA256
37610a885d84d36334e24e951e13e9f7fd9439f8614ba5f646fdb23dc2aefb96

SHA512
84320669321cdfb40fe29ce48cee5455aa59c81cc075bd0105dd9b12684048f0959c82e2d62ddb312b55fa640fa2b32ce7b69c7ae5ee17db9de9f358c8c01866

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat

Filesize
208B

MD5
6f9aaca4cadbe02c6612444b43ac9e9d

SHA1
0591383654bb3220b52e8e6e86b6d029807f6ca2

SHA256
f3bf170604cec091f70a91d4e2c28991f73c673c2cba1eeb9b115c6608af2438

SHA512
5a604edc9d3f5f9c0fa7b155593f05f2e6ec0a50a05f5e287c71706bf42b2b38c85965aa6384931908a9e8699dd9d73f216dadac3d3064088f0976a9354161d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5cc43c303598a18fbf7ee602cca6856f

SHA1
3e4a9f22f94df9bc0ecaafce5f31242f3cbb59de

SHA256
b19e7e68927975f65457c29b72ea4ee30214a22501c9cf62d3b180fc33894beb

SHA512
5206f98f2706f8cea1410907cc5025eda973426cfa386d0f66348ec86245a89cdf3712fa9b3c15f4caee1ec4d237e861e4762f807666592478deca16a73b76f8

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/808-464-0x00000000012F0000-0x0000000001400000-memory.dmp

Filesize
1.1MB

Download
memory/1144-34-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/1644-104-0x0000000000E60000-0x0000000000F70000-memory.dmp

Filesize
1.1MB

Download
memory/2164-644-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/2428-32-0x00000000002B0000-0x00000000003C0000-memory.dmp

Filesize
1.1MB

Download
memory/2428-45-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/2636-40-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2744-164-0x0000000000020000-0x0000000000130000-memory.dmp

Filesize
1.1MB

Download
memory/2800-404-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2800-403-0x0000000000E90000-0x0000000000FA0000-memory.dmp

Filesize
1.1MB

Download
memory/2952-284-0x0000000000E10000-0x0000000000F20000-memory.dmp

Filesize
1.1MB

Download
memory/2984-583-0x0000000001330000-0x0000000001440000-memory.dmp

Filesize
1.1MB

Download
memory/2984-584-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/3012-224-0x00000000009F0000-0x0000000000B00000-memory.dmp

Filesize
1.1MB

Download
memory/3060-17-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/3060-16-0x0000000000150000-0x000000000015C000-memory.dmp

Filesize
48KB

Download
memory/3060-15-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/3060-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/3060-13-0x0000000000900000-0x0000000000A10000-memory.dmp

Filesize
1.1MB

Download