dcrat | c9c6c9e274579345cf63a1580fd4a9531e19009effebedcccd32689947af6289

Analysis

max time kernel
142s
max time network
138s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c9c6c9e274579345cf63a1580fd4a9531e19009effebedcccd32689947af6289.exe
Size

1.3MB
MD5

530fb704eea09083c4c69c018a6e0773
SHA1

bc7c020fb3b4d0739b0290ecc41a814f89a27d71
SHA256

c9c6c9e274579345cf63a1580fd4a9531e19009effebedcccd32689947af6289
SHA512

5c8f1afd1076273643e2b2991c24995d59dd86328add7893e7bfc59910cdacb5ceec8c48ad24b138ab2af693a00cf82156440112e2349432797b26b24f106859
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2620	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016b86-9.dat	dcrat
behavioral1/memory/2780-13-0x0000000000090000-0x00000000001A0000-memory.dmp	dcrat
behavioral1/memory/2396-45-0x0000000000B00000-0x0000000000C10000-memory.dmp	dcrat
behavioral1/memory/2940-163-0x0000000000330000-0x0000000000440000-memory.dmp	dcrat
behavioral1/memory/2112-224-0x0000000000C10000-0x0000000000D20000-memory.dmp	dcrat
behavioral1/memory/1040-284-0x0000000000230000-0x0000000000340000-memory.dmp	dcrat
behavioral1/memory/2700-344-0x0000000001060000-0x0000000001170000-memory.dmp	dcrat
behavioral1/memory/2364-463-0x0000000000270000-0x0000000000380000-memory.dmp	dcrat
behavioral1/memory/1884-523-0x0000000000BF0000-0x0000000000D00000-memory.dmp	dcrat
behavioral1/memory/2116-583-0x0000000001170000-0x0000000001280000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1220	powershell.exe
300	powershell.exe
664	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2780	DllCommonsvc.exe
2396	WmiPrvSE.exe
2412	WmiPrvSE.exe
2940	WmiPrvSE.exe
2112	WmiPrvSE.exe
1040	WmiPrvSE.exe
2700	WmiPrvSE.exe
2704	WmiPrvSE.exe
2364	WmiPrvSE.exe
1884	WmiPrvSE.exe
2116	WmiPrvSE.exe
2076	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
2824	cmd.exe
2824	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
19	raw.githubusercontent.com
29	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\WmiPrvSE.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\AppCompat\Programs\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\AppCompat\Programs\24dbde2999530e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c9c6c9e274579345cf63a1580fd4a9531e19009effebedcccd32689947af6289.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
348	schtasks.exe
2288	schtasks.exe
1632	schtasks.exe
2068	schtasks.exe
3028	schtasks.exe
1012	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2780	DllCommonsvc.exe
1220	powershell.exe
664	powershell.exe
300	powershell.exe
2396	WmiPrvSE.exe
2412	WmiPrvSE.exe
2940	WmiPrvSE.exe
2112	WmiPrvSE.exe
1040	WmiPrvSE.exe
2700	WmiPrvSE.exe
2704	WmiPrvSE.exe
2364	WmiPrvSE.exe
1884	WmiPrvSE.exe
2116	WmiPrvSE.exe
2076	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	DllCommonsvc.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	664	powershell.exe
Token: SeDebugPrivilege	300	powershell.exe
Token: SeDebugPrivilege	2396	WmiPrvSE.exe
Token: SeDebugPrivilege	2412	WmiPrvSE.exe
Token: SeDebugPrivilege	2940	WmiPrvSE.exe
Token: SeDebugPrivilege	2112	WmiPrvSE.exe
Token: SeDebugPrivilege	1040	WmiPrvSE.exe
Token: SeDebugPrivilege	2700	WmiPrvSE.exe
Token: SeDebugPrivilege	2704	WmiPrvSE.exe
Token: SeDebugPrivilege	2364	WmiPrvSE.exe
Token: SeDebugPrivilege	1884	WmiPrvSE.exe
Token: SeDebugPrivilege	2116	WmiPrvSE.exe
Token: SeDebugPrivilege	2076	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 2816	1204	JaffaCakes118_c9c6c9e274579345cf63a1580fd4a9531e19009effebedcccd32689947af6289.exe	30
PID 1204 wrote to memory of 2816	1204	JaffaCakes118_c9c6c9e274579345cf63a1580fd4a9531e19009effebedcccd32689947af6289.exe	30
PID 1204 wrote to memory of 2816	1204	JaffaCakes118_c9c6c9e274579345cf63a1580fd4a9531e19009effebedcccd32689947af6289.exe	30
PID 1204 wrote to memory of 2816	1204	JaffaCakes118_c9c6c9e274579345cf63a1580fd4a9531e19009effebedcccd32689947af6289.exe	30
PID 2816 wrote to memory of 2824	2816	WScript.exe	31
PID 2816 wrote to memory of 2824	2816	WScript.exe	31
PID 2816 wrote to memory of 2824	2816	WScript.exe	31
PID 2816 wrote to memory of 2824	2816	WScript.exe	31
PID 2824 wrote to memory of 2780	2824	cmd.exe	33
PID 2824 wrote to memory of 2780	2824	cmd.exe	33
PID 2824 wrote to memory of 2780	2824	cmd.exe	33
PID 2824 wrote to memory of 2780	2824	cmd.exe	33
PID 2780 wrote to memory of 664	2780	DllCommonsvc.exe	41
PID 2780 wrote to memory of 664	2780	DllCommonsvc.exe	41
PID 2780 wrote to memory of 664	2780	DllCommonsvc.exe	41
PID 2780 wrote to memory of 1220	2780	DllCommonsvc.exe	42
PID 2780 wrote to memory of 1220	2780	DllCommonsvc.exe	42
PID 2780 wrote to memory of 1220	2780	DllCommonsvc.exe	42
PID 2780 wrote to memory of 300	2780	DllCommonsvc.exe	43
PID 2780 wrote to memory of 300	2780	DllCommonsvc.exe	43
PID 2780 wrote to memory of 300	2780	DllCommonsvc.exe	43
PID 2780 wrote to memory of 2156	2780	DllCommonsvc.exe	46
PID 2780 wrote to memory of 2156	2780	DllCommonsvc.exe	46
PID 2780 wrote to memory of 2156	2780	DllCommonsvc.exe	46
PID 2156 wrote to memory of 2220	2156	cmd.exe	49
PID 2156 wrote to memory of 2220	2156	cmd.exe	49
PID 2156 wrote to memory of 2220	2156	cmd.exe	49
PID 2156 wrote to memory of 2396	2156	cmd.exe	50
PID 2156 wrote to memory of 2396	2156	cmd.exe	50
PID 2156 wrote to memory of 2396	2156	cmd.exe	50
PID 2396 wrote to memory of 1932	2396	WmiPrvSE.exe	51
PID 2396 wrote to memory of 1932	2396	WmiPrvSE.exe	51
PID 2396 wrote to memory of 1932	2396	WmiPrvSE.exe	51
PID 1932 wrote to memory of 1248	1932	cmd.exe	53
PID 1932 wrote to memory of 1248	1932	cmd.exe	53
PID 1932 wrote to memory of 1248	1932	cmd.exe	53
PID 1932 wrote to memory of 2412	1932	cmd.exe	54
PID 1932 wrote to memory of 2412	1932	cmd.exe	54
PID 1932 wrote to memory of 2412	1932	cmd.exe	54
PID 2412 wrote to memory of 2676	2412	WmiPrvSE.exe	55
PID 2412 wrote to memory of 2676	2412	WmiPrvSE.exe	55
PID 2412 wrote to memory of 2676	2412	WmiPrvSE.exe	55
PID 2676 wrote to memory of 2808	2676	cmd.exe	57
PID 2676 wrote to memory of 2808	2676	cmd.exe	57
PID 2676 wrote to memory of 2808	2676	cmd.exe	57
PID 2676 wrote to memory of 2940	2676	cmd.exe	58
PID 2676 wrote to memory of 2940	2676	cmd.exe	58
PID 2676 wrote to memory of 2940	2676	cmd.exe	58
PID 2940 wrote to memory of 1396	2940	WmiPrvSE.exe	59
PID 2940 wrote to memory of 1396	2940	WmiPrvSE.exe	59
PID 2940 wrote to memory of 1396	2940	WmiPrvSE.exe	59
PID 1396 wrote to memory of 1656	1396	cmd.exe	61
PID 1396 wrote to memory of 1656	1396	cmd.exe	61
PID 1396 wrote to memory of 1656	1396	cmd.exe	61
PID 1396 wrote to memory of 2112	1396	cmd.exe	62
PID 1396 wrote to memory of 2112	1396	cmd.exe	62
PID 1396 wrote to memory of 2112	1396	cmd.exe	62
PID 2112 wrote to memory of 2108	2112	WmiPrvSE.exe	63
PID 2112 wrote to memory of 2108	2112	WmiPrvSE.exe	63
PID 2112 wrote to memory of 2108	2112	WmiPrvSE.exe	63
PID 2108 wrote to memory of 876	2108	cmd.exe	65
PID 2108 wrote to memory of 876	2108	cmd.exe	65
PID 2108 wrote to memory of 876	2108	cmd.exe	65
PID 2108 wrote to memory of 1040	2108	cmd.exe	66

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c9c6c9e274579345cf63a1580fd4a9531e19009effebedcccd32689947af6289.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c9c6c9e274579345cf63a1580fd4a9531e19009effebedcccd32689947af6289.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppCompat\Programs\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:300
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yAg1i3HYFu.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2156
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2220
      - C:\Windows\AppCompat\Programs\WmiPrvSE.exe
        
        "C:\Windows\AppCompat\Programs\WmiPrvSE.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3HNGHapxv4.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1248
        
        C:\Windows\AppCompat\Programs\WmiPrvSE.exe
        
        "C:\Windows\AppCompat\Programs\WmiPrvSE.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2808
        
        C:\Windows\AppCompat\Programs\WmiPrvSE.exe
        
        "C:\Windows\AppCompat\Programs\WmiPrvSE.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Oj9OucH8K.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1656
        
        C:\Windows\AppCompat\Programs\WmiPrvSE.exe
        
        "C:\Windows\AppCompat\Programs\WmiPrvSE.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:876
        
        C:\Windows\AppCompat\Programs\WmiPrvSE.exe
        
        "C:\Windows\AppCompat\Programs\WmiPrvSE.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z3bbUpz34c.bat"
        15⤵
        
        PID:2996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1948
        
        C:\Windows\AppCompat\Programs\WmiPrvSE.exe
        
        "C:\Windows\AppCompat\Programs\WmiPrvSE.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\djCrJd6RmA.bat"
        17⤵
        
        PID:2568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2712
        
        C:\Windows\AppCompat\Programs\WmiPrvSE.exe
        
        "C:\Windows\AppCompat\Programs\WmiPrvSE.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SU2rmp5bpW.bat"
        19⤵
        
        PID:676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2724
        
        C:\Windows\AppCompat\Programs\WmiPrvSE.exe
        
        "C:\Windows\AppCompat\Programs\WmiPrvSE.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MUFyTxLHSg.bat"
        21⤵
        
        PID:1404
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:3004
        
        C:\Windows\AppCompat\Programs\WmiPrvSE.exe
        
        "C:\Windows\AppCompat\Programs\WmiPrvSE.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wNwF62sylT.bat"
        23⤵
        
        PID:2244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1392
        
        C:\Windows\AppCompat\Programs\WmiPrvSE.exe
        
        "C:\Windows\AppCompat\Programs\WmiPrvSE.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat"
        25⤵
        
        PID:2180
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2168
        
        C:\Windows\AppCompat\Programs\WmiPrvSE.exe
        
        "C:\Windows\AppCompat\Programs\WmiPrvSE.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\AppCompat\Programs\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\AppCompat\Programs\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a3a06857adc3dc855c2780a7b9f8a70

SHA1
914fd0da03e6c16e707b6b2c98389f995dd67cf5

SHA256
ad2051d49265e6701a222e6781320670a0c3527d7a1009d21c97a7ca2045a0e8

SHA512
5365d6878dc51201e4f74d159241bf539a3df9ffe3e5e5a38b863d39a76717e9fb210b28448d926a70e19df8825bd5cf1b8aab584eec7cf5a4d0ab4ca326020d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b62f4cc79111db386e0b3145c49eeda

SHA1
f5f372af287707a4edf34efff06b7e7710d94671

SHA256
123d0a8f6851953eba08040fd712d2ff369250f82716a38ad0eaec47f76b5475

SHA512
2272fe55535158d50589046ac35150c42ed08f0dd7d571fc44f02c16082b828f4f536203814d1791d4bbe992375babff9af4e02f782f8733ea9d9c887153fc69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e8d31cfaaece7385caf9785478051fa

SHA1
344f4a951cb4e0446fe1ee5a3a1279d5ca3dd28a

SHA256
5f7dfcb547afb089af0496d2234ff486899568772b7fb2980c72b7b1839c299f

SHA512
026cbeb8bdab2f604804d9bafa883057c35751dee3bbcfecb29c2a2ae1b983b5fdb1a50e4b41b542f2c4457a4ddbe1585eac7faa37bbba906aa3c7cddf18d9ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
827d0b593bae3e6281d413adbdb6c40f

SHA1
e6d29f2736720926adba4804133715856bb846b5

SHA256
a7f3790e75598e1bbf190a6b8ec778ce2285bff538f6e58ca709bd8cef6802fd

SHA512
a93fd46430b6daa13ab6ae62cb96b291a188dca70119e4d28e85765252797e3d4459d7a3f5fea67021d6a89f682d4eb80b6bcec1b9e0b2e64a351c042c03b49f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
637698b97584a84ed705d76f132b92bc

SHA1
93e1d9afe98c3cbf7574cb86ba93150a47cc2fa6

SHA256
a2cbd71634f639f37e6171f1e41b6442e7c41b157fc1220261ca5b2f325378a5

SHA512
118337e6fd5c0e42fe096486b7520867b71b5cb983ab36ef659d7c7343e64a0d1d5c2fd081f2023fcb1f5eb2bbfb3987421a36a04e5a4dbc10f2f5b3700604e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3e7e3167c669f1431ae317d7b361937

SHA1
1fd806a9e7e99a1dd1fa475b6ce9f531f6881ab8

SHA256
24c2d48641276df1ba4e1b98f2ac5356c6ba61b310717c5e143d92196d430a8e

SHA512
9b379b5ab3e6c570e86f98d390b56a04978218ca9e1bd85dd9cb6d79e694286f06fd590639c58044e594172d7377005f79c85987f50ae1a30d4dbf5e13cde2ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea4a49b3bbc037068d0564d1499dad9c

SHA1
5e1aba43413724d1ea2796f9e313564b061769dc

SHA256
d8c69ccc7f48a0e747a361dde298413243bc8d3fd35400438ae39469de664a5f

SHA512
0d54cc00fd695fef5ac1e05c05ee3a06a1ad4a7ed0da650a750c2c7617c107a544624288c62d2edddae8b1d0580050f63e19770ef7fcc135543726fd11069363

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31bf7f6d5bd3bfcc80db3785f3e0f159

SHA1
162784cfb596fb220d68122a309929ddc60fd166

SHA256
fc069038b64377bccaafd4002015f7214e31c3c5c34e65096366d077ad244d91

SHA512
1f52988c4f743a2ef7ec4d916186fd70b3c3d6cf16ca69f1f06262716e1e811591ed267aeef418dcd75d42af3b79f503ac27c386161f7ef4ef66575a433517a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c085b129566c869a2915f062eb31128

SHA1
5bc6a1f55199edf9eb5d309e937fa001cce26a88

SHA256
e4ba4f2e6179a73fee62eb5d4417c8a051ab555011cc0dbfc4d44b4ad1ecd135

SHA512
76247c4610a45b53ae687623c742c6ae2d042137450198d69e0de1b1c0c0d5ec41e1dce6865d1c33eb95654cc6ba01fa832c7fb9fd3fd342d8a7269309d4eeec

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Oj9OucH8K.bat

Filesize
207B

MD5
992479d0fd6e14e5cd33a98e8d41de1c

SHA1
04de7e7285a6019ec9cca18c2e6ab53e4d27e87b

SHA256
eb33c7cf5d4c8bd396bf6b7b8f22f882085d76aa58e53834cbed402f24f866f9

SHA512
5343e6ab5ee91e2347d934a5978ea41b055405491c44962dd280b50e3676e7f2caeac618e979d9baecd0e326cfde378d8bb97bab7ff638c5dfb10e86e7c5a5fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\3HNGHapxv4.bat

Filesize
207B

MD5
179502306f4d34878f598e019cdcb7ca

SHA1
cec0dbfed7719d7d6a4b441ac8c76a6a0ebfe775

SHA256
6cee2a9552d356aec40ac10a7a165dba795a15b0624bf1e07fb0041129a3d2cc

SHA512
98d86de36c095982026ad90dbd9e6644a22d8077c2402a7121cd18383f0fad45486a59aaebbe71ccd566899bd03d506fa8468931ec115820d47a4d2eff28e657

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab844F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUFyTxLHSg.bat

Filesize
207B

MD5
392b010ca23ce041d03114b7180f0b69

SHA1
8cda2d0ff66b67197de01887b78973ce65c3b7ec

SHA256
e8572bac820ab074aa32526799533a3f857a4183e66526c3c74e560f006feca0

SHA512
ffd83cbf38d5fc67bebc460b9be42b18bda9e63881fd0fec83f01cfd62d17ebe021152990f5ffdd97d6bfaa7300e7dd007cee5a43368b143732b812bb40ad60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat

Filesize
207B

MD5
18ed791bd04d81ccc69d7998c6d694bd

SHA1
4a8e53a35cab71091ed5022dca11e38204915373

SHA256
062a45712146859b7a5261d061d346250e32dc3087cb07cf836894b346b3cf9c

SHA512
c6a0fc724a7a1362b62cd56482ad06cfa8cb01ea08ad4b201a0f40805ede90c532043e2986ac55c08104bd8731c09405723af504ad9e252107e46644ed72339e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SU2rmp5bpW.bat

Filesize
207B

MD5
8bf8eeb9b8b917f03e4d41f8b44c1f51

SHA1
fa33d61af18a74a49905cfb845e744c8f7ec07f1

SHA256
1bb31ec7f42f6d4e27357132e2296758f6ffee2c1b53229133c235fdd90b2346

SHA512
116bf80cb169bfbec04e832ba05c8f5aa7ef8385783f15f58ea7f3da6b66d2a1235d2f68d2bd992bc6ab32f2d778ef6311eec9288e815437186d00a6bb14b866

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8461.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\djCrJd6RmA.bat

Filesize
207B

MD5
860e903c69f71f0dbf4da21c33b66213

SHA1
8c2d5861fa9c626df44f835e8597b63cd80a9017

SHA256
662ad68c23d9b4ee4b40d810ad091f86744efee28d5b9ad38bd2789b14ad9600

SHA512
2d4fd8d309751af1a1dd1b10c44990c9cd0c896314bff4eeb9b5eed7f2a4cbe5d7f26fc20784868e6f36a0a8dee87fb3b3142f6b304d3e0365aa00c6e7e548d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat

Filesize
207B

MD5
0e27784103d44dc01a18bea7d4654f91

SHA1
d3fe2aa02d2b99d2a3ac7e4d5654e253763d4e68

SHA256
ae19c6dcb9ed66a7a24ecaf3777a533aacd8e7ebc80a122ab896f0c1cbc27e8c

SHA512
1fa9ee8873b3a3ab5c9358364364cf5ea379c3bd6814f1d349876c4d50528fd8aa0fcf36969b9151e18474b6c9aff49fe13f3950636aaa2a314cef4a7a97d764

Download Submit
C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat

Filesize
207B

MD5
d0c2d0ffe21b35f6dcb5d396d36e634a

SHA1
c5d31d11d7d4ec170b0eab4e0e5e7a09050e144f

SHA256
d93b757f7b04b9493e092cf450dbd32a7ce85af61f065c59a047301223b62500

SHA512
fb02f322d87257792a90d8ca3fe97a4924c1bab21e31a215675c99010643357955f3486fefa46ab3c2f0309d6a6dbffbed057ad658ecd3026bd3d673954c40db

Download Submit
C:\Users\Admin\AppData\Local\Temp\wNwF62sylT.bat

Filesize
207B

MD5
ec49659f18c6f1cb4309bf658785245a

SHA1
de8001677b8ae8ccf8cd18220f84b5d11514027e

SHA256
7f7bdfc027a5cb31fd73a77771aa98b9ac33f0b28c3cab5459e0fba5ffdd45f3

SHA512
3dcb8a74be16050d3f9ea295805c1b08b9b1821c2bfbf873c25c45c450604cec98ee45fe74feeb86b1728bf5091040f4786f12f494e7a246bf79c27592989655

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAg1i3HYFu.bat

Filesize
207B

MD5
113194f535f88b1bb8ae70073cb9268d

SHA1
21e5ea3bfa32ccdc7c209d9d88c3761d90da8808

SHA256
7d58d6970ab3fc99834c24022a1d0960f57e487652760aaab682d189ad861935

SHA512
98a7a5b80cd8291f84d83e8c058750dc59b905f60981068b7c2f7a24bed84254f5c4d19ed29f23b3e5c3b9f06692462e1ef085439c22ecce23b432be82e97a4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\z3bbUpz34c.bat

Filesize
207B

MD5
ee57609b33ea7a01c1b1e143c7a403c7

SHA1
01093ef69c45b08e0e2cddb2e81d0a5e6ba38c3d

SHA256
9bea4ed6d0d3de4216471b62a8654a6bb3706c145f99295135d938ccfdf7be54

SHA512
043ef460474fb28ec63b61b834b65f5d485b0419edca42d9a444560769b842261070c51be3007f41f97e524d06abb49966eb3b921ba6c5712300c48c7cab3592

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NYS0YYBL62I37GR3TW0T.temp

Filesize
7KB

MD5
5782468c6bbf584ec739507d03a7cb84

SHA1
db3fd60aa036a62b2c4559d403ebb69d21801a0d

SHA256
7b968ebdaaef406bbe0397c81a15475ee406e045f72bc5cfe47bfb4eb59e1ace

SHA512
753d0e01ee923e8c9abd06e3239eda157eb4f87af8543b9b1b983fa1bf0bd1bb37b82911d64dbbdc149f5298e3df489cec5afdac45e6f1c35748f8426c5e9937

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/664-40-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/1040-284-0x0000000000230000-0x0000000000340000-memory.dmp

Filesize
1.1MB

Download
memory/1220-41-0x0000000002230000-0x0000000002238000-memory.dmp

Filesize
32KB

Download
memory/1884-523-0x0000000000BF0000-0x0000000000D00000-memory.dmp

Filesize
1.1MB

Download
memory/2112-224-0x0000000000C10000-0x0000000000D20000-memory.dmp

Filesize
1.1MB

Download
memory/2116-583-0x0000000001170000-0x0000000001280000-memory.dmp

Filesize
1.1MB

Download
memory/2364-463-0x0000000000270000-0x0000000000380000-memory.dmp

Filesize
1.1MB

Download
memory/2396-45-0x0000000000B00000-0x0000000000C10000-memory.dmp

Filesize
1.1MB

Download
memory/2700-344-0x0000000001060000-0x0000000001170000-memory.dmp

Filesize
1.1MB

Download
memory/2780-17-0x0000000000710000-0x000000000071C000-memory.dmp

Filesize
48KB

Download
memory/2780-13-0x0000000000090000-0x00000000001A0000-memory.dmp

Filesize
1.1MB

Download
memory/2780-14-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download
memory/2780-15-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/2780-16-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/2940-164-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/2940-163-0x0000000000330000-0x0000000000440000-memory.dmp

Filesize
1.1MB

Download