dcrat | 3376f3cbd3a3ef9d63a14180450a545b15c8902b754e95ad286c03b6ccc8e90c

Analysis

max time kernel
37s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2023 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3376f3cbd3a3ef9d63a14180450a545b15c8902b754e95ad286c03b6ccc8e90c.exe
Size

1.3MB
MD5

688116f1624756162afdf674c5772cba
SHA1

d4377e18b0a53ebbde981d8fa60d79086a2d9367
SHA256

3376f3cbd3a3ef9d63a14180450a545b15c8902b754e95ad286c03b6ccc8e90c
SHA512

2348b49235eef1fe57788a31ce2474134d814033df0d6b7c5c1b5d4ad61350c10ea2d28023bbadf2a6186aa25c67f51d084b95d606836755c2330905daaa1897
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4276	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3364	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	1044	schtasks.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/4548-139-0x0000000000BC0000-0x0000000000CD0000-memory.dmp	dcrat
C:\providercommon\conhost.exe	dcrat
C:\providercommon\conhost.exe	dcrat
C:\providercommon\conhost.exe	dcrat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3376f3cbd3a3ef9d63a14180450a545b15c8902b754e95ad286c03b6ccc8e90c.exeWScript.exeDllCommonsvc.execonhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	3376f3cbd3a3ef9d63a14180450a545b15c8902b754e95ad286c03b6ccc8e90c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	conhost.exe

Executes dropped EXE 2 IoCs

Processes:

DllCommonsvc.execonhost.exe

pid process

4548 DllCommonsvc.exe
3320 conhost.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 6 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\ModifiableWindowsApps\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\SearchApp.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\38384e6a620884	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\5b884080fd4f94	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4760	schtasks.exe
1408	schtasks.exe
4136	schtasks.exe
640	schtasks.exe
1316	schtasks.exe
1528	schtasks.exe
3468	schtasks.exe
884	schtasks.exe
4880	schtasks.exe
2044	schtasks.exe
3312	schtasks.exe
4752	schtasks.exe
4108	schtasks.exe
396	schtasks.exe
1652	schtasks.exe
4840	schtasks.exe
4296	schtasks.exe
5052	schtasks.exe
1664	schtasks.exe
4276	schtasks.exe
3364	schtasks.exe
1580	schtasks.exe
1296	schtasks.exe
3316	schtasks.exe
1340	schtasks.exe
1864	schtasks.exe
3432	schtasks.exe

Modifies registry class 3 IoCs

Processes:

3376f3cbd3a3ef9d63a14180450a545b15c8902b754e95ad286c03b6ccc8e90c.exeDllCommonsvc.execonhost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	3376f3cbd3a3ef9d63a14180450a545b15c8902b754e95ad286c03b6ccc8e90c.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	conhost.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execonhost.exe

pid	process
4548	DllCommonsvc.exe
4548	DllCommonsvc.exe
4548	DllCommonsvc.exe
4548	DllCommonsvc.exe
4548	DllCommonsvc.exe
4548	DllCommonsvc.exe
4548	DllCommonsvc.exe
4456	powershell.exe
4456	powershell.exe
416	powershell.exe
416	powershell.exe
4456	powershell.exe
2076	powershell.exe
2076	powershell.exe
4384	powershell.exe
4384	powershell.exe
4664	powershell.exe
4664	powershell.exe
4352	powershell.exe
4352	powershell.exe
3524	powershell.exe
3524	powershell.exe
1284	powershell.exe
1284	powershell.exe
4128	powershell.exe
4128	powershell.exe
4908	powershell.exe
4908	powershell.exe
3524	powershell.exe
2076	powershell.exe
416	powershell.exe
4384	powershell.exe
1284	powershell.exe
4352	powershell.exe
4664	powershell.exe
4128	powershell.exe
4908	powershell.exe
3320	conhost.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	4548	DllCommonsvc.exe
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeDebugPrivilege	416	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	4384	powershell.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeDebugPrivilege	3524	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	4908	powershell.exe
Token: SeDebugPrivilege	3320	conhost.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

3376f3cbd3a3ef9d63a14180450a545b15c8902b754e95ad286c03b6ccc8e90c.exeWScript.execmd.exeDllCommonsvc.execmd.execonhost.execmd.exe

description	pid	process	target process
PID 3640 wrote to memory of 4812	3640	3376f3cbd3a3ef9d63a14180450a545b15c8902b754e95ad286c03b6ccc8e90c.exe	WScript.exe
PID 3640 wrote to memory of 4812	3640	3376f3cbd3a3ef9d63a14180450a545b15c8902b754e95ad286c03b6ccc8e90c.exe	WScript.exe
PID 3640 wrote to memory of 4812	3640	3376f3cbd3a3ef9d63a14180450a545b15c8902b754e95ad286c03b6ccc8e90c.exe	WScript.exe
PID 4812 wrote to memory of 3488	4812	WScript.exe	cmd.exe
PID 4812 wrote to memory of 3488	4812	WScript.exe	cmd.exe
PID 4812 wrote to memory of 3488	4812	WScript.exe	cmd.exe
PID 3488 wrote to memory of 4548	3488	cmd.exe	DllCommonsvc.exe
PID 3488 wrote to memory of 4548	3488	cmd.exe	DllCommonsvc.exe
PID 4548 wrote to memory of 416	4548	DllCommonsvc.exe	powershell.exe
PID 4548 wrote to memory of 416	4548	DllCommonsvc.exe	powershell.exe
PID 4548 wrote to memory of 4456	4548	DllCommonsvc.exe	powershell.exe
PID 4548 wrote to memory of 4456	4548	DllCommonsvc.exe	powershell.exe
PID 4548 wrote to memory of 4384	4548	DllCommonsvc.exe	powershell.exe
PID 4548 wrote to memory of 4384	4548	DllCommonsvc.exe	powershell.exe
PID 4548 wrote to memory of 2076	4548	DllCommonsvc.exe	powershell.exe
PID 4548 wrote to memory of 2076	4548	DllCommonsvc.exe	powershell.exe
PID 4548 wrote to memory of 4664	4548	DllCommonsvc.exe	powershell.exe
PID 4548 wrote to memory of 4664	4548	DllCommonsvc.exe	powershell.exe
PID 4548 wrote to memory of 3524	4548	DllCommonsvc.exe	powershell.exe
PID 4548 wrote to memory of 3524	4548	DllCommonsvc.exe	powershell.exe
PID 4548 wrote to memory of 1284	4548	DllCommonsvc.exe	powershell.exe
PID 4548 wrote to memory of 1284	4548	DllCommonsvc.exe	powershell.exe
PID 4548 wrote to memory of 4352	4548	DllCommonsvc.exe	powershell.exe
PID 4548 wrote to memory of 4352	4548	DllCommonsvc.exe	powershell.exe
PID 4548 wrote to memory of 4128	4548	DllCommonsvc.exe	powershell.exe
PID 4548 wrote to memory of 4128	4548	DllCommonsvc.exe	powershell.exe
PID 4548 wrote to memory of 4908	4548	DllCommonsvc.exe	powershell.exe
PID 4548 wrote to memory of 4908	4548	DllCommonsvc.exe	powershell.exe
PID 4548 wrote to memory of 4804	4548	DllCommonsvc.exe	cmd.exe
PID 4548 wrote to memory of 4804	4548	DllCommonsvc.exe	cmd.exe
PID 4804 wrote to memory of 632	4804	cmd.exe	w32tm.exe
PID 4804 wrote to memory of 632	4804	cmd.exe	w32tm.exe
PID 4804 wrote to memory of 3320	4804	cmd.exe	conhost.exe
PID 4804 wrote to memory of 3320	4804	cmd.exe	conhost.exe
PID 3320 wrote to memory of 3620	3320	conhost.exe	cmd.exe
PID 3320 wrote to memory of 3620	3320	conhost.exe	cmd.exe
PID 3620 wrote to memory of 5012	3620	cmd.exe	w32tm.exe
PID 3620 wrote to memory of 5012	3620	cmd.exe	w32tm.exe

C:\Users\Admin\AppData\Local\Temp\3376f3cbd3a3ef9d63a14180450a545b15c8902b754e95ad286c03b6ccc8e90c.exe
"C:\Users\Admin\AppData\Local\Temp\3376f3cbd3a3ef9d63a14180450a545b15c8902b754e95ad286c03b6ccc8e90c.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3640
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:416
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\SearchApp.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4908
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b2ZDOwWxT5.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4804
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:632
      - C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UJpHfzfs2i.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:5012
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        8⤵
        
        PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Videos\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Videos\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Videos\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cc9f25c74f717f2bb8065898e98b20c3

SHA1
2c3e17c83588f8680213e42b1ac32b8b19b15c43

SHA256
1098ef5f0796c654cffad1f0fed498ee4e3a36ee8d639657f452009e945f234a

SHA512
36c17d0718b9151c15ca4dff8e36715e59cc42fe5c03653433fa253ee8d8f303148e61118a99f06ec0f1b8fa99d91f99ee57ae652b00b1f73d169b63de101818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cc9f25c74f717f2bb8065898e98b20c3

SHA1
2c3e17c83588f8680213e42b1ac32b8b19b15c43

SHA256
1098ef5f0796c654cffad1f0fed498ee4e3a36ee8d639657f452009e945f234a

SHA512
36c17d0718b9151c15ca4dff8e36715e59cc42fe5c03653433fa253ee8d8f303148e61118a99f06ec0f1b8fa99d91f99ee57ae652b00b1f73d169b63de101818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1dcb7bfaeb4366d864b639a15ade5cb4

SHA1
6110b20d300aa2014243e9caae14c169bbf974c4

SHA256
8549131617806b1ecf4e1069715b914c2b52e0a6e66ac9f986c0684e60b8fe51

SHA512
fd581b42967ded11bcce59215edbc7250e75ca32c710c4ccb28f5e36f0bbbfc4068b289b61189adf0ed7fe8310076a213f0d80921c79ecf76f446f72db735d01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
85733214ef9e21ad3ab0fecc61a9b6a0

SHA1
8dcdf4e060446ffb74818c9f4d5e14d0500a8d2e

SHA256
bafdc56f8d9d17e2c3692876ff5b685f997da74987c22b4444c0768331ba0f7c

SHA512
2a353671bb60c52ee079cb8d2c5831f9ecd11fd20574b71138fa930910189b61b4210ea3562bd18a0ff5a025a63ca801a47d24861cc3bd46efdf4762736917b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
85733214ef9e21ad3ab0fecc61a9b6a0

SHA1
8dcdf4e060446ffb74818c9f4d5e14d0500a8d2e

SHA256
bafdc56f8d9d17e2c3692876ff5b685f997da74987c22b4444c0768331ba0f7c

SHA512
2a353671bb60c52ee079cb8d2c5831f9ecd11fd20574b71138fa930910189b61b4210ea3562bd18a0ff5a025a63ca801a47d24861cc3bd46efdf4762736917b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
85733214ef9e21ad3ab0fecc61a9b6a0

SHA1
8dcdf4e060446ffb74818c9f4d5e14d0500a8d2e

SHA256
bafdc56f8d9d17e2c3692876ff5b685f997da74987c22b4444c0768331ba0f7c

SHA512
2a353671bb60c52ee079cb8d2c5831f9ecd11fd20574b71138fa930910189b61b4210ea3562bd18a0ff5a025a63ca801a47d24861cc3bd46efdf4762736917b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
85733214ef9e21ad3ab0fecc61a9b6a0

SHA1
8dcdf4e060446ffb74818c9f4d5e14d0500a8d2e

SHA256
bafdc56f8d9d17e2c3692876ff5b685f997da74987c22b4444c0768331ba0f7c

SHA512
2a353671bb60c52ee079cb8d2c5831f9ecd11fd20574b71138fa930910189b61b4210ea3562bd18a0ff5a025a63ca801a47d24861cc3bd46efdf4762736917b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
85733214ef9e21ad3ab0fecc61a9b6a0

SHA1
8dcdf4e060446ffb74818c9f4d5e14d0500a8d2e

SHA256
bafdc56f8d9d17e2c3692876ff5b685f997da74987c22b4444c0768331ba0f7c

SHA512
2a353671bb60c52ee079cb8d2c5831f9ecd11fd20574b71138fa930910189b61b4210ea3562bd18a0ff5a025a63ca801a47d24861cc3bd46efdf4762736917b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UJpHfzfs2i.bat

Filesize
194B

MD5
530ba60cb8f8268c34c6bf69b6d45319

SHA1
91375e762214f533ac8491b05c72f09f05feef5e

SHA256
e37bed2fd3c5590eaa42be7c150f01019a13d9a904ff27b6be082c6ae7469117

SHA512
4ba14aa52c68ca8dda2051a2349519ef0fcde95411476435b1aef0796e0b15c041d606c98ab59b692fa5dc45134b429e11f4cc1de3ca12d0e32c3d6a5ae42daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2ZDOwWxT5.bat

Filesize
194B

MD5
06bf2741ba03c21d217568185ab5f44c

SHA1
ed8a79302a32a26849f21428ad9fb94fe5b5a357

SHA256
765880c546a73403fe43bec551e9ca542d466437e85ca574f30ed33ec35b0c04

SHA512
8eb67201cff2c00fbce292af66dbdd0578f2744c6ceede68e2c447e383d69d25ecd32a93175e6fb886c54e28c82e74c4947336f02371eff2708a5ca81ed417de

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/416-152-0x00007FFD833D0000-0x00007FFD83E91000-memory.dmp

Filesize
10.8MB

Download
memory/416-141-0x0000000000000000-mapping.dmp

Download
memory/416-173-0x00007FFD833D0000-0x00007FFD83E91000-memory.dmp

Filesize
10.8MB

Download
memory/632-166-0x0000000000000000-mapping.dmp

Download
memory/1108-194-0x0000000000000000-mapping.dmp

Download
memory/1108-197-0x00007FFD833D0000-0x00007FFD83E91000-memory.dmp

Filesize
10.8MB

Download
memory/1284-147-0x0000000000000000-mapping.dmp

Download
memory/1284-159-0x00007FFD833D0000-0x00007FFD83E91000-memory.dmp

Filesize
10.8MB

Download
memory/1284-182-0x00007FFD833D0000-0x00007FFD83E91000-memory.dmp

Filesize
10.8MB

Download
memory/2076-144-0x0000000000000000-mapping.dmp

Download
memory/2076-172-0x00007FFD833D0000-0x00007FFD83E91000-memory.dmp

Filesize
10.8MB

Download
memory/2076-155-0x00007FFD833D0000-0x00007FFD83E91000-memory.dmp

Filesize
10.8MB

Download
memory/3320-191-0x00007FFD833D0000-0x00007FFD83E91000-memory.dmp

Filesize
10.8MB

Download
memory/3320-189-0x00007FFD833D0000-0x00007FFD83E91000-memory.dmp

Filesize
10.8MB

Download
memory/3320-186-0x0000000000000000-mapping.dmp

Download
memory/3488-135-0x0000000000000000-mapping.dmp

Download
memory/3524-158-0x00007FFD833D0000-0x00007FFD83E91000-memory.dmp

Filesize
10.8MB

Download
memory/3524-146-0x0000000000000000-mapping.dmp

Download
memory/3524-169-0x00007FFD833D0000-0x00007FFD83E91000-memory.dmp

Filesize
10.8MB

Download
memory/3620-190-0x0000000000000000-mapping.dmp

Download
memory/4128-149-0x0000000000000000-mapping.dmp

Download
memory/4128-161-0x00007FFD833D0000-0x00007FFD83E91000-memory.dmp

Filesize
10.8MB

Download
memory/4128-184-0x00007FFD833D0000-0x00007FFD83E91000-memory.dmp

Filesize
10.8MB

Download
memory/4352-181-0x00007FFD833D0000-0x00007FFD83E91000-memory.dmp

Filesize
10.8MB

Download
memory/4352-148-0x0000000000000000-mapping.dmp

Download
memory/4352-167-0x00007FFD833D0000-0x00007FFD83E91000-memory.dmp

Filesize
10.8MB

Download
memory/4384-175-0x00007FFD833D0000-0x00007FFD83E91000-memory.dmp

Filesize
10.8MB

Download
memory/4384-143-0x0000000000000000-mapping.dmp

Download
memory/4384-157-0x00007FFD833D0000-0x00007FFD83E91000-memory.dmp

Filesize
10.8MB

Download
memory/4456-153-0x00007FFD833D0000-0x00007FFD83E91000-memory.dmp

Filesize
10.8MB

Download
memory/4456-142-0x0000000000000000-mapping.dmp

Download
memory/4456-160-0x00007FFD833D0000-0x00007FFD83E91000-memory.dmp

Filesize
10.8MB

Download
memory/4456-151-0x000001EA8E020000-0x000001EA8E042000-memory.dmp

Filesize
136KB

Download
memory/4548-136-0x0000000000000000-mapping.dmp

Download
memory/4548-156-0x00007FFD833D0000-0x00007FFD83E91000-memory.dmp

Filesize
10.8MB

Download
memory/4548-139-0x0000000000BC0000-0x0000000000CD0000-memory.dmp

Filesize
1.1MB

Download
memory/4548-140-0x00007FFD833D0000-0x00007FFD83E91000-memory.dmp

Filesize
10.8MB

Download
memory/4664-185-0x00007FFD833D0000-0x00007FFD83E91000-memory.dmp

Filesize
10.8MB

Download
memory/4664-165-0x00007FFD833D0000-0x00007FFD83E91000-memory.dmp

Filesize
10.8MB

Download
memory/4664-145-0x0000000000000000-mapping.dmp

Download
memory/4804-154-0x0000000000000000-mapping.dmp

Download
memory/4812-132-0x0000000000000000-mapping.dmp

Download
memory/4908-150-0x0000000000000000-mapping.dmp

Download
memory/4908-183-0x00007FFD833D0000-0x00007FFD83E91000-memory.dmp

Filesize
10.8MB

Download
memory/4908-163-0x00007FFD833D0000-0x00007FFD83E91000-memory.dmp

Filesize
10.8MB

Download
memory/5012-193-0x0000000000000000-mapping.dmp

Download