dcrat | a2f3182bf84720c8cc14e033380d6a6081418177f1e2b66d0303a539d96c04cc

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21/12/2024, 22:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a2f3182bf84720c8cc14e033380d6a6081418177f1e2b66d0303a539d96c04cc.exe
Size

1.3MB
MD5

471b02c430b756e0550bacdcd6621948
SHA1

1c7794f8e8d81885b8fc52350f0441cf1c7bbf94
SHA256

a2f3182bf84720c8cc14e033380d6a6081418177f1e2b66d0303a539d96c04cc
SHA512

a765d4dffe2b217202c838294c572b4236477d49cca03749ffe79e3d72822be04f9fbfc1a82e902b10129e55bc9d42bacd30a0a4aef64ba7452a094835ec302d
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2660	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2660	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2660	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2660	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2660	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2660	schtasks.exe	32

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001727e-12.dat	dcrat
behavioral1/memory/2948-13-0x0000000000CB0000-0x0000000000DC0000-memory.dmp	dcrat
behavioral1/memory/2028-45-0x0000000000D70000-0x0000000000E80000-memory.dmp	dcrat
behavioral1/memory/1836-223-0x0000000000F70000-0x0000000001080000-memory.dmp	dcrat
behavioral1/memory/2600-283-0x00000000002B0000-0x00000000003C0000-memory.dmp	dcrat
behavioral1/memory/2448-343-0x00000000002C0000-0x00000000003D0000-memory.dmp	dcrat
behavioral1/memory/444-403-0x0000000000B20000-0x0000000000C30000-memory.dmp	dcrat
behavioral1/memory/1788-463-0x0000000000090000-0x00000000001A0000-memory.dmp	dcrat
behavioral1/memory/1008-523-0x0000000000D80000-0x0000000000E90000-memory.dmp	dcrat
behavioral1/memory/2260-583-0x0000000000F90000-0x00000000010A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1772	powershell.exe
2560	powershell.exe
2552	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2948	DllCommonsvc.exe
2028	services.exe
1344	services.exe
668	services.exe
1836	services.exe
2600	services.exe
2448	services.exe
444	services.exe
1788	services.exe
1008	services.exe
2260	services.exe
788	services.exe

Loads dropped DLL 2 IoCs

pid	Process
1816	cmd.exe
1816	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
18	raw.githubusercontent.com
26	raw.githubusercontent.com
40	raw.githubusercontent.com
4	raw.githubusercontent.com
22	raw.githubusercontent.com
29	raw.githubusercontent.com
33	raw.githubusercontent.com
36	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\5940a34987c991	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a2f3182bf84720c8cc14e033380d6a6081418177f1e2b66d0303a539d96c04cc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2648	schtasks.exe
2736	schtasks.exe
2664	schtasks.exe
2532	schtasks.exe
2864	schtasks.exe
2748	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2948	DllCommonsvc.exe
2552	powershell.exe
2560	powershell.exe
1772	powershell.exe
2028	services.exe
1344	services.exe
668	services.exe
1836	services.exe
2600	services.exe
2448	services.exe
444	services.exe
1788	services.exe
1008	services.exe
2260	services.exe
788	services.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2948	DllCommonsvc.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	2028	services.exe
Token: SeDebugPrivilege	1344	services.exe
Token: SeDebugPrivilege	668	services.exe
Token: SeDebugPrivilege	1836	services.exe
Token: SeDebugPrivilege	2600	services.exe
Token: SeDebugPrivilege	2448	services.exe
Token: SeDebugPrivilege	444	services.exe
Token: SeDebugPrivilege	1788	services.exe
Token: SeDebugPrivilege	1008	services.exe
Token: SeDebugPrivilege	2260	services.exe
Token: SeDebugPrivilege	788	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 1280	848	JaffaCakes118_a2f3182bf84720c8cc14e033380d6a6081418177f1e2b66d0303a539d96c04cc.exe	28
PID 848 wrote to memory of 1280	848	JaffaCakes118_a2f3182bf84720c8cc14e033380d6a6081418177f1e2b66d0303a539d96c04cc.exe	28
PID 848 wrote to memory of 1280	848	JaffaCakes118_a2f3182bf84720c8cc14e033380d6a6081418177f1e2b66d0303a539d96c04cc.exe	28
PID 848 wrote to memory of 1280	848	JaffaCakes118_a2f3182bf84720c8cc14e033380d6a6081418177f1e2b66d0303a539d96c04cc.exe	28
PID 1280 wrote to memory of 1816	1280	WScript.exe	29
PID 1280 wrote to memory of 1816	1280	WScript.exe	29
PID 1280 wrote to memory of 1816	1280	WScript.exe	29
PID 1280 wrote to memory of 1816	1280	WScript.exe	29
PID 1816 wrote to memory of 2948	1816	cmd.exe	31
PID 1816 wrote to memory of 2948	1816	cmd.exe	31
PID 1816 wrote to memory of 2948	1816	cmd.exe	31
PID 1816 wrote to memory of 2948	1816	cmd.exe	31
PID 2948 wrote to memory of 2552	2948	DllCommonsvc.exe	39
PID 2948 wrote to memory of 2552	2948	DllCommonsvc.exe	39
PID 2948 wrote to memory of 2552	2948	DllCommonsvc.exe	39
PID 2948 wrote to memory of 1772	2948	DllCommonsvc.exe	40
PID 2948 wrote to memory of 1772	2948	DllCommonsvc.exe	40
PID 2948 wrote to memory of 1772	2948	DllCommonsvc.exe	40
PID 2948 wrote to memory of 2560	2948	DllCommonsvc.exe	41
PID 2948 wrote to memory of 2560	2948	DllCommonsvc.exe	41
PID 2948 wrote to memory of 2560	2948	DllCommonsvc.exe	41
PID 2948 wrote to memory of 2012	2948	DllCommonsvc.exe	45
PID 2948 wrote to memory of 2012	2948	DllCommonsvc.exe	45
PID 2948 wrote to memory of 2012	2948	DllCommonsvc.exe	45
PID 2012 wrote to memory of 2848	2012	cmd.exe	47
PID 2012 wrote to memory of 2848	2012	cmd.exe	47
PID 2012 wrote to memory of 2848	2012	cmd.exe	47
PID 2012 wrote to memory of 2028	2012	cmd.exe	48
PID 2012 wrote to memory of 2028	2012	cmd.exe	48
PID 2012 wrote to memory of 2028	2012	cmd.exe	48
PID 2028 wrote to memory of 1092	2028	services.exe	49
PID 2028 wrote to memory of 1092	2028	services.exe	49
PID 2028 wrote to memory of 1092	2028	services.exe	49
PID 1092 wrote to memory of 2900	1092	cmd.exe	51
PID 1092 wrote to memory of 2900	1092	cmd.exe	51
PID 1092 wrote to memory of 2900	1092	cmd.exe	51
PID 1092 wrote to memory of 1344	1092	cmd.exe	52
PID 1092 wrote to memory of 1344	1092	cmd.exe	52
PID 1092 wrote to memory of 1344	1092	cmd.exe	52
PID 1344 wrote to memory of 1744	1344	services.exe	53
PID 1344 wrote to memory of 1744	1344	services.exe	53
PID 1344 wrote to memory of 1744	1344	services.exe	53
PID 1744 wrote to memory of 2468	1744	cmd.exe	55
PID 1744 wrote to memory of 2468	1744	cmd.exe	55
PID 1744 wrote to memory of 2468	1744	cmd.exe	55
PID 1744 wrote to memory of 668	1744	cmd.exe	56
PID 1744 wrote to memory of 668	1744	cmd.exe	56
PID 1744 wrote to memory of 668	1744	cmd.exe	56
PID 668 wrote to memory of 2532	668	services.exe	57
PID 668 wrote to memory of 2532	668	services.exe	57
PID 668 wrote to memory of 2532	668	services.exe	57
PID 2532 wrote to memory of 2736	2532	cmd.exe	59
PID 2532 wrote to memory of 2736	2532	cmd.exe	59
PID 2532 wrote to memory of 2736	2532	cmd.exe	59
PID 2532 wrote to memory of 1836	2532	cmd.exe	60
PID 2532 wrote to memory of 1836	2532	cmd.exe	60
PID 2532 wrote to memory of 1836	2532	cmd.exe	60
PID 1836 wrote to memory of 332	1836	services.exe	61
PID 1836 wrote to memory of 332	1836	services.exe	61
PID 1836 wrote to memory of 332	1836	services.exe	61
PID 332 wrote to memory of 2276	332	cmd.exe	63
PID 332 wrote to memory of 2276	332	cmd.exe	63
PID 332 wrote to memory of 2276	332	cmd.exe	63
PID 332 wrote to memory of 2600	332	cmd.exe	64

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a2f3182bf84720c8cc14e033380d6a6081418177f1e2b66d0303a539d96c04cc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a2f3182bf84720c8cc14e033380d6a6081418177f1e2b66d0303a539d96c04cc.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:848
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1816
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cJ0G5QAkfh.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2012
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2848
      - C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2900
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bYn7JG6kRk.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2468
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2736
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nc51i3GWIc.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2276
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat"
        15⤵
        
        PID:3060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2152
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat"
        17⤵
        
        PID:2760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2824
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6hK16ZrMt.bat"
        19⤵
        
        PID:1016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1500
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat"
        21⤵
        
        PID:1656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2900
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat"
        23⤵
        
        PID:1684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2920
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qpvm5o68kg.bat"
        25⤵
        
        PID:2416
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1644
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NjKeWzk8OD.bat"
        27⤵
        
        PID:1324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a139d19e5a70bc1c2c1e09dca777f3f3

SHA1
d029ba418f2d89b737ea918733cabd793910ce97

SHA256
78c5642a5939d1f1e11d174ae93cf9667b0e0b3fd30ca639923e90e7d35492e6

SHA512
ff784afb27769271cc0c0e1772c19bc0dd43be77e49009f9fab408d1ac5b698905d1765c13fe82aca954435fc81a9d60b5d991ad7b8e2f7efea173e4dd3abad8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
377e22660f76f4ff35f42e20be752fac

SHA1
2c2b74e1e1f57f22baf9b1e50e46db79a84a87d8

SHA256
371ac84bdd87a577c4dcd25a65238ffbf7e21d4fc02fb4f6eb5387e3f725a5f1

SHA512
c8808dd05a93837bc0423df3b4cd2e42b4cd4644676eabcb33b0c6d067106251013dcfb620d3979a9e474e3f5cc2f98bcaa1fe1cf9ab37cd87c0ee4315a6f191

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9c1261ad8e2382ae27be4ecf3134729

SHA1
30e6afdc272498bf355c31437ecba980ff990639

SHA256
1fb49dfa1fe6f780f7be71169986a8cb2e8aa1538b97194c9a9d9c92c258af9f

SHA512
64b092b095f71c6bc25d20c46d32c189e4399d263f20469fbc5d72b7f03eb6475f012dd7745fd7aa6427372184f6e46f04a4e5ad6da2011de76f4de33f577564

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d74529fd88dd795bb79b11cc38a0da8d

SHA1
9b02e618ce389436052b46c4916a0f743b368e85

SHA256
f383c36e721750e43ed00afb8314f95b3202e111f738cce728183e1c4f3749d5

SHA512
2ea810ee7a2d8210d6aa6585bec425eb2b499538037a87ffbeba06e284ae3fa70586dcabd471b29d33bac960a5b9744052d932cc9464a95e12d15dfa34863624

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0cd4b4b0bdf7ea77161d6c44459a09e

SHA1
f206f790ca369494850fc322bd7d4237e92d2e15

SHA256
083ebd7462892515782dc7a6860526c3acb1c70019dc4a79cdedec440d296a8f

SHA512
43669258cab68223a138b585684ef63c61887628a8d6bd1b617fce147a9c923c0d22e2f6a1f10590a3df9e86b297c9de980bce44baae76a2fb4a6f7f14e7da0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ffa634edfaf9ac4816cf4d00fc24af5b

SHA1
e6f49e9b346be2042c7bde5becdaa1e58532f057

SHA256
c42d2ed81d88458a5dc35e565403abe4aff0cdbc70513678b7cffa5ff4ef33e5

SHA512
a7e9e1ef030ff3f81a7668b021985d5acf0b9a1398f28dd6dd594f1b13e091624901cc4ff94c769ee97320b1a1202c13f2120b83766b9f43d22f379fc00d66b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5b5e2d796abf78a93edff968e1f7690

SHA1
d9eddfaf4bc85a6d66986be19420123cf9d5e3a6

SHA256
ac504d0d4bc4edb8c44cf4e3175c7170eb2f04cf6377e1e7882f152f83ac3323

SHA512
9d493989f643196b2bd23d19867baaf9bc8409bbdc6f32c17e44e9fbb8126bb132594cd00ac93acba23158d7fc9c4c2dea7a7e32d8e73f635eccfe2ce4ef528f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9e5052d3b82a10447e22bc0b9630983

SHA1
17f18fc51fbaf9325fa409c5ff4e9dd0fc5c41ee

SHA256
b08fb4bcebda648cb28e7e32cbbabc7fd255e72cbf9fc9f363d07cc6c74f55d7

SHA512
ad4b58fbccc5ce28c3a97c51b31d14842ed9e17f8ffffe75c2fb6243c1b41596c283b68e58d31250651caa478c3f6f8311360eaab61780d22215fe3437f0355f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0561ea0e91bda0765723223cc0bce9b

SHA1
75621973e7ad170bc20894c68cb89aeb0fa1caf4

SHA256
13a0b54e2a46e84b670f4ec74b105e76d771c6b48da379c19b73a5cec6601bef

SHA512
20049505e549cd3e956fd034ed0c8aee8af78edaa5972821ced7e3d052f49e6d0a95bc0d3c9d31819364d79849e9ee54137058c8e47edf4d77a16f28441f8fa7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
63bfcce398c81aea294632853abc4402

SHA1
2e2b91e643d9ac11bc12dea93e45c58414df7a84

SHA256
7b841fe7a977eccf7f0a6d43c7133437ee42df08cf2680b92d9c183e63923b8d

SHA512
a3213e6cc0750bc282a06ed73d7b5cdad2a4faf29b0e3e59b5b4c569ccf5f68e3eb8e4a90a8532e241a11669f24cc97c69b43d2dd0b6b01ed1f92b6ddea85374

Download Submit
C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat

Filesize
240B

MD5
37c64fab7a807cfdef42bfb2fdd40a80

SHA1
c770e08f8e3079dce3d210901a5a8fceacedb515

SHA256
2ca52a68fdedbb8c893902b079bdb83adab00f164b83746f573920705ba1ab98

SHA512
b05845870ad1dec550412b1c41f8ab96c3055eb8ed10ebffe0bdc749a96f2dd47ae471c600aa66984350ba284c01857e1b656be69e78e676f2cc97baeed14cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab20DB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat

Filesize
240B

MD5
eef5327ee5395a34ddcae1eb6e2dcead

SHA1
8e7b013a4361c6a8032a1119531608ce63c38141

SHA256
957e311bf82d50bbef1e10923078f6da30318ee64ad80fd2da98c1c16230a5eb

SHA512
617beefdfe0451573ff3bcd1dcdc7026140b4dd02e0b76903291d166b9f0cf6378291530094acfbd03aed0d4dd3c505e019b2d7c4c433e1eac228488e0ae4560

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nc51i3GWIc.bat

Filesize
240B

MD5
6a8bd87a8efa413b410ef4b7d2996980

SHA1
1f0a23d4b074149cbc777b27ee42decbf1136da3

SHA256
7343ff049a945c0721b3c95a92e720d43fd546c6510573188436fca0a1f3204b

SHA512
9c3c66fb6b782b18eb5ab04d03d52a888c2965cd36792aca4f252b2e12acde4a71b24d90c8ecd56624ed7ceed56169aedc23e2f9478787d176ae15e2c840a6ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\NjKeWzk8OD.bat

Filesize
240B

MD5
e8b884870efdd13c28c29fcccbad46f7

SHA1
83312ad899d3d73df0a7ce50142fab2d355bb015

SHA256
0fec076b61abd3d599276a24c3b6fd7a8a95b30be207ac159b35ff66d048e9d8

SHA512
4a6e6e66aed1ccd93c1fa389960636c252df2a92fcc488e4b7beb4c184615ab183d6385c10b949dbb2632d6a0934044d530806fac8b63d71e21ec4deeeec5f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat

Filesize
240B

MD5
ea351944b005016b1cb5908b5da22b5a

SHA1
3faf141855f99064184dcfb86979df047ebf85ac

SHA256
5523657e5c1289735daad17df0dab0c034db5764a3855cd523c673459c870d9d

SHA512
16eefb731090a8ec2a93c1075dc0517ea8f75ce696131d1a939a675105f2bb1a0e65528342477927e01fd65e60d7c60842d3182808ae5f3aca4a80e5d8bf95da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar20FD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat

Filesize
240B

MD5
e22d2654b672ded64d82cb9f2c4bcb6b

SHA1
4115168b7c45ecce6de71a8922e44a0d582929b9

SHA256
981db69a6c823e25bb2c1d7d68e2a694686dc59a62da8c8e95577399ec9fec99

SHA512
01f7520d8c0f2ef93c04918a4e133ab11ea910c5611ed35a9556449c20e91cc48dd6b48139228c9f4e3a55615810d0e0397a86709a490c5c5946d8976fcde527

Download Submit
C:\Users\Admin\AppData\Local\Temp\bYn7JG6kRk.bat

Filesize
240B

MD5
f3b2a960ac3857f81cb605c366387566

SHA1
809f23067ebf64c5e252fcc56b2880ffd1e1e06a

SHA256
7f89c02fa026c7077b30764f4276073a32645fb728c00ccef149e941ebaee804

SHA512
be1f86dd36e66a2a9b9ec8d557f4ce2afe8609c335c52970f45810a00ffff3bf7416df28a8505d4e8bdaf4251b1f7edcf050705e066e095d4e4a4a10808ececa

Download Submit
C:\Users\Admin\AppData\Local\Temp\cJ0G5QAkfh.bat

Filesize
240B

MD5
d6c0cf704abc4ff13f8dabc08b0450f3

SHA1
d4c43644fb721f9b26df0aa6dc748e5c7be81d69

SHA256
c4fca9b8ef0330ba8268b87bcf272d297c80b32e2ee38b2d4b286976c85f3ed4

SHA512
e99fa99b0dd531130037851e5a07cc99c60cd7e070cb29cd3dc14ce4156b3debbfcc0f2eb183d664fd26d8c062fedfcb1b8273344102e0861b81eef3d208da77

Download Submit
C:\Users\Admin\AppData\Local\Temp\h6hK16ZrMt.bat

Filesize
240B

MD5
e5871446cac717e3dd6df593c238e361

SHA1
47b5b92571b7b0388fb125940e3fc65673eb32d7

SHA256
f6089599da841e6c4af26e777192a2df58a74955722e2c410c211c8d3f7d2811

SHA512
44634e134db524a5a8f8e001187eb79415fb4148e085e87f4db8d943c4e98aa6d1470ee23ba492d4feacc491e1809a9f180a9797ee840f2277060764d8e65128

Download Submit
C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat

Filesize
240B

MD5
907d910c2a4dfb1291d50625f80af2b0

SHA1
ea3364ae3f7f6548acc48e4a9d75fb4ec3f6a650

SHA256
c32b88762800121f18b8245ce4bee015287b4f2c9118020f46a12bb1f62a7224

SHA512
19d1ec22b2e2b2b0122dac6ea9eb2fbc70ef293f560cdde03e5c62498a623d0e8614828653fdf59bba836ff1a1f05bff4b1e3d65611c131cfd5fc1f9fa19d788

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpvm5o68kg.bat

Filesize
240B

MD5
16193cfdd03b918b0ebd3d8236e0ab63

SHA1
3c577b03005dbefef18c0e55e3a3088204295daa

SHA256
5af81c6e0b00171e77b34c78be76818edd3a0373fdbed38d26769de5ddaa6682

SHA512
1042728b3075ac607b6b94b9dea843b514a581bdf7f7b8e8f4888f1f216f5228670059b8502a86ba449bfbcb541687d4ee6b41f690b04137224198fbb4a0ce6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat

Filesize
240B

MD5
008922dcde751f3c544ce93e6f3d27c8

SHA1
449e791144d8d14d49a0846c621e496d47c2dd82

SHA256
e987d2c53656325dd1983fed8f154d0265636e9ce4e1ad2f09f496f5774593f2

SHA512
fec206bca82394a96ddf63c5af3f36d5f241eabf6f52d4fe28b4e2dcc5f85e6b8b9875b17d0e594595dbad6e2e7dec7b7288d8585ceb891631b9a99dabfbffac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ec8bc047b425a9e57019cd4681dd1f8b

SHA1
306620447534001f08803bd4cf039c3a68ab2e7c

SHA256
c385ec4a8f67e61d44839433d0b01be338593c73e7554f768f6d0a6488c803ef

SHA512
6992e182b2f8cfe4631eec3e33c38ad40c8d81a6623ed195f94d534797661f0525c24b64c6c1c2aaa5d09dce90825582a1e27c1cfa338025ab85c0865bbe6d7f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/444-403-0x0000000000B20000-0x0000000000C30000-memory.dmp

Filesize
1.1MB

Download
memory/1008-523-0x0000000000D80000-0x0000000000E90000-memory.dmp

Filesize
1.1MB

Download
memory/1788-463-0x0000000000090000-0x00000000001A0000-memory.dmp

Filesize
1.1MB

Download
memory/1836-223-0x0000000000F70000-0x0000000001080000-memory.dmp

Filesize
1.1MB

Download
memory/2028-46-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2028-45-0x0000000000D70000-0x0000000000E80000-memory.dmp

Filesize
1.1MB

Download
memory/2260-584-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2260-583-0x0000000000F90000-0x00000000010A0000-memory.dmp

Filesize
1.1MB

Download
memory/2448-343-0x00000000002C0000-0x00000000003D0000-memory.dmp

Filesize
1.1MB

Download
memory/2552-42-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2552-37-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2600-283-0x00000000002B0000-0x00000000003C0000-memory.dmp

Filesize
1.1MB

Download
memory/2948-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2948-16-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2948-15-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2948-14-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2948-13-0x0000000000CB0000-0x0000000000DC0000-memory.dmp

Filesize
1.1MB

Download