dcrat | 4cbfb546ac8cfb8306a45cdbad351086702e848a39287c1a307b7b61a9b87449

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4cbfb546ac8cfb8306a45cdbad351086702e848a39287c1a307b7b61a9b87449.exe
Size

1.3MB
MD5

a1cf5062e5faf2371cfcb53d29e09464
SHA1

2a50ffad16c528707a7ebf453f9c0d91258ac132
SHA256

4cbfb546ac8cfb8306a45cdbad351086702e848a39287c1a307b7b61a9b87449
SHA512

8a14c9bcdb08770c742c52987d80d34d23da772255086c3a73515084355d72e361f39262bd6171900eabf9c71aee1985886ce04af8ac930dcf607db58c2d87e8
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2804	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2804	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2804	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2804	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2804	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2804	schtasks.exe	35

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001949d-9.dat	dcrat
behavioral1/memory/2752-13-0x00000000001F0000-0x0000000000300000-memory.dmp	dcrat
behavioral1/memory/2676-45-0x00000000008B0000-0x00000000009C0000-memory.dmp	dcrat
behavioral1/memory/1368-105-0x0000000000E50000-0x0000000000F60000-memory.dmp	dcrat
behavioral1/memory/2776-165-0x0000000001050000-0x0000000001160000-memory.dmp	dcrat
behavioral1/memory/1336-464-0x0000000001320000-0x0000000001430000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2692	powershell.exe
2088	powershell.exe
660	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2752	DllCommonsvc.exe
2676	WMIADAP.exe
1368	WMIADAP.exe
2776	WMIADAP.exe
1336	WMIADAP.exe
872	WMIADAP.exe
1808	WMIADAP.exe
2476	WMIADAP.exe
1336	WMIADAP.exe
2100	WMIADAP.exe
2740	WMIADAP.exe
2620	WMIADAP.exe

Loads dropped DLL 2 IoCs

pid	Process
1796	cmd.exe
1796	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
20	raw.githubusercontent.com
27	raw.githubusercontent.com
33	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
36	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4cbfb546ac8cfb8306a45cdbad351086702e848a39287c1a307b7b61a9b87449.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2992	schtasks.exe
2936	schtasks.exe
2684	schtasks.exe
2640	schtasks.exe
2688	schtasks.exe
1700	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2752	DllCommonsvc.exe
660	powershell.exe
2692	powershell.exe
2088	powershell.exe
2676	WMIADAP.exe
1368	WMIADAP.exe
2776	WMIADAP.exe
1336	WMIADAP.exe
872	WMIADAP.exe
1808	WMIADAP.exe
2476	WMIADAP.exe
1336	WMIADAP.exe
2100	WMIADAP.exe
2740	WMIADAP.exe
2620	WMIADAP.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	DllCommonsvc.exe
Token: SeDebugPrivilege	660	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	2676	WMIADAP.exe
Token: SeDebugPrivilege	1368	WMIADAP.exe
Token: SeDebugPrivilege	2776	WMIADAP.exe
Token: SeDebugPrivilege	1336	WMIADAP.exe
Token: SeDebugPrivilege	872	WMIADAP.exe
Token: SeDebugPrivilege	1808	WMIADAP.exe
Token: SeDebugPrivilege	2476	WMIADAP.exe
Token: SeDebugPrivilege	1336	WMIADAP.exe
Token: SeDebugPrivilege	2100	WMIADAP.exe
Token: SeDebugPrivilege	2740	WMIADAP.exe
Token: SeDebugPrivilege	2620	WMIADAP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2300	2292	JaffaCakes118_4cbfb546ac8cfb8306a45cdbad351086702e848a39287c1a307b7b61a9b87449.exe	31
PID 2292 wrote to memory of 2300	2292	JaffaCakes118_4cbfb546ac8cfb8306a45cdbad351086702e848a39287c1a307b7b61a9b87449.exe	31
PID 2292 wrote to memory of 2300	2292	JaffaCakes118_4cbfb546ac8cfb8306a45cdbad351086702e848a39287c1a307b7b61a9b87449.exe	31
PID 2292 wrote to memory of 2300	2292	JaffaCakes118_4cbfb546ac8cfb8306a45cdbad351086702e848a39287c1a307b7b61a9b87449.exe	31
PID 2300 wrote to memory of 1796	2300	WScript.exe	32
PID 2300 wrote to memory of 1796	2300	WScript.exe	32
PID 2300 wrote to memory of 1796	2300	WScript.exe	32
PID 2300 wrote to memory of 1796	2300	WScript.exe	32
PID 1796 wrote to memory of 2752	1796	cmd.exe	34
PID 1796 wrote to memory of 2752	1796	cmd.exe	34
PID 1796 wrote to memory of 2752	1796	cmd.exe	34
PID 1796 wrote to memory of 2752	1796	cmd.exe	34
PID 2752 wrote to memory of 2692	2752	DllCommonsvc.exe	42
PID 2752 wrote to memory of 2692	2752	DllCommonsvc.exe	42
PID 2752 wrote to memory of 2692	2752	DllCommonsvc.exe	42
PID 2752 wrote to memory of 2088	2752	DllCommonsvc.exe	43
PID 2752 wrote to memory of 2088	2752	DllCommonsvc.exe	43
PID 2752 wrote to memory of 2088	2752	DllCommonsvc.exe	43
PID 2752 wrote to memory of 660	2752	DllCommonsvc.exe	44
PID 2752 wrote to memory of 660	2752	DllCommonsvc.exe	44
PID 2752 wrote to memory of 660	2752	DllCommonsvc.exe	44
PID 2752 wrote to memory of 2824	2752	DllCommonsvc.exe	48
PID 2752 wrote to memory of 2824	2752	DllCommonsvc.exe	48
PID 2752 wrote to memory of 2824	2752	DllCommonsvc.exe	48
PID 2824 wrote to memory of 2700	2824	cmd.exe	50
PID 2824 wrote to memory of 2700	2824	cmd.exe	50
PID 2824 wrote to memory of 2700	2824	cmd.exe	50
PID 2824 wrote to memory of 2676	2824	cmd.exe	51
PID 2824 wrote to memory of 2676	2824	cmd.exe	51
PID 2824 wrote to memory of 2676	2824	cmd.exe	51
PID 2676 wrote to memory of 560	2676	WMIADAP.exe	52
PID 2676 wrote to memory of 560	2676	WMIADAP.exe	52
PID 2676 wrote to memory of 560	2676	WMIADAP.exe	52
PID 560 wrote to memory of 2232	560	cmd.exe	54
PID 560 wrote to memory of 2232	560	cmd.exe	54
PID 560 wrote to memory of 2232	560	cmd.exe	54
PID 560 wrote to memory of 1368	560	cmd.exe	55
PID 560 wrote to memory of 1368	560	cmd.exe	55
PID 560 wrote to memory of 1368	560	cmd.exe	55
PID 1368 wrote to memory of 2208	1368	WMIADAP.exe	56
PID 1368 wrote to memory of 2208	1368	WMIADAP.exe	56
PID 1368 wrote to memory of 2208	1368	WMIADAP.exe	56
PID 2208 wrote to memory of 2788	2208	cmd.exe	58
PID 2208 wrote to memory of 2788	2208	cmd.exe	58
PID 2208 wrote to memory of 2788	2208	cmd.exe	58
PID 2208 wrote to memory of 2776	2208	cmd.exe	59
PID 2208 wrote to memory of 2776	2208	cmd.exe	59
PID 2208 wrote to memory of 2776	2208	cmd.exe	59
PID 2776 wrote to memory of 1312	2776	WMIADAP.exe	60
PID 2776 wrote to memory of 1312	2776	WMIADAP.exe	60
PID 2776 wrote to memory of 1312	2776	WMIADAP.exe	60
PID 1312 wrote to memory of 2708	1312	cmd.exe	62
PID 1312 wrote to memory of 2708	1312	cmd.exe	62
PID 1312 wrote to memory of 2708	1312	cmd.exe	62
PID 1312 wrote to memory of 1336	1312	cmd.exe	63
PID 1312 wrote to memory of 1336	1312	cmd.exe	63
PID 1312 wrote to memory of 1336	1312	cmd.exe	63
PID 1336 wrote to memory of 2876	1336	WMIADAP.exe	64
PID 1336 wrote to memory of 2876	1336	WMIADAP.exe	64
PID 1336 wrote to memory of 2876	1336	WMIADAP.exe	64
PID 2876 wrote to memory of 900	2876	cmd.exe	66
PID 2876 wrote to memory of 900	2876	cmd.exe	66
PID 2876 wrote to memory of 900	2876	cmd.exe	66
PID 2876 wrote to memory of 872	2876	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4cbfb546ac8cfb8306a45cdbad351086702e848a39287c1a307b7b61a9b87449.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4cbfb546ac8cfb8306a45cdbad351086702e848a39287c1a307b7b61a9b87449.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:660
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jj5vXeamkL.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2824
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2700
      - C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2232
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2788
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2708
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:900
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FnVhX1xwia.bat"
        15⤵
        
        PID:2340
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:752
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\goxiuQmrpE.bat"
        17⤵
        
        PID:604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2868
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\peQnm3nkJb.bat"
        19⤵
        
        PID:2080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2492
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xdvgpfy6bM.bat"
        21⤵
        
        PID:2260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1560
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat"
        23⤵
        
        PID:2840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:308
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s2EHkno7yQ.bat"
        25⤵
        
        PID:2072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:624
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c07331ddc24b0307ff26cc1d242e8c8

SHA1
51403a99e1697ca4f196597f92e93f23b42ec551

SHA256
6b288cc92690da3055c799f6c56001e253e65818430fe5002d6fa21ecb32cb14

SHA512
85088a4842e55a71ddd1da3f7041db7c6b0206e29c1b9cc05f739d6fc1014db2c7f0bd1de9311b069232362ee68288e8b46c8efe05ef27cb92eeedbe62c1cbe9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d6a2849b472a0ded25622dad2182bdc

SHA1
bd7e58f7e34fef34d2ffed10afdfdf2506fd7aa3

SHA256
c6eb63bc48ad1924bb22ac1843c96daa68681bebe7ea524b5cc14bda76748086

SHA512
cdc49bed88a0fe954996854a95f521170770386bd6037f09579eb8cc0de3a73bde2fe3bbfb9ffb64145c6bf517cca5b326e61e21b56b17cbe386634bd5c7070f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9eb149c5ac6c1d3294e623ceda63173d

SHA1
89eb7c1645b5f8c0756959696625718b934fe38a

SHA256
e15b0792e74548978cb7324b40bbb903895b60022c46e45a05da2739208ba3ee

SHA512
fd27c23a29744f7f49cad71851210deffb2032aa5cb1486db12710e4eac44bfcc0c8bd15c3425f34330ee1a4b734049eb30f2c9a34e1370f12e081bb4895f061

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2046e7e100b52015566080b87e47e5fb

SHA1
dab449073e6a75e916df747c55fae9949d90b82a

SHA256
dfa3ec0c8cd2dad13424347f79e6959301650a2ad3222fa34888bd60d928160b

SHA512
df24e6319b5240e41e5364a14291b1e4a79760a52237871816c7eff5eaa412b3f5ea5ea9d499d1d5398251e672c65a6afafa790114d60858aa52c373705af94e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e828f62d6662520fa126faf691dc7d5

SHA1
25a2388f2e7ea6a04079599fee5e176564e23b1e

SHA256
e5cd1ebe49634af04cdc16537ab47a120ac0310068e128d5d462813dea35ea25

SHA512
203f03e59dc826c8590972bbbbc4f4d63662662e6c4f65dd544c141c276da83538703f9559bbc7bc5738b1a74c59282d0c6ad77e6618a116ace2fb827acbceba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
abad4fa3eb8cdd7b70c72091df1a15fe

SHA1
f8a8e45b5bead0c6744886d6b57efe4455edecc8

SHA256
3c24a531da55f6ecda342057bbabb11be62b0db0d35cd224a496e3d28c269358

SHA512
dd2a1c44f043a0b86dd3e3a2bd5ff1c486c2a588c7e1b929a01e2ece5f0a6f994ab33bc9f45567c5599b5206173c5dcd85376567038982454a500579200eb3e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec5fa5a291087393a1c5b611b0469607

SHA1
570359ccd617ad6deaf4bfe9d2bee68557764eb3

SHA256
1a4bc2a7b4f4d44c93b10abefc87f461fc215e3c427c8384e8389d173b3443c0

SHA512
8e058bf9953bfe583897d1933c828595fbc801b27a970fe0d62bfc2b28bff5feb115580961ccf1e376c8227d3b13f64b20ec10fc9ce85aac795a609abaaafeac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69dfb113220a9c3a148d989eec2307e1

SHA1
f8bf4884c58339321a7521feca125f966b521476

SHA256
8f5a316fc4866a4d33b2add8b1890d04a4cd5c25c4bcfe2ad6498aae73e6662c

SHA512
4c50338db5ee4815c68b44fee5a51d43252984dd562a1023cce1d8bfaf053977dab530ee7854a9b24c7bc239676b101e2a029dfe5a7f9a3fdc40dd61813e0ce7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf04988e52d61fbc3104fd0beea5927a

SHA1
b1dbac08098e0ae969ce2324444ebcfd5ca01097

SHA256
87a0712f317256086c7aa4c5658321b472dab5e1f76971a11a055bd0432cd800

SHA512
eb00dbb364938e3b5d190b936f18f0781dc7ff37eedc88f4544d53363586c1ed1b25541bddee37cc68850116a60d0de412000d31bbd46cc35b4f5fb869b20398

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEC2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FnVhX1xwia.bat

Filesize
225B

MD5
86995b7e95ad92d3f688f30f1df635ce

SHA1
cf49a32a2975dcb5d321fc9bf95b35f3284bd4fe

SHA256
5901d81c0a0ca1bd302212afe12004cddb63c4a6f0fde42ab8eba74d1ff589f4

SHA512
eab6ee9279c6d624d6f2fe6d821c40e56da2384102c7fc337c483c84c0d044d7637df3f1d3a79479d9b8f59d8498a77b0886c2433884ca40f31e9e711e8748d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEF4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat

Filesize
225B

MD5
f47570fbf5b9c9a83bfec0031ad99f40

SHA1
f2ffae6ef6c4df4e3712d249fb5e26c4f0f24507

SHA256
3280c196de99f673ab26c28ac42d00e1129db2f0185e770c2db4ae0c4345385b

SHA512
c2f2fd108f72cc9fb0e8f4b3117c00bf65ab54385bf281da7762e5120540ca97aafbf4e56b8ff271436b26fd5dd63e68b3b8bac75f1db0e4122234d6ef8d8005

Download Submit
C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat

Filesize
225B

MD5
707d365d3c5e6356eb7d1211afa0f502

SHA1
8096f29fec9b683146e0e5c25df3d9d31bb0230e

SHA256
8775d7b003c19393a991c502a86ac005c2d937034cba76d2f1e769c3df97d164

SHA512
aa2279b20c5318398f27b5354565a4d627bdfbb840ecfc5a40cd89a3f45fad033a6af22292c258612d17ec3289e78a6ace2e40c620691a57971a5ee4ad0dc4ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\goxiuQmrpE.bat

Filesize
225B

MD5
e4bdc81c7618619179c69ce536a7e925

SHA1
3b773c37c403c297f4f0b73501be765f3685cb9b

SHA256
e15738022001070d7179bf34891ab117fa2bb807792eae7ff3c435d39ea9ef72

SHA512
bfc9e1937398d0dfc18be78228966f2d29390edc2c74825006e9006e7c1aa2fa5f6bb2461bd714fde1e2e26c214f60f0e4bdfd49546a48684777baf4149cb0b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat

Filesize
225B

MD5
23e00285983efc1718e0f78087bf8e35

SHA1
ce08d38d13201683ca3ecb78df61cb558037e327

SHA256
e48e8926f32a983acd9eee78764cd09199ad6a2da8423f1271f8dff94d7578f4

SHA512
0a2c14d2455c6802d6448472f2939b3925f0b9ed9bce4562c1ddb827e961f06a85a5e2009f113f5986a70fee5c5673a47092a3d7b6549479e44f972a7bc1a97f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jj5vXeamkL.bat

Filesize
225B

MD5
9188a384ab3773f875b6b07c83666b72

SHA1
f6beeb75ed5b411d143f4906227e15ae1b8a40d1

SHA256
36bb195d551304efb94a47bf3cca564c8b026e5b92b05757e329941278e486ce

SHA512
ac28b778cb032a7ec79683830ab65946870bff4db81a115ff4a82d0b08de5f76e45ba3de409de336ee5666befb77d907db5269f57f0b9b3253f1e3d4d78a74ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat

Filesize
225B

MD5
ef623b7b2098b398bdd9173d3250e777

SHA1
d4b0c91c1f8075f8e1b76e94dde99580b6d7c135

SHA256
5cd7498cee777bbdd2a5ce1b159a781e6614235ec398bd8a44ccc1a2b07ab4f1

SHA512
704de7fe4bd1ba1e5f830d7565168b70f5e48d5565e73213ea590afe2d5effb2cf39c8dbf0d47ea85e2e961ff1aa30876a53477780930c5f76f9a98ca8a95252

Download Submit
C:\Users\Admin\AppData\Local\Temp\peQnm3nkJb.bat

Filesize
225B

MD5
990d3ad8596215e73dfc7a9e068edcd8

SHA1
48e5cddc4b9f3658da46421e9018ebae93bd52e1

SHA256
24e078d308d98834b902f4ca076cc3990e9932a7b8f33ce3d80544e893db6c23

SHA512
7f04f311053e9fffb8be711a9b3d071c61ee633f8f63b4e663cdec0d4542bb0f4c0037e671ae1e20534be1fd53be7d9301761c4424d807ef1d7de2a2072a4972

Download Submit
C:\Users\Admin\AppData\Local\Temp\s2EHkno7yQ.bat

Filesize
225B

MD5
04eaee5a3b63dfb7bfd2db32e1ee94d5

SHA1
9f7cef0ccb40362a46acfee2235d135aab59a064

SHA256
12c9a4119520273e813b4dcc1b352ce240d2f63ba7e9cc2ab387db3cedd75db6

SHA512
1bb3081f4f714c94c0764582a4dda0e3a31aced34e2f496de3718b8d57c84270d50049ceb42dd9bedf6ee7cea9fd54296a7ea7cf111be24c8cdd3cd051e6bbec

Download Submit
C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat

Filesize
225B

MD5
e16268d5d9844f7f74b9b82fc2ce7149

SHA1
000aaec35155f7f42399f138b70c3eb09dead045

SHA256
fd5c9e27a351b3095d3a1b2c4074774e6e8c8918c5843a08449de689b9c322c0

SHA512
9630e6caa66354adf31d9e311b5a16934ad059c6edb3b48a5b1d7fc33ef38287dda4dfc7f8c8e5dea84c66f3ef404da46682f57f767e2453b51ec129a3379603

Download Submit
C:\Users\Admin\AppData\Local\Temp\xdvgpfy6bM.bat

Filesize
225B

MD5
61d8d1eea7c86f0e2be250c8c86548b8

SHA1
e0eefa34916da4aa98bd16e90d0a66c2ac9dcbd2

SHA256
cf38334a34ea2b9fe5bf910cbd0cad193560b8997cefb4648153c6ce5cf23290

SHA512
9f2d4b45adcbca692b4c972ca7876ae2dc37e17b7a7bf380cd48d701e525e559b9203edb02da5409ad55012f53aa6d1a10a2b1da3e2eac1d82a64ba56e642081

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0WBK8SZ1WMO3PWU80SOQ.temp

Filesize
7KB

MD5
a54224346cd59cd70172c1a7677d7981

SHA1
579137a7be831c8ea65697462ee91668723025a4

SHA256
07f35bb59efacc8651bbe22a32e6fe6be65fd87cc41d00715f3e49066a0054d6

SHA512
8ef9b21659491ca5b6860dcc22b583050bad6d3003eb61d8c1990b4041474b8a30b1a7ffaab289f4dc92a1ddb85967724ea7e0b001f200c1643a035ebd7473fd

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/660-35-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/1336-225-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/1336-464-0x0000000001320000-0x0000000001430000-memory.dmp

Filesize
1.1MB

Download
memory/1368-105-0x0000000000E50000-0x0000000000F60000-memory.dmp

Filesize
1.1MB

Download
memory/1808-344-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2476-404-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2676-45-0x00000000008B0000-0x00000000009C0000-memory.dmp

Filesize
1.1MB

Download
memory/2676-46-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/2692-36-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/2740-583-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2752-17-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/2752-16-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2752-15-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2752-14-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2752-13-0x00000000001F0000-0x0000000000300000-memory.dmp

Filesize
1.1MB

Download
memory/2776-165-0x0000000001050000-0x0000000001160000-memory.dmp

Filesize
1.1MB

Download