dcrat | 801c7e565701b2dc1ca91ca869c0bf497f4931c0f35ed32907df6f9e292af2f6

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_801c7e565701b2dc1ca91ca869c0bf497f4931c0f35ed32907df6f9e292af2f6.exe
Size

1.3MB
MD5

235fb4bd4981ee982f7a2ff224fb1d2f
SHA1

c9ec274e820e9d3d7f3dd0a9ac765b856d57e10d
SHA256

801c7e565701b2dc1ca91ca869c0bf497f4931c0f35ed32907df6f9e292af2f6
SHA512

bf48d6c720e4ed975aa7afc38f8985d585810a2f51fbb0e2b214be238f97ff19c2e5b802db61646b29da658c3fde545c1a7e07a745787863a916a9463989a1db
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	1496	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015d79-12.dat	dcrat
behavioral1/memory/1268-13-0x0000000000990000-0x0000000000AA0000-memory.dmp	dcrat
behavioral1/memory/1100-28-0x0000000001310000-0x0000000001420000-memory.dmp	dcrat
behavioral1/memory/3020-163-0x0000000001380000-0x0000000001490000-memory.dmp	dcrat
behavioral1/memory/2784-400-0x0000000000360000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/676-460-0x0000000000A80000-0x0000000000B90000-memory.dmp	dcrat
behavioral1/memory/1992-521-0x0000000000B90000-0x0000000000CA0000-memory.dmp	dcrat
behavioral1/memory/2592-582-0x0000000000DE0000-0x0000000000EF0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2768	powershell.exe
1936	powershell.exe
2528	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
1268	DllCommonsvc.exe
1100	dllhost.exe
1680	dllhost.exe
3020	dllhost.exe
1816	dllhost.exe
1508	dllhost.exe
2432	dllhost.exe
2784	dllhost.exe
676	dllhost.exe
1992	dllhost.exe
2592	dllhost.exe
296	dllhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1856	cmd.exe
1856	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
35	raw.githubusercontent.com
38	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dllhost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dllhost.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\services.exe	DllCommonsvc.exe
File created	C:\Windows\Cursors\c5b4cb5e9653cc	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_801c7e565701b2dc1ca91ca869c0bf497f4931c0f35ed32907df6f9e292af2f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2736	schtasks.exe
3028	schtasks.exe
2728	schtasks.exe
2716	schtasks.exe
2860	schtasks.exe
2692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1268	DllCommonsvc.exe
2768	powershell.exe
2528	powershell.exe
1936	powershell.exe
1100	dllhost.exe
1680	dllhost.exe
3020	dllhost.exe
1816	dllhost.exe
1508	dllhost.exe
2432	dllhost.exe
2784	dllhost.exe
676	dllhost.exe
1992	dllhost.exe
2592	dllhost.exe
296	dllhost.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1268	DllCommonsvc.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	1100	dllhost.exe
Token: SeDebugPrivilege	1680	dllhost.exe
Token: SeDebugPrivilege	3020	dllhost.exe
Token: SeDebugPrivilege	1816	dllhost.exe
Token: SeDebugPrivilege	1508	dllhost.exe
Token: SeDebugPrivilege	2432	dllhost.exe
Token: SeDebugPrivilege	2784	dllhost.exe
Token: SeDebugPrivilege	676	dllhost.exe
Token: SeDebugPrivilege	1992	dllhost.exe
Token: SeDebugPrivilege	2592	dllhost.exe
Token: SeDebugPrivilege	296	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2452	2156	JaffaCakes118_801c7e565701b2dc1ca91ca869c0bf497f4931c0f35ed32907df6f9e292af2f6.exe	30
PID 2156 wrote to memory of 2452	2156	JaffaCakes118_801c7e565701b2dc1ca91ca869c0bf497f4931c0f35ed32907df6f9e292af2f6.exe	30
PID 2156 wrote to memory of 2452	2156	JaffaCakes118_801c7e565701b2dc1ca91ca869c0bf497f4931c0f35ed32907df6f9e292af2f6.exe	30
PID 2156 wrote to memory of 2452	2156	JaffaCakes118_801c7e565701b2dc1ca91ca869c0bf497f4931c0f35ed32907df6f9e292af2f6.exe	30
PID 2452 wrote to memory of 1856	2452	WScript.exe	31
PID 2452 wrote to memory of 1856	2452	WScript.exe	31
PID 2452 wrote to memory of 1856	2452	WScript.exe	31
PID 2452 wrote to memory of 1856	2452	WScript.exe	31
PID 1856 wrote to memory of 1268	1856	cmd.exe	33
PID 1856 wrote to memory of 1268	1856	cmd.exe	33
PID 1856 wrote to memory of 1268	1856	cmd.exe	33
PID 1856 wrote to memory of 1268	1856	cmd.exe	33
PID 1268 wrote to memory of 2768	1268	DllCommonsvc.exe	41
PID 1268 wrote to memory of 2768	1268	DllCommonsvc.exe	41
PID 1268 wrote to memory of 2768	1268	DllCommonsvc.exe	41
PID 1268 wrote to memory of 1936	1268	DllCommonsvc.exe	42
PID 1268 wrote to memory of 1936	1268	DllCommonsvc.exe	42
PID 1268 wrote to memory of 1936	1268	DllCommonsvc.exe	42
PID 1268 wrote to memory of 2528	1268	DllCommonsvc.exe	43
PID 1268 wrote to memory of 2528	1268	DllCommonsvc.exe	43
PID 1268 wrote to memory of 2528	1268	DllCommonsvc.exe	43
PID 1268 wrote to memory of 1100	1268	DllCommonsvc.exe	47
PID 1268 wrote to memory of 1100	1268	DllCommonsvc.exe	47
PID 1268 wrote to memory of 1100	1268	DllCommonsvc.exe	47
PID 1100 wrote to memory of 1304	1100	dllhost.exe	49
PID 1100 wrote to memory of 1304	1100	dllhost.exe	49
PID 1100 wrote to memory of 1304	1100	dllhost.exe	49
PID 1304 wrote to memory of 1984	1304	cmd.exe	51
PID 1304 wrote to memory of 1984	1304	cmd.exe	51
PID 1304 wrote to memory of 1984	1304	cmd.exe	51
PID 1304 wrote to memory of 1680	1304	cmd.exe	52
PID 1304 wrote to memory of 1680	1304	cmd.exe	52
PID 1304 wrote to memory of 1680	1304	cmd.exe	52
PID 1680 wrote to memory of 620	1680	dllhost.exe	53
PID 1680 wrote to memory of 620	1680	dllhost.exe	53
PID 1680 wrote to memory of 620	1680	dllhost.exe	53
PID 620 wrote to memory of 2096	620	cmd.exe	55
PID 620 wrote to memory of 2096	620	cmd.exe	55
PID 620 wrote to memory of 2096	620	cmd.exe	55
PID 620 wrote to memory of 3020	620	cmd.exe	56
PID 620 wrote to memory of 3020	620	cmd.exe	56
PID 620 wrote to memory of 3020	620	cmd.exe	56
PID 3020 wrote to memory of 1828	3020	dllhost.exe	57
PID 3020 wrote to memory of 1828	3020	dllhost.exe	57
PID 3020 wrote to memory of 1828	3020	dllhost.exe	57
PID 1828 wrote to memory of 2952	1828	cmd.exe	59
PID 1828 wrote to memory of 2952	1828	cmd.exe	59
PID 1828 wrote to memory of 2952	1828	cmd.exe	59
PID 1828 wrote to memory of 1816	1828	cmd.exe	60
PID 1828 wrote to memory of 1816	1828	cmd.exe	60
PID 1828 wrote to memory of 1816	1828	cmd.exe	60
PID 1816 wrote to memory of 1820	1816	dllhost.exe	61
PID 1816 wrote to memory of 1820	1816	dllhost.exe	61
PID 1816 wrote to memory of 1820	1816	dllhost.exe	61
PID 1820 wrote to memory of 940	1820	cmd.exe	63
PID 1820 wrote to memory of 940	1820	cmd.exe	63
PID 1820 wrote to memory of 940	1820	cmd.exe	63
PID 1820 wrote to memory of 1508	1820	cmd.exe	64
PID 1820 wrote to memory of 1508	1820	cmd.exe	64
PID 1820 wrote to memory of 1508	1820	cmd.exe	64
PID 1508 wrote to memory of 1672	1508	dllhost.exe	65
PID 1508 wrote to memory of 1672	1508	dllhost.exe	65
PID 1508 wrote to memory of 1672	1508	dllhost.exe	65
PID 1672 wrote to memory of 1284	1672	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_801c7e565701b2dc1ca91ca869c0bf497f4931c0f35ed32907df6f9e292af2f6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_801c7e565701b2dc1ca91ca869c0bf497f4931c0f35ed32907df6f9e292af2f6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dllhost.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dllhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1100
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1984
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dllhost.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dllhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2096
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dllhost.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dllhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2952
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dllhost.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dllhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:940
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dllhost.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dllhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1284
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dllhost.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dllhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat"
        16⤵
        
        PID:2692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1336
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dllhost.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dllhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nKCzYbro9F.bat"
        18⤵
        
        PID:1248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1860
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dllhost.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dllhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0tZmJrpaGF.bat"
        20⤵
        
        PID:2104
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2360
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dllhost.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dllhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ww6iFNwlpp.bat"
        22⤵
        
        PID:3028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1152
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dllhost.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dllhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZDYK5nApHO.bat"
        24⤵
        
        PID:2172
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2780
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dllhost.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dllhost.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Cursors\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Cursors\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\Cursors\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a70d0232ce9f28a8cb6ab5109d687d49

SHA1
971cb38a79b424dde5fa33f0d4e5179443c4e7e9

SHA256
309cada394e2d73c73a7b8679bf6b07f241304de6da9b3fdcafce67f6cbdb027

SHA512
bc3800fc18567591398d9fd093388feadf978f7b811348f0f26873897b6344b3106d84ce3e5d01218eadbedd1672e00fe945e8dbb07123ccdd4178ba1b003d6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
282d460a233ff53e010c7bcd6525cf8c

SHA1
1825d111d40d2c9ca47e1a2fddbd2b4c19ecec31

SHA256
d004a030a306e88078714ff960924ea42aaf06a2e3680094867482cbda035358

SHA512
cbea52d99cb9a523b145e5698d263da55d09528be1dd7ee1b09669737ad7b3795465b4428f228526c6f4c51caef69bec8ab4337e9032bc5a2705c4f2d444ff91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7147c5fbf961a3f350b710a07098e0f8

SHA1
45b81169f771c739950f87978cddfddd08a93899

SHA256
85d2f6b6eb985b4ffff7aa26494aded4dd7466ff21a0531ee932e832342157d3

SHA512
3adc5eb0d40495731c89f5909fa78358160b450270e45e73918584be8aaca7ecbb0c3e357bd67f7793ad72e22961aac33dfe6f02296ded24bfebd69d612a24fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e6394043f0ade94970b02c2f1159ebc

SHA1
417cbe77028145cec1e798670e654433ad1d57b1

SHA256
4396320def7ee5b4109af4a9ac14b813fce6f90459a7dc7e843c005280e8c9bc

SHA512
4b9ea8ffae68d8f6c17ee02d554620794199ce7abea1dd81f2daa532c0e8df26caebf1f803f8215bdb67b102ac9271d500079395fc356d717a447fc528269863

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a40eef338476cdd506842a9b088c190e

SHA1
be96d659b95c5d0cae916d72aafbfe86e79470f0

SHA256
d025fc652ad95183486d9568bfd2913d78e784803f260477dc82cde73c0857f1

SHA512
88bee8d69efac54ba44a1ed48aa054322488e25a03a691381375a10fddbb569c58edb95ca3d856ba953e87524d8283e735e859be90d88cbfa8ab0e85b3e2344d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d6834981411d0f4b3ed3d82a2322ad1

SHA1
adc3d79f11353e43342b1a0a9753b4f5128209e5

SHA256
4ca2571c714fba96d9baddfc56022b1c62a462e1b1fbfc9a5822a6891d6f7c14

SHA512
9bc80a358c749ad6b9ccb8ef999bf686b5224b0702401f427ffb7b65ec15fd5e84d0b30bfdfe5377b81bc1c8b30ca080d5368c873fe2f3ab0cd20ef823acb8c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c306f58468f46e13126fc977fa4290ac

SHA1
11efc5fa9e2b146fb957b106408cd084a66ba33c

SHA256
fa793e56a56aeea5c543504d40b52ca87cc3a0a520d50315594b7b98ed35e545

SHA512
783897b39b63b61d0f93b7c6590b4770d702f71c8d94cf8257811dfb3e20a8f99971c9786ffd50306cb8741b61e8a12f88df2915f04868d9e33735be130a5910

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d7494c3724496beffc9a92f00642dff

SHA1
fc70c6cf6ad9a24cda205ab4882f10fdfc32556e

SHA256
2f0ffd945f8098116e2d6f37f6373168388a2dd0844d007ba0975320688021dd

SHA512
fcce832c0883b1c495886d1a52b229034b21ae7fa98213d2141ab31438f8cd34bb7988bb7aa915bb5e3ea27d96ae3aefdf3e409c4d0f080a1da67dbd926705a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
615be2b14706d4fd2e64b42849d46dd4

SHA1
09f65567288f208cbdcf5b6bed37222740a8cc4b

SHA256
6d02f3d7e7098ee048f9869c4e0c659de00584f0c4872db9c515bb7f3b06c70c

SHA512
20015b23a03f90ab05647afec1ceddb3a0bd28de450c0d0da69eac3ee8fee32b2613be93fe1f7b6876dbd6ac026b10c79a5befe4cbd207f9c78a50f6f902d9a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ee56b982b05a7fab5004560668a0ee5

SHA1
e973f5f0efec03d432cf498943513ad8bc8701f9

SHA256
3cde3456fc2dc533783344281638063359c51cbf821769e8c76b0ff7f2d88d07

SHA512
af2e788822ffd16f1e93c9d906a75899c6c54d4fc6ec85aee101599b69938586cfd69dfcaeddc25a9e9d1229b9661b33a33690a573baaf79f653e7f5d1dfc438

Download Submit
C:\Users\Admin\AppData\Local\Temp\0tZmJrpaGF.bat

Filesize
236B

MD5
a44f74cf3a1df7acaa43fc4b3fcfde7e

SHA1
45fc7984bcc22ed19e8305e8c2b4fc672b55eef7

SHA256
48a6914007d9e6df9bcc6eca23a41a7f641673800a38922c51ed328aa9f79ddc

SHA512
329a80a1435874ef97a4dbe406016b2096f45e0d4a5381a4bd385b2077758221e1c6bbc029cdf5758872b5c54b14cbcc825118aee5ee90905e107b52992fbcd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat

Filesize
236B

MD5
c99e7d5f434b63411709a95b125f4d87

SHA1
b9a8cbfbe5883e758a72f384f828509a20acf08a

SHA256
30dd674c7cab692186bf6cd14583d86458fc4f7604ed82e8e0878a698df5ba4f

SHA512
07d95bb16303fddaf0a2fad542e9bc6ccc88d923f0fa42201c3bd8b90766ddb4f3ae7c643b430b2a33c330d2874699ae270ca236a974a0ce985afc609a6f1ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat

Filesize
236B

MD5
95731a0795d2cbc3aeaf63c168f597dc

SHA1
469d40d1b4a8681909de6d0fd70e781ad868e1d5

SHA256
0d1f447c28816b18c4bff3bb1485066a3c57bec848f2744e2a193e9823027269

SHA512
cb76fa30ace2b607c0796de25c794a8363e8fc49647b944f8ff4f53e717dcb78ea7ae81d60d14dfeb62e67cf5b1409d1479e55e872ed0e214dcaed1c681f5a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat

Filesize
236B

MD5
792e3531fc47df7ac1176dbe7ffb1c8f

SHA1
20944f98b5080c861a994dd989f8cc6a976949b3

SHA256
53f369054e88536b118780e060b19bb268c85f51cf60059ab9ab78ab22019f1c

SHA512
1d6a752d9e3096fb76f48b14a97ce166e2ed783d2170833611f52666b09a09e7cdf2f4805c72f4a9210897845bd0e982567c2983d83b1e1b7331e4dfaa82d60c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE3DC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat

Filesize
236B

MD5
a57bed3d1ca241797359abd4224cbdb1

SHA1
3851a6a0bc526829236141c09158ad1b357d0702

SHA256
bd0c62fbd1f8fc55f38e9b097f583c4b4b42a2b7066c6e61a43168c23b08bc5a

SHA512
6787b38e2cdd0ad0abaa3e2dd8315adaf55a46de61b9e151bb9e4b77095794a37fa63d92391c98e4a532a2b5c0b2ea5f93f13a100d90c8f9ee65dc9c6ab2b71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat

Filesize
236B

MD5
1e64dfcda3129680dbe65fa1f187e43c

SHA1
a3751a4b4a446b5fd449bf90420c1d56e99e012d

SHA256
909a788e93878769e3da1eb87312aecb019944b03a4a4173ba526f77c670d0be

SHA512
fde450ffec48d926a926d99fd1776877f3b961f7ca6d5086c25189708e8eb5fa294cf6821ee5937f988f087cb071073749ba253d5519b14ce3ab28f125bb4d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE3FE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat

Filesize
236B

MD5
3bd22c7e9f25ed9c1ac96bf67642b1ff

SHA1
d34b63c72d633ff5cd9cd2756b9a7ade4ad99cdb

SHA256
f77ea0c4515c3c68a8e2b70ef53cb39eb4f43e6bb46163b2728be3710c9c52c0

SHA512
ad9bc1b00bcd8c1cd17ce35119aefec368dff7231fa5afee572128dfe7c345d01c3731e8432fddd75a22406a84593625e0ae740719d9dcfd6e6ab767502fed5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ww6iFNwlpp.bat

Filesize
236B

MD5
217495f62a3e60532e0915de880868ac

SHA1
30a144e2059686ac2a9df14e74d67f7142c6a233

SHA256
27de69cab83e5c6503aa11e71e67b3d0707171d1239760ddf40e5fc3fb534065

SHA512
186ea9e6fb7b2273d3e899d88ff642df3fd2dcf0a4208ef862b1d77f99569bff24e292f87190ec1c2a440cabda8df321af125004abac0ce44cfafe49fc68584e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZDYK5nApHO.bat

Filesize
236B

MD5
7537dd77eb6f1f510a86081bab6590ef

SHA1
063e40a51b8c5055f7db2c82cbccfd7bdb99f62d

SHA256
587759b6f09bfebc0889ac687b16eb220b5d307e926b4e65508ac0e27697f5ca

SHA512
2691b6f8504077b111e99c2a6563d53203c6ef6a52de8779bd7fffa8acefb4485c9a3f0da414d2bb40351b69c13ffff916d2c34fa2910090d813637a254c9076

Download Submit
C:\Users\Admin\AppData\Local\Temp\nKCzYbro9F.bat

Filesize
236B

MD5
08674b88a51b19a7656a91050fff57f2

SHA1
9f7b04a603f93bd39803d736b1c70926f77c5e5f

SHA256
a4092ac09cace3116622638d8e75a35ca4cd57ef0a00f8cec89073659b2e6425

SHA512
3aa5872343137367cbabfeac92851075241a65edf17d854eeaef937feb99ddf5b3a140ec793446390f082aad3740603137ecb71b354cf5d88f5eff83bea40bfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1e1eec3d196c083c46e376f2e2d9b287

SHA1
6e74363c811a3d5873c317d32e178162cc7237ba

SHA256
8a77ce9bf62f2ab7879234c59e1cc97acf51d26770a272c88846dd0d64fd2b96

SHA512
816b62d248dabd8d58210bbff0aaa82bb578b5c5e1c048cd7100bcee706aecfa218e0433df3a9a0c5769df0340bf6c5f1e829e172adf539db66e8c6d41c8f743

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/676-460-0x0000000000A80000-0x0000000000B90000-memory.dmp

Filesize
1.1MB

Download
memory/676-461-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1100-28-0x0000000001310000-0x0000000001420000-memory.dmp

Filesize
1.1MB

Download
memory/1268-17-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/1268-16-0x00000000004D0000-0x00000000004DC000-memory.dmp

Filesize
48KB

Download
memory/1268-15-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/1268-14-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/1268-13-0x0000000000990000-0x0000000000AA0000-memory.dmp

Filesize
1.1MB

Download
memory/1680-103-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/1992-521-0x0000000000B90000-0x0000000000CA0000-memory.dmp

Filesize
1.1MB

Download
memory/1992-522-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2528-43-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2528-44-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2592-582-0x0000000000DE0000-0x0000000000EF0000-memory.dmp

Filesize
1.1MB

Download
memory/2784-400-0x0000000000360000-0x0000000000470000-memory.dmp

Filesize
1.1MB

Download
memory/3020-163-0x0000000001380000-0x0000000001490000-memory.dmp

Filesize
1.1MB

Download