dcrat | ca946449611a11d48b3494b7c45e60392e0097e2cf2a03b4a1ccbe6c1a7beac6

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ca946449611a11d48b3494b7c45e60392e0097e2cf2a03b4a1ccbe6c1a7beac6.exe
Size

1.3MB
MD5

d534a6e829a3870c8d7c7412d81bf3ae
SHA1

854331f62c77b20add9c88312ff9cad359131e9e
SHA256

ca946449611a11d48b3494b7c45e60392e0097e2cf2a03b4a1ccbe6c1a7beac6
SHA512

556d0b0e6f07c805281e28279117f52182d2349ad4250ec07e4cf23ed5b0fa42b0f264a5d055baf78e7b7da139eea476e6ca71b43ea7e3dd3cbafdf4b8e521f6
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2748	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00060000000186bf-12.dat	dcrat
behavioral1/memory/2700-13-0x0000000000D70000-0x0000000000E80000-memory.dmp	dcrat
behavioral1/memory/1292-33-0x00000000011E0000-0x00000000012F0000-memory.dmp	dcrat
behavioral1/memory/1664-103-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat
behavioral1/memory/3000-163-0x00000000000F0000-0x0000000000200000-memory.dmp	dcrat
behavioral1/memory/2980-223-0x0000000000B90000-0x0000000000CA0000-memory.dmp	dcrat
behavioral1/memory/2764-284-0x0000000000260000-0x0000000000370000-memory.dmp	dcrat
behavioral1/memory/2368-344-0x0000000000A60000-0x0000000000B70000-memory.dmp	dcrat
behavioral1/memory/2976-404-0x0000000000D10000-0x0000000000E20000-memory.dmp	dcrat
behavioral1/memory/2824-524-0x0000000001190000-0x00000000012A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2060	powershell.exe
2260	powershell.exe
1796	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2700	DllCommonsvc.exe
1292	dwm.exe
1664	dwm.exe
3000	dwm.exe
2980	dwm.exe
2764	dwm.exe
2368	dwm.exe
2976	dwm.exe
3008	dwm.exe
2824	dwm.exe
2504	dwm.exe

Loads dropped DLL 2 IoCs

pid	Process
2916	cmd.exe
2916	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
33	raw.githubusercontent.com
5	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
29	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\ebf1f9fa8afd6d	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ca946449611a11d48b3494b7c45e60392e0097e2cf2a03b4a1ccbe6c1a7beac6.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2056	schtasks.exe
2204	schtasks.exe
1456	schtasks.exe
844	schtasks.exe
648	schtasks.exe
1496	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2700	DllCommonsvc.exe
1796	powershell.exe
2060	powershell.exe
2260	powershell.exe
1292	dwm.exe
1664	dwm.exe
3000	dwm.exe
2980	dwm.exe
2764	dwm.exe
2368	dwm.exe
2976	dwm.exe
3008	dwm.exe
2824	dwm.exe
2504	dwm.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	DllCommonsvc.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	1292	dwm.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	1664	dwm.exe
Token: SeDebugPrivilege	3000	dwm.exe
Token: SeDebugPrivilege	2980	dwm.exe
Token: SeDebugPrivilege	2764	dwm.exe
Token: SeDebugPrivilege	2368	dwm.exe
Token: SeDebugPrivilege	2976	dwm.exe
Token: SeDebugPrivilege	3008	dwm.exe
Token: SeDebugPrivilege	2824	dwm.exe
Token: SeDebugPrivilege	2504	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 2900	1604	JaffaCakes118_ca946449611a11d48b3494b7c45e60392e0097e2cf2a03b4a1ccbe6c1a7beac6.exe	30
PID 1604 wrote to memory of 2900	1604	JaffaCakes118_ca946449611a11d48b3494b7c45e60392e0097e2cf2a03b4a1ccbe6c1a7beac6.exe	30
PID 1604 wrote to memory of 2900	1604	JaffaCakes118_ca946449611a11d48b3494b7c45e60392e0097e2cf2a03b4a1ccbe6c1a7beac6.exe	30
PID 1604 wrote to memory of 2900	1604	JaffaCakes118_ca946449611a11d48b3494b7c45e60392e0097e2cf2a03b4a1ccbe6c1a7beac6.exe	30
PID 2900 wrote to memory of 2916	2900	WScript.exe	31
PID 2900 wrote to memory of 2916	2900	WScript.exe	31
PID 2900 wrote to memory of 2916	2900	WScript.exe	31
PID 2900 wrote to memory of 2916	2900	WScript.exe	31
PID 2916 wrote to memory of 2700	2916	cmd.exe	33
PID 2916 wrote to memory of 2700	2916	cmd.exe	33
PID 2916 wrote to memory of 2700	2916	cmd.exe	33
PID 2916 wrote to memory of 2700	2916	cmd.exe	33
PID 2700 wrote to memory of 2060	2700	DllCommonsvc.exe	41
PID 2700 wrote to memory of 2060	2700	DllCommonsvc.exe	41
PID 2700 wrote to memory of 2060	2700	DllCommonsvc.exe	41
PID 2700 wrote to memory of 2260	2700	DllCommonsvc.exe	42
PID 2700 wrote to memory of 2260	2700	DllCommonsvc.exe	42
PID 2700 wrote to memory of 2260	2700	DllCommonsvc.exe	42
PID 2700 wrote to memory of 1796	2700	DllCommonsvc.exe	43
PID 2700 wrote to memory of 1796	2700	DllCommonsvc.exe	43
PID 2700 wrote to memory of 1796	2700	DllCommonsvc.exe	43
PID 2700 wrote to memory of 1292	2700	DllCommonsvc.exe	47
PID 2700 wrote to memory of 1292	2700	DllCommonsvc.exe	47
PID 2700 wrote to memory of 1292	2700	DllCommonsvc.exe	47
PID 1292 wrote to memory of 944	1292	dwm.exe	48
PID 1292 wrote to memory of 944	1292	dwm.exe	48
PID 1292 wrote to memory of 944	1292	dwm.exe	48
PID 944 wrote to memory of 1868	944	cmd.exe	50
PID 944 wrote to memory of 1868	944	cmd.exe	50
PID 944 wrote to memory of 1868	944	cmd.exe	50
PID 944 wrote to memory of 1664	944	cmd.exe	52
PID 944 wrote to memory of 1664	944	cmd.exe	52
PID 944 wrote to memory of 1664	944	cmd.exe	52
PID 1664 wrote to memory of 3060	1664	dwm.exe	53
PID 1664 wrote to memory of 3060	1664	dwm.exe	53
PID 1664 wrote to memory of 3060	1664	dwm.exe	53
PID 3060 wrote to memory of 2828	3060	cmd.exe	55
PID 3060 wrote to memory of 2828	3060	cmd.exe	55
PID 3060 wrote to memory of 2828	3060	cmd.exe	55
PID 3060 wrote to memory of 3000	3060	cmd.exe	56
PID 3060 wrote to memory of 3000	3060	cmd.exe	56
PID 3060 wrote to memory of 3000	3060	cmd.exe	56
PID 3000 wrote to memory of 2956	3000	dwm.exe	57
PID 3000 wrote to memory of 2956	3000	dwm.exe	57
PID 3000 wrote to memory of 2956	3000	dwm.exe	57
PID 2956 wrote to memory of 1812	2956	cmd.exe	59
PID 2956 wrote to memory of 1812	2956	cmd.exe	59
PID 2956 wrote to memory of 1812	2956	cmd.exe	59
PID 2956 wrote to memory of 2980	2956	cmd.exe	60
PID 2956 wrote to memory of 2980	2956	cmd.exe	60
PID 2956 wrote to memory of 2980	2956	cmd.exe	60
PID 2980 wrote to memory of 1204	2980	dwm.exe	61
PID 2980 wrote to memory of 1204	2980	dwm.exe	61
PID 2980 wrote to memory of 1204	2980	dwm.exe	61
PID 1204 wrote to memory of 1376	1204	cmd.exe	63
PID 1204 wrote to memory of 1376	1204	cmd.exe	63
PID 1204 wrote to memory of 1376	1204	cmd.exe	63
PID 1204 wrote to memory of 2764	1204	cmd.exe	64
PID 1204 wrote to memory of 2764	1204	cmd.exe	64
PID 1204 wrote to memory of 2764	1204	cmd.exe	64
PID 2764 wrote to memory of 2888	2764	dwm.exe	65
PID 2764 wrote to memory of 2888	2764	dwm.exe	65
PID 2764 wrote to memory of 2888	2764	dwm.exe	65
PID 2888 wrote to memory of 2928	2888	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca946449611a11d48b3494b7c45e60392e0097e2cf2a03b4a1ccbe6c1a7beac6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca946449611a11d48b3494b7c45e60392e0097e2cf2a03b4a1ccbe6c1a7beac6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
    - - C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1292
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1868
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUc4JDtx8N.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2828
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1812
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vFDRBKGR2C.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1376
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2928
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat"
        16⤵
        
        PID:2576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2660
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat"
        18⤵
        
        PID:2548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2536
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat"
        20⤵
        
        PID:1720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1680
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat"
        22⤵
        
        PID:1940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2840
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d7f0dcaac03776c523a7ce8fc93a4d9

SHA1
e8136b0ee3b31cfd8ed95e3b2da985454a56fbd4

SHA256
e7b597142cc54a8f168ee1771c240ad2631f40e481960ef76b971e107e3f4dcb

SHA512
dcc2ce76fbe54be6e82912422c534631150e759eeb58e6e7b7bd95c147304bbabf67d9254c2944fa565d4497e260762c5a0c9807c986594d9656734b28785720

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6301c4a3c82a8a58c11ea857afb042b8

SHA1
de1725f8cacdf49518640b715cdae7708da5c2ed

SHA256
d6d5585e35355f0f5bf78dc3a8df850d7374acb6f05322e83ef82006e38504c7

SHA512
d01f9d370788e8e1f56c7784d76e42bdc4900696472c7f21de68f6ddd72a24b2ceafa51b25d9b43fc33cf8a5b69765c23a096fb559db0515aedcd5963e11918d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6001f77c195a1f020fc262952350003d

SHA1
f95b4e22d7975df2020d2c72e7167a070680d6f3

SHA256
ea585b876815df3ebd3d8a6cfa73e6eb0368be719f8fe4b3f3166bbf3efd8482

SHA512
2b4134441d39ffa9fd2877688f97e97a82a2c24422365b1495ede29d779933a909dc25ce6b16d3d8a01750fafe24ad886b3753cfff40bf75b9b48044d22b4b4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0cca80ebf5eb79b05319388e485d8c1

SHA1
9d606649f4016fd080460f0e7ad4d4305d007bd6

SHA256
3642a5a000a4269c5a6ee70ce45f6026e209356b40e26a9fd0f43aec76f4fd9e

SHA512
0b788bc97edf8ab397dbacb2e4e2cacf1dda084cd6b81b59314d9efee05d8102023c1fc1ebd1d357cb1afd61db707e0cc2befda47c4e7fa5c1ace1c89031d51a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96b76f0aaf7f7ca7ecfb2fd5e5f99ec5

SHA1
56f0c785ecb511c73731dcf5f58ce4b4557b11e7

SHA256
3cec6565dc1dad22214ec23ea6906f4720226793ca5f1c73d8a51708994fa814

SHA512
801e4f0114f1e53a7186feb75b436ddcae9f2c0d02d8eba97a8732d0ddc193eb066b2199ce4af1a3e67ca73f9685731d0da831486746246fcb62604339b84262

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2dc631dbea49fd532d8d642680a9d1b8

SHA1
0ef9b1421f3c94f238746fe9e9731dd0873b2674

SHA256
4a619ce24a5057c6212409c57e01086a5f929f98d2958a896dc9653653397c9a

SHA512
197ee26627fc914c778b1dfa3bbf129158e75e649150ca14ceba84c0952fbe780c178726f469f1811cf31712b450ae6fe3b6793735a2dbab776f9b401d1f5bd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
440a5f2207bca754eff483b4472b0272

SHA1
b4a4da993a62cc88776193281ea8369f895a9dd4

SHA256
61822333132f7bc08edce7e0b1572497545a1078499ce0a15682ab34fe051815

SHA512
c5687b63f4049b403b8b20bd86bceae621ad5b110e0aea95a82dce03349e20dc8c2f8beff3318e5543c5733565b228adef69c40b661fbd46d43d9e4a6860539e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f00ba3857987437bec768736d99f44bd

SHA1
d392cbbb0c455374b784ee99f482d6f9b5d854d1

SHA256
1b39100300ede83749715de08e2660df4853a38fefba16e5eea19237fa6d922c

SHA512
8792780482327283a228693557a8da9fca09a1285df6a77f49d558be6d9e32dee0ed6f014c3cafa02a5a4bfbdc799c73de75a774d2a670d21b91ac1434241c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat

Filesize
220B

MD5
3bc828e7684415254e149f276a115e4d

SHA1
0543ff1af0f59315299c93dc827d503b4ba296da

SHA256
1a3a310be62552456900d335bcb1baeb617848ff9fc761ed17d1334aa8acb48d

SHA512
0bc9e866804bda67835b558b82ab57dee175c828517bdd15b3b58caac480dfef16e73dbcc494cc93901adcbc4d71e8d53e279c761581c616a4a8a728570d31d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat

Filesize
220B

MD5
18ca6760d99e70383786aab57acea870

SHA1
cf270759001dae9bcfbf3b8a956e2df11d2d5ef8

SHA256
28471ad4dd5d5754c35ad6c871b831dc38fdbbfa0f4508aa79c705c8ce66e971

SHA512
2dfd7afb68daccd216bd983370e60cc8d6fba22722f8d78be5afd9ea38c6ecb2cca925bc9b4d02046f545d59fac9dc7ae3fb4c4a2d6d7f0d167bab3d497631e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat

Filesize
220B

MD5
a75d464c179e90c70d4f3492659a1755

SHA1
fb50934c01fa4abe134fde40ca62ac429ddb4927

SHA256
0b7f0308e0c64ab7f7a829579b46e70e455676b1633ef0511a2810a46df540e5

SHA512
a824c040bda2de1832d20fe578baebfbef254cc0b8641e8bd453710911c186f005daa9251d2c34c206bee9170537e77151edaab9b9d6ef6a89e50e116ec5e6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB702.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat

Filesize
220B

MD5
7feb940f44b70d2d7a1bfb4930fcf0fa

SHA1
6551e1be4fd67ac3a8c5f7d8402da0360dd97898

SHA256
c8cb7e76f9b42151289dd6d97fa6caf1b7aa25b5258fd677c484e24126b72402

SHA512
1b0bb9f697ed99e072e29165c435e1bfa68dd21260819a9a6fb88acac44454880db4e804ee1a26c8210e7dc223278591fa7e35c5e92c6e15bb863ce9ff4322d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat

Filesize
220B

MD5
144eb1313cc33c05915788782751638c

SHA1
b5eccdae2f3363dd30db3861f90d1d9ff1ce3b2c

SHA256
faf8ab8743fbf500a9f823108e6e88b6662a4b18596075e29be5ec148238f102

SHA512
e3d3df9ad3b35dc5c9826e721bb7f910a7644507da18d7cfb13dcbee90ba0e75e2874cdbcbb4ccd27f2d29015e5283301d7d9e527bc74e661d5e65ec97125997

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB714.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat

Filesize
220B

MD5
742143f170b0444ecd6f6365c0444da0

SHA1
5076f4455e306fc55955d5f9ad45bafef6a22659

SHA256
1300f26d35e8b3fccbc50851c60d4f3ddf361cb4f651a98d2a00f46e9ff2bdfe

SHA512
cdd718ddaa0972a4b458b70d8b5420925308e984c97af3093291684660efd5151d89e993f6e41a0be81542377ff136b6e408b3974d9bb62295e16c6007bcd02f

Download Submit
C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat

Filesize
220B

MD5
5f19d11d67d7da5e4f2de917ae39911d

SHA1
b609972d64de904118d08e652ae096c441bc37f8

SHA256
e4e6dbb09f6cfd48239415dafa0193d34bb3794c95ddcd8c0a852fbc0842b278

SHA512
c8bfdc94d3edd021ea212069c2a1e49dd0b4377f0695aab0c5b808a2f18dd287cf5ec33e9c101276bcfe26e841a4e9aed83b2b7c0857038803c59a19cb3cb0c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUc4JDtx8N.bat

Filesize
220B

MD5
198b57c7708a6328a9d9e233c8163dc1

SHA1
7e7ffe60842243f571230bf6294ed6b6c95179c3

SHA256
7153b6cced0c2b98363678b39153095d2f7c3e70e855a4cd2ad12075e6934db0

SHA512
91df78a7b6e44cda6ca105a65b10a5eaa88190659529866539e9975b651fae9e1d7656c8d3255f788e9939533542b1c3bd254a2fe2409f9e3f8b162a0f17378c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vFDRBKGR2C.bat

Filesize
220B

MD5
81aa8920943acea292a0c77348e1d55d

SHA1
14732c016c9cbd119e10da217bf586a247e88de1

SHA256
9684c1ff7e24acdf1c00d7920c48f9682be9419c55a5326eebab8988482d6a46

SHA512
97fbc5ac95c15c2ace76e17ab1ae8c264a7490221c30830d37914ea7a7116f0f60769b7e72d529443f9ff3417d6b515f3aead769bd4583294231c9b05b3ea2c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2S6PXC92XI235NXD1P2J.temp

Filesize
7KB

MD5
1a45fcf60e1078f554ef47877d2f7312

SHA1
4d917523992e061090708f5b54dcbd573c3f3eb9

SHA256
b2239d10f05b03764a2fc35a7e249f2c6509fa95ba64159c95735f0f7589e0ed

SHA512
9db4a42634fd8f566af73f62229873b9ce2fa1d50b5a819a78e6691b03377906443a944f19e967cfb6305634631cf990a9076521c642a36d6465eb14612dd977

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1292-33-0x00000000011E0000-0x00000000012F0000-memory.dmp

Filesize
1.1MB

Download
memory/1664-103-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/1796-39-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/1796-38-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2368-344-0x0000000000A60000-0x0000000000B70000-memory.dmp

Filesize
1.1MB

Download
memory/2700-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2700-17-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2700-16-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/2700-13-0x0000000000D70000-0x0000000000E80000-memory.dmp

Filesize
1.1MB

Download
memory/2700-15-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2764-284-0x0000000000260000-0x0000000000370000-memory.dmp

Filesize
1.1MB

Download
memory/2824-524-0x0000000001190000-0x00000000012A0000-memory.dmp

Filesize
1.1MB

Download
memory/2976-404-0x0000000000D10000-0x0000000000E20000-memory.dmp

Filesize
1.1MB

Download
memory/2980-224-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/2980-223-0x0000000000B90000-0x0000000000CA0000-memory.dmp

Filesize
1.1MB

Download
memory/3000-163-0x00000000000F0000-0x0000000000200000-memory.dmp

Filesize
1.1MB

Download
memory/3008-464-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download