dcrat | 0ae3546fd0b4d0d5b2bff4b291cd67598cfcb3b0a973406d94f4bbb7ac114117

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0ae3546fd0b4d0d5b2bff4b291cd67598cfcb3b0a973406d94f4bbb7ac114117.exe
Size

1.3MB
MD5

cc0808680416688ce09479280409858c
SHA1

6e4c4f3ad1a9f6565b1e5ec6f5bf44b3448e8395
SHA256

0ae3546fd0b4d0d5b2bff4b291cd67598cfcb3b0a973406d94f4bbb7ac114117
SHA512

7a6d0b4258fb1232c3644de51781f42af0075e91bc151e4bee8748f77e4edb8233ab9705aedf9929bc51eb6f89a0990a9e099d9d14a131aef088615666b0a5c8
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2600	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2600	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2600	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2600	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2600	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2600	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2600	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2600	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2600	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000186de-9.dat	dcrat
behavioral1/memory/2732-13-0x00000000001D0000-0x00000000002E0000-memory.dmp	dcrat
behavioral1/memory/2012-30-0x0000000000350000-0x0000000000460000-memory.dmp	dcrat
behavioral1/memory/2328-110-0x0000000001000000-0x0000000001110000-memory.dmp	dcrat
behavioral1/memory/2384-170-0x00000000000D0000-0x00000000001E0000-memory.dmp	dcrat
behavioral1/memory/2104-230-0x0000000000CC0000-0x0000000000DD0000-memory.dmp	dcrat
behavioral1/memory/2128-349-0x00000000011B0000-0x00000000012C0000-memory.dmp	dcrat
behavioral1/memory/1904-468-0x00000000000C0000-0x00000000001D0000-memory.dmp	dcrat
behavioral1/memory/1952-528-0x0000000001130000-0x0000000001240000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1732	powershell.exe
2356	powershell.exe
1592	powershell.exe
1596	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2732	DllCommonsvc.exe
2012	DllCommonsvc.exe
2328	DllCommonsvc.exe
2384	DllCommonsvc.exe
2104	DllCommonsvc.exe
2264	DllCommonsvc.exe
2128	DllCommonsvc.exe
1876	DllCommonsvc.exe
1904	DllCommonsvc.exe
1952	DllCommonsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2668	cmd.exe
2668	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
20	raw.githubusercontent.com
24	raw.githubusercontent.com
28	raw.githubusercontent.com
35	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
31	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\wininit.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\56085415360792	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0ae3546fd0b4d0d5b2bff4b291cd67598cfcb3b0a973406d94f4bbb7ac114117.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1664	schtasks.exe
2840	schtasks.exe
2864	schtasks.exe
3036	schtasks.exe
1960	schtasks.exe
2296	schtasks.exe
1616	schtasks.exe
2464	schtasks.exe
1404	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2732	DllCommonsvc.exe
1732	powershell.exe
2356	powershell.exe
1592	powershell.exe
2012	DllCommonsvc.exe
1596	powershell.exe
2328	DllCommonsvc.exe
2384	DllCommonsvc.exe
2104	DllCommonsvc.exe
2264	DllCommonsvc.exe
2128	DllCommonsvc.exe
1876	DllCommonsvc.exe
1904	DllCommonsvc.exe
1952	DllCommonsvc.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	DllCommonsvc.exe
Token: SeDebugPrivilege	2012	DllCommonsvc.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	2328	DllCommonsvc.exe
Token: SeDebugPrivilege	2384	DllCommonsvc.exe
Token: SeDebugPrivilege	2104	DllCommonsvc.exe
Token: SeDebugPrivilege	2264	DllCommonsvc.exe
Token: SeDebugPrivilege	2128	DllCommonsvc.exe
Token: SeDebugPrivilege	1876	DllCommonsvc.exe
Token: SeDebugPrivilege	1904	DllCommonsvc.exe
Token: SeDebugPrivilege	1952	DllCommonsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2816	1668	JaffaCakes118_0ae3546fd0b4d0d5b2bff4b291cd67598cfcb3b0a973406d94f4bbb7ac114117.exe	31
PID 1668 wrote to memory of 2816	1668	JaffaCakes118_0ae3546fd0b4d0d5b2bff4b291cd67598cfcb3b0a973406d94f4bbb7ac114117.exe	31
PID 1668 wrote to memory of 2816	1668	JaffaCakes118_0ae3546fd0b4d0d5b2bff4b291cd67598cfcb3b0a973406d94f4bbb7ac114117.exe	31
PID 1668 wrote to memory of 2816	1668	JaffaCakes118_0ae3546fd0b4d0d5b2bff4b291cd67598cfcb3b0a973406d94f4bbb7ac114117.exe	31
PID 2816 wrote to memory of 2668	2816	WScript.exe	32
PID 2816 wrote to memory of 2668	2816	WScript.exe	32
PID 2816 wrote to memory of 2668	2816	WScript.exe	32
PID 2816 wrote to memory of 2668	2816	WScript.exe	32
PID 2668 wrote to memory of 2732	2668	cmd.exe	34
PID 2668 wrote to memory of 2732	2668	cmd.exe	34
PID 2668 wrote to memory of 2732	2668	cmd.exe	34
PID 2668 wrote to memory of 2732	2668	cmd.exe	34
PID 2732 wrote to memory of 1592	2732	DllCommonsvc.exe	45
PID 2732 wrote to memory of 1592	2732	DllCommonsvc.exe	45
PID 2732 wrote to memory of 1592	2732	DllCommonsvc.exe	45
PID 2732 wrote to memory of 1596	2732	DllCommonsvc.exe	46
PID 2732 wrote to memory of 1596	2732	DllCommonsvc.exe	46
PID 2732 wrote to memory of 1596	2732	DllCommonsvc.exe	46
PID 2732 wrote to memory of 1732	2732	DllCommonsvc.exe	47
PID 2732 wrote to memory of 1732	2732	DllCommonsvc.exe	47
PID 2732 wrote to memory of 1732	2732	DllCommonsvc.exe	47
PID 2732 wrote to memory of 2356	2732	DllCommonsvc.exe	48
PID 2732 wrote to memory of 2356	2732	DllCommonsvc.exe	48
PID 2732 wrote to memory of 2356	2732	DllCommonsvc.exe	48
PID 2732 wrote to memory of 2012	2732	DllCommonsvc.exe	53
PID 2732 wrote to memory of 2012	2732	DllCommonsvc.exe	53
PID 2732 wrote to memory of 2012	2732	DllCommonsvc.exe	53
PID 2012 wrote to memory of 1980	2012	DllCommonsvc.exe	54
PID 2012 wrote to memory of 1980	2012	DllCommonsvc.exe	54
PID 2012 wrote to memory of 1980	2012	DllCommonsvc.exe	54
PID 1980 wrote to memory of 2480	1980	cmd.exe	56
PID 1980 wrote to memory of 2480	1980	cmd.exe	56
PID 1980 wrote to memory of 2480	1980	cmd.exe	56
PID 1980 wrote to memory of 2328	1980	cmd.exe	57
PID 1980 wrote to memory of 2328	1980	cmd.exe	57
PID 1980 wrote to memory of 2328	1980	cmd.exe	57
PID 2328 wrote to memory of 2560	2328	DllCommonsvc.exe	58
PID 2328 wrote to memory of 2560	2328	DllCommonsvc.exe	58
PID 2328 wrote to memory of 2560	2328	DllCommonsvc.exe	58
PID 2560 wrote to memory of 2756	2560	cmd.exe	60
PID 2560 wrote to memory of 2756	2560	cmd.exe	60
PID 2560 wrote to memory of 2756	2560	cmd.exe	60
PID 2560 wrote to memory of 2384	2560	cmd.exe	61
PID 2560 wrote to memory of 2384	2560	cmd.exe	61
PID 2560 wrote to memory of 2384	2560	cmd.exe	61
PID 2384 wrote to memory of 644	2384	DllCommonsvc.exe	62
PID 2384 wrote to memory of 644	2384	DllCommonsvc.exe	62
PID 2384 wrote to memory of 644	2384	DllCommonsvc.exe	62
PID 644 wrote to memory of 1540	644	cmd.exe	64
PID 644 wrote to memory of 1540	644	cmd.exe	64
PID 644 wrote to memory of 1540	644	cmd.exe	64
PID 644 wrote to memory of 2104	644	cmd.exe	65
PID 644 wrote to memory of 2104	644	cmd.exe	65
PID 644 wrote to memory of 2104	644	cmd.exe	65
PID 2104 wrote to memory of 1704	2104	DllCommonsvc.exe	66
PID 2104 wrote to memory of 1704	2104	DllCommonsvc.exe	66
PID 2104 wrote to memory of 1704	2104	DllCommonsvc.exe	66
PID 1704 wrote to memory of 824	1704	cmd.exe	68
PID 1704 wrote to memory of 824	1704	cmd.exe	68
PID 1704 wrote to memory of 824	1704	cmd.exe	68
PID 1704 wrote to memory of 2264	1704	cmd.exe	69
PID 1704 wrote to memory of 2264	1704	cmd.exe	69
PID 1704 wrote to memory of 2264	1704	cmd.exe	69
PID 2264 wrote to memory of 880	2264	DllCommonsvc.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0ae3546fd0b4d0d5b2bff4b291cd67598cfcb3b0a973406d94f4bbb7ac114117.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0ae3546fd0b4d0d5b2bff4b291cd67598cfcb3b0a973406d94f4bbb7ac114117.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\Filters\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
    - - C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2012
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QtXcZTVakC.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2480
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UucX7bnqC8.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2756
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hevtjRcN1r.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1540
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fq9TqI16of.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:824
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat"
        14⤵
        
        PID:880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2896
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VF9LbKHiRa.bat"
        16⤵
        
        PID:1912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1540
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat"
        18⤵
        
        PID:1480
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1212
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat"
        20⤵
        
        PID:2748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2548
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TK13bru719.bat"
        22⤵
        
        PID:1364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Microsoft Shared\Filters\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\Filters\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Microsoft Shared\Filters\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d855cb20f008c756bd31b2258fbffcc8

SHA1
c4ec32981fe92e9371524bd7d2b8c8008519356d

SHA256
e7e9b4643c4e0415dfc786e1bde2090e6ed1704469b72242f19bd2d1f782d2ab

SHA512
12b1c15064b1be2d26672a4d4665b566e14eb88c14552980705c66c184d3d89ce2507afa8675e944f1757d547576c6fdff21867083a31b4e3b86798e0d2ffce1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35e0d18397d5d8f3908f7a138979b4ea

SHA1
c06872d1cea2285b6b3ff5bebf72e4a8b594d1a6

SHA256
f7bbc3a3d8b4b15383b268b232d1a85b949ba001f8b4ddf4b2958620b52b3fb0

SHA512
5f331e7d64c5c85fe6573fd71dfd8494adac4d100aba399560dc68b4cf439fbcb601e30eaa484e65f376687a363356d342b5e7232f83a136d62ef4f1633e6c4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8328b5252a97ba5845f5571c528c021a

SHA1
100c82db7ad2d133cf9a451cfa93f0ab67e4a47a

SHA256
185b44030287f3f372d21e542f3d2b188bd6ba5e0ad5c9987b81a1a028dd6ac9

SHA512
086d2841bc5855459a38ba833edc86b8b3c65aa7c646be6e09871772d3ea33d0c8ddf910e7594a3af98df275a67c8bbc5b5ccff58c92338588780812ba0f3a6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ca03770d5093b76992b672eb4a930e4

SHA1
c4b2d04fc0ac76a2d49fb6710a44c195cbbc961d

SHA256
a8a6564ba6474da58e64fbf8851017b2aeec922b2619e4ce4562fc29abcda176

SHA512
695c8ed3fcd44478a5589185027cc659414e916701f75a02ddab015c61c28671efd6a09e03614f00ceef816772a0c2ed3fe0a92cdc14606ae8953016a4b64ac5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
907cbb27e09615421a38d74a3085061d

SHA1
ec21b382d1a1dfacd5e368a0c92a3e6d80c9fe14

SHA256
46c833da9b4546746262252141703c127a37f4b29b0de9de8f502552546b4f39

SHA512
61e6c0649b75eda1d515e3d5412670cc454b3e3db601eaad9d6d50163775ea244f8eada637d197124c41c347bc2675e95a53238020c377d0b42a27a4851d02bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9e39b66dbe45c51a89ef9e460300a38

SHA1
c02832e48e044d5d1e8bb40bae8d18ff828a4f6d

SHA256
d7d0cfcdc7ae8bbfa954343ed74479980490ef7cdcb48681da96ad31bb40000c

SHA512
369fbfb5c10a5501195b755b4f3865163961aeaf16f4c3688aaf9de7f8af80458c5e7accc3e85ad78d313fda3cb4498c000b6116f1adadeba7c924e41c5ada43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad8ce256dc19757c234cc65944a6bc1c

SHA1
5db439956c803889c59cef66a6235c8e962d8f1c

SHA256
4de65af75043b61b6b6847c375d1b13fe8a5988d09cce5690cf2ad13e922c47e

SHA512
48b8b45b1b00201825f08a860ac5c81a2458da73565f270c56fbbc91b7e769fe454df9a9b0558b57e81de014b65c8fe302be55e3722d70ced81356de03825afe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
088f15cf5587e06c5195a4efee6b13ff

SHA1
1fa066f01b4db59c26ce558dd34d3e673c196e48

SHA256
7b621b535def5d317bedc25a6777ba17da32085e9a26e142226fb53cdf9fde27

SHA512
7f633f7186a23bd4baf746f48e15183b325bec93197b8b34ea16d3a68a470b14d25dc0938bcabb9217c410ede5bc234f89b71ebf0f5c473f119f422611789811

Download Submit
C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat

Filesize
230B

MD5
7f6b8eca4bdd78af303335daf7843407

SHA1
692f3cb5113eca0c037ebc0db29dafad86d5172a

SHA256
215d400d292663b9044058e413e82bae1ed9f9c36d3207a4ab42a2290da751a7

SHA512
69b5eb783834cb51ae17313927ef82886841634cd94db4de5942f311444236b2904438f3c36a54d0c8f6907f51ee2955ab6976c0b4db730cab8dc9bb0fcef8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1602.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat

Filesize
230B

MD5
561a45bb90e93d297da20ce97111a8b4

SHA1
b8ce2021bfc5882216ef4bf96c95e3be7995eec2

SHA256
d0e5e6b9e47e6480d81507c78f3865caa7c15065493f118ee52196127d4f7f42

SHA512
4cb3d7b4bc604e4bfa1a9c298da2884577d5a2625535e740bcf797c2cb0e68e143d8ea66b06b3d865e2e22f0eaad73c011831d7150a489ee2d4531d9c6bd1301

Download Submit
C:\Users\Admin\AppData\Local\Temp\QtXcZTVakC.bat

Filesize
230B

MD5
3b177a98d0da7f62bdb80400b504eb56

SHA1
19c99afe3b3b254e3309b530fa016a8bd3195859

SHA256
3716bec6ce9315c326b54bb528fb44b9436c1f57b9df1b3d2e39c15149e5aa3c

SHA512
af68c6b38eab411133b6a428ccba746701a83919d116eda0e7bad707743ab81523ff02779364ec68da77b058067c38641946b8bc09737f4e6aca411b674b2bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TK13bru719.bat

Filesize
230B

MD5
410cfcb9f49ff2e1a33683e6f140c7c3

SHA1
e1d87f737e3ceab761cf23b0be2ae4abd4bbe90e

SHA256
998e6ee77592623d7ae95b47e23a7f161d3703bf6c70b7512e15a587c0c8635e

SHA512
a0928fd3c1ed56cc2ece703ee90f0053bf57562fe2fae9fbc3eba379afceda37a5199dcb453d72335c115f62204428c0e018b26a064b54deace5ebdcf7b7b140

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1615.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UucX7bnqC8.bat

Filesize
230B

MD5
ba27e3a3900554d22ff487fc5ac6a544

SHA1
ee08757a7a157c60b70071f6423a3ca97d04cb61

SHA256
44af4cbd137a85496daa0777aa7d01689aa6c2b66288c358a928add92fbd49a1

SHA512
bc221fe9f66233e5728f80313b55c50ab5564dd8e8e356c0a5b599be8035d49d89734239f4e7c4adbb3b21a19ebf0ad226c0ec666eb5026606043dc12e7e7d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\VF9LbKHiRa.bat

Filesize
230B

MD5
be028a45cfec5460d1304d19bde9d987

SHA1
21594b6fce7ae9fefbfd134c1db03b1ff22f7727

SHA256
cdb165d36e2bcc6dac84404134f469bd02f9ab9d9911247e64b05807dedd99f3

SHA512
530085b16e26773bef866bda6649e015c4e73e07fbc09e6ad9e2b85b90f21ff58229447948deeefdf39ec6a3aff568fc42c3fbb6f62f9290f0b6680128093ac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fq9TqI16of.bat

Filesize
230B

MD5
ab5afff18916bff328694e6c369cdae9

SHA1
d304f0d3bcc55a645968027e2c7410a1eb921599

SHA256
02ed03428d191da4a162c15b758cf819c0d5c82987c60dd74326774c965d3b76

SHA512
f90e1ffa4adf798fee76d7972bc674493cf8f4bb50ef1840db7526b50d8b66fb94f94c49678d60e883a3ee2c5ffa69b22368f5c2e9f51bfcf1272d12ad439d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hevtjRcN1r.bat

Filesize
230B

MD5
7815c4b8189a3be3483639c22cc2d63c

SHA1
ff819dbd14fe679209ea11ce4463391b9aaac58b

SHA256
62d0c3c42cd6e93d381ea4ff8e337f42f597fd52418f005dfe2b7fb56a0fc5b7

SHA512
1f28339f9a526fc0448abb16267414b6b6f877d58312f51750f8442dfbc36ad9147c97ff1cffa605bbe7740f679f88d2b338aacf5933383d3cf9786ded862a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat

Filesize
230B

MD5
808390ce93008f1892e44449202e1069

SHA1
2ccb2cec8388010d098c31774311662bb9adf8bf

SHA256
635e324a4864477baa2a182433a699141279f5b81b737110f8ce97ae496996cd

SHA512
2cafef74d324f6cb4d00efce9d251d0ef0ac5fcb7539e141e45c968d8e4013c4ab485fa1c75178b4861b3d437a7d90f2d2219f6bbf15e4074615bd0ea33fb8ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
079b1fb2a8e926edd2397ce1cf1a156e

SHA1
3ecec4d68dc7122f1ed47246b38dc8ceec58a66a

SHA256
7915beb5e75ea8ffb072ce17ca1b0e2ff610d4286d011fe83a1c11d84c80850e

SHA512
9b762ee36e95cc2921706588b55b2d2949fdd61a91dd0a7626a8a1d87953e91ba105d1e641132773e9dc7251f8a7ef4b8f8f70f9ba562ae34088c1d9021431ed

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1592-51-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/1732-45-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/1904-468-0x00000000000C0000-0x00000000001D0000-memory.dmp

Filesize
1.1MB

Download
memory/1952-528-0x0000000001130000-0x0000000001240000-memory.dmp

Filesize
1.1MB

Download
memory/2012-30-0x0000000000350000-0x0000000000460000-memory.dmp

Filesize
1.1MB

Download
memory/2104-230-0x0000000000CC0000-0x0000000000DD0000-memory.dmp

Filesize
1.1MB

Download
memory/2128-349-0x00000000011B0000-0x00000000012C0000-memory.dmp

Filesize
1.1MB

Download
memory/2328-110-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/2384-170-0x00000000000D0000-0x00000000001E0000-memory.dmp

Filesize
1.1MB

Download
memory/2732-17-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/2732-13-0x00000000001D0000-0x00000000002E0000-memory.dmp

Filesize
1.1MB

Download
memory/2732-14-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/2732-15-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/2732-16-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download