dcrat | 0acf2f4fa59c518cb5b9da3007f0c3e29197b049fe9c8f2b332b9a99cbc68d4a

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0acf2f4fa59c518cb5b9da3007f0c3e29197b049fe9c8f2b332b9a99cbc68d4a.exe
Size

1.3MB
MD5

1a8ab00e0ce16a24fea261c11419e035
SHA1

e382baccab68fb50ba86549541895531588dc13c
SHA256

0acf2f4fa59c518cb5b9da3007f0c3e29197b049fe9c8f2b332b9a99cbc68d4a
SHA512

2eb7c8c8774f2f7b6dfb8b9e4b3766195992e1346465e1b0011e3b00baa0d8df6f22b8f83cb4a4ea7ae6d2f11ec1f05e8121cd1f72c89ae4d1978d2bb959b3d5
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2608	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2608	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015694-9.dat	dcrat
behavioral1/memory/2684-13-0x00000000011A0000-0x00000000012B0000-memory.dmp	dcrat
behavioral1/memory/1428-51-0x0000000000F10000-0x0000000001020000-memory.dmp	dcrat
behavioral1/memory/892-117-0x0000000000240000-0x0000000000350000-memory.dmp	dcrat
behavioral1/memory/2152-177-0x0000000001270000-0x0000000001380000-memory.dmp	dcrat
behavioral1/memory/2300-355-0x0000000000250000-0x0000000000360000-memory.dmp	dcrat
behavioral1/memory/1264-384-0x0000000001320000-0x0000000001430000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1624	powershell.exe
1856	powershell.exe
1232	powershell.exe
1244	powershell.exe
2112	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
2684	DllCommonsvc.exe
1428	wininit.exe
892	wininit.exe
2152	wininit.exe
1668	wininit.exe
680	wininit.exe
2300	wininit.exe
1264	wininit.exe

Loads dropped DLL 2 IoCs

pid	Process
2904	cmd.exe
2904	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0acf2f4fa59c518cb5b9da3007f0c3e29197b049fe9c8f2b332b9a99cbc68d4a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2068	schtasks.exe
392	schtasks.exe
1864	schtasks.exe
1164	schtasks.exe
2992	schtasks.exe
2060	schtasks.exe
2056	schtasks.exe
2592	schtasks.exe
2636	schtasks.exe
2976	schtasks.exe
2220	schtasks.exe
2400	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2684	DllCommonsvc.exe
1624	powershell.exe
1244	powershell.exe
2112	powershell.exe
1232	powershell.exe
1856	powershell.exe
1428	wininit.exe
892	wininit.exe
2152	wininit.exe
1668	wininit.exe
680	wininit.exe
2300	wininit.exe
1264	wininit.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	DllCommonsvc.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	1232	powershell.exe
Token: SeDebugPrivilege	1428	wininit.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	892	wininit.exe
Token: SeDebugPrivilege	2152	wininit.exe
Token: SeDebugPrivilege	1668	wininit.exe
Token: SeDebugPrivilege	680	wininit.exe
Token: SeDebugPrivilege	2300	wininit.exe
Token: SeDebugPrivilege	1264	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2436	3028	JaffaCakes118_0acf2f4fa59c518cb5b9da3007f0c3e29197b049fe9c8f2b332b9a99cbc68d4a.exe	30
PID 3028 wrote to memory of 2436	3028	JaffaCakes118_0acf2f4fa59c518cb5b9da3007f0c3e29197b049fe9c8f2b332b9a99cbc68d4a.exe	30
PID 3028 wrote to memory of 2436	3028	JaffaCakes118_0acf2f4fa59c518cb5b9da3007f0c3e29197b049fe9c8f2b332b9a99cbc68d4a.exe	30
PID 3028 wrote to memory of 2436	3028	JaffaCakes118_0acf2f4fa59c518cb5b9da3007f0c3e29197b049fe9c8f2b332b9a99cbc68d4a.exe	30
PID 2436 wrote to memory of 2904	2436	WScript.exe	31
PID 2436 wrote to memory of 2904	2436	WScript.exe	31
PID 2436 wrote to memory of 2904	2436	WScript.exe	31
PID 2436 wrote to memory of 2904	2436	WScript.exe	31
PID 2904 wrote to memory of 2684	2904	cmd.exe	33
PID 2904 wrote to memory of 2684	2904	cmd.exe	33
PID 2904 wrote to memory of 2684	2904	cmd.exe	33
PID 2904 wrote to memory of 2684	2904	cmd.exe	33
PID 2684 wrote to memory of 2112	2684	DllCommonsvc.exe	47
PID 2684 wrote to memory of 2112	2684	DllCommonsvc.exe	47
PID 2684 wrote to memory of 2112	2684	DllCommonsvc.exe	47
PID 2684 wrote to memory of 1244	2684	DllCommonsvc.exe	48
PID 2684 wrote to memory of 1244	2684	DllCommonsvc.exe	48
PID 2684 wrote to memory of 1244	2684	DllCommonsvc.exe	48
PID 2684 wrote to memory of 1232	2684	DllCommonsvc.exe	49
PID 2684 wrote to memory of 1232	2684	DllCommonsvc.exe	49
PID 2684 wrote to memory of 1232	2684	DllCommonsvc.exe	49
PID 2684 wrote to memory of 1856	2684	DllCommonsvc.exe	50
PID 2684 wrote to memory of 1856	2684	DllCommonsvc.exe	50
PID 2684 wrote to memory of 1856	2684	DllCommonsvc.exe	50
PID 2684 wrote to memory of 1624	2684	DllCommonsvc.exe	51
PID 2684 wrote to memory of 1624	2684	DllCommonsvc.exe	51
PID 2684 wrote to memory of 1624	2684	DllCommonsvc.exe	51
PID 2684 wrote to memory of 1428	2684	DllCommonsvc.exe	57
PID 2684 wrote to memory of 1428	2684	DllCommonsvc.exe	57
PID 2684 wrote to memory of 1428	2684	DllCommonsvc.exe	57
PID 1428 wrote to memory of 2072	1428	wininit.exe	58
PID 1428 wrote to memory of 2072	1428	wininit.exe	58
PID 1428 wrote to memory of 2072	1428	wininit.exe	58
PID 2072 wrote to memory of 1980	2072	cmd.exe	60
PID 2072 wrote to memory of 1980	2072	cmd.exe	60
PID 2072 wrote to memory of 1980	2072	cmd.exe	60
PID 2072 wrote to memory of 892	2072	cmd.exe	61
PID 2072 wrote to memory of 892	2072	cmd.exe	61
PID 2072 wrote to memory of 892	2072	cmd.exe	61
PID 892 wrote to memory of 2464	892	wininit.exe	62
PID 892 wrote to memory of 2464	892	wininit.exe	62
PID 892 wrote to memory of 2464	892	wininit.exe	62
PID 2464 wrote to memory of 2980	2464	cmd.exe	64
PID 2464 wrote to memory of 2980	2464	cmd.exe	64
PID 2464 wrote to memory of 2980	2464	cmd.exe	64
PID 2464 wrote to memory of 2152	2464	cmd.exe	66
PID 2464 wrote to memory of 2152	2464	cmd.exe	66
PID 2464 wrote to memory of 2152	2464	cmd.exe	66
PID 2152 wrote to memory of 1548	2152	wininit.exe	67
PID 2152 wrote to memory of 1548	2152	wininit.exe	67
PID 2152 wrote to memory of 1548	2152	wininit.exe	67
PID 1548 wrote to memory of 2264	1548	cmd.exe	69
PID 1548 wrote to memory of 2264	1548	cmd.exe	69
PID 1548 wrote to memory of 2264	1548	cmd.exe	69
PID 1548 wrote to memory of 1668	1548	cmd.exe	70
PID 1548 wrote to memory of 1668	1548	cmd.exe	70
PID 1548 wrote to memory of 1668	1548	cmd.exe	70
PID 1668 wrote to memory of 2892	1668	wininit.exe	71
PID 1668 wrote to memory of 2892	1668	wininit.exe	71
PID 1668 wrote to memory of 2892	1668	wininit.exe	71
PID 2892 wrote to memory of 2468	2892	cmd.exe	73
PID 2892 wrote to memory of 2468	2892	cmd.exe	73
PID 2892 wrote to memory of 2468	2892	cmd.exe	73
PID 2892 wrote to memory of 680	2892	cmd.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0acf2f4fa59c518cb5b9da3007f0c3e29197b049fe9c8f2b332b9a99cbc68d4a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0acf2f4fa59c518cb5b9da3007f0c3e29197b049fe9c8f2b332b9a99cbc68d4a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
    - - C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1428
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1980
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r40S8pVzgD.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2980
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2264
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WM6x9zCNT5.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2468
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvFVSjZSRs.bat"
        14⤵
        
        PID:1336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2024
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\12JaEZR6zX.bat"
        16⤵
        
        PID:2620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1316
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\Default\PrintHood\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Users\Default\PrintHood\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c5db867310de07d48c92f1aff3987042

SHA1
765c523bd3d4034adbb1ce850f4e4384fe10ad1c

SHA256
05149a5161703813f1ff78bc9475e916a0868afcd1fd9319806c931a52d54f73

SHA512
d45e32f16af1da52b9331686eb73c15b2cc2fc9434fd75e4a11eca5b51a8b08a23ed965b494afaa2cd8299ec9919be51e2ec1a5e944d28470fcc175a876b8178

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8bff55aa33e37d3aea43510d1da884b

SHA1
79abcb3ba17fafff60dc27c9a3d044674f972a48

SHA256
a4ec0473175cfa3bf462005ce755a4dbbef9d47f56be9c868cf9967950b767e3

SHA512
df212e3faa50d95ee4b1fa250b7a49261aa6db65972c51ea691f0cea7530f3737dac2ecaa3fdaaa273db9c6d5259aa04e512354fdf76b66967892d146a2b8f06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25f4ec5e3b1339647bbe7b48b417ea55

SHA1
ac95bba2dd64077938ed27e1271487c9a0a2f6a2

SHA256
58ef303b3537c3d5d9025f5ee8b27269941c9e0e30370072c9831397bca35b6f

SHA512
df75e4a6b37c4160706aee8315fc996121dbc094a08c6cbc6cf7add6fa548d8d5aacfd4305029ad0a64e3331bbf985d893f81d26faa29454429432e12a68a35c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
806799f5dbdb88b6abb3273ceb32f5c3

SHA1
f370e03fbacab33810a7f054503fc365bc38fba6

SHA256
310d17f1c48ad8957f7a56fd2022cfa61df815504984f03f45a543e6fecd66db

SHA512
119c191c036471d0eaf60a156811f78b29e973e72a479dec73560787d27289a5a2c19b257b3284e606fa5bb8576ec9abae958d939a34026ddf2980654dd047d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
23abcbb43b1403ccbfad0be800b23845

SHA1
9ec602769792c7b512413a5a7f773a1a475264e8

SHA256
4eb6772b84aedcc3e321742b8ab75b68f7a733627ab1a034dd4eceba828b9e59

SHA512
5e69d445925eccedc5eab73119f723c3669137a6eba229f6e10e69a257b3e15d5e24dd99472a8a703d5a38062b703596c0e7a19ad0996e8029773e6ca35140e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\12JaEZR6zX.bat

Filesize
239B

MD5
af9039b42a26253b4a7c6f5335c94a63

SHA1
12049ece9a5e27649a9f0dc37198bc5f2005e7c3

SHA256
8c2f267984ea6d14f2d369351292837477f166b3ea63fb045f07acf726dbefea

SHA512
8bdb55eeb2a00a016424488bbbfc97bd3df1868b8f68c0da038177e7c872cf4f6e52897b8c4abf86f151273bd90c33f5ad86a166290fe300864e1b6aefab3b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA8FE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GvFVSjZSRs.bat

Filesize
239B

MD5
6ff9f52e3d4ed6634eb82536cc53515f

SHA1
07d8745a3ed3c7d5e311f76a8699c1f444f7925a

SHA256
30e796eb469ba896aae2a37e76fb75dacc37e034777f3bb795b4957c6370a2bc

SHA512
c3ab858fcd8779e9a6b3d55a9eab32de8668ceb47ce9ca49bed7279688e414f7a8ed1c132db08472e17fb30b4ce9994055281316216d46b0a2946799e0c352ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat

Filesize
239B

MD5
7ec11bd58d3aef5c5f1559fa47085e93

SHA1
2e2c5729727c369afce096b70fe93180a228f8c5

SHA256
d92e246389f21baac98b18b9a6e8caf92b460989844714f194027d7e92710a75

SHA512
8a0e4c0fbd620594dc3cfdd0632597a56bd4e15fa4068dfa87c9db33af5346566527d56936869e05dc58ffb6cdaa5d3a4b44f0ecf5ba23ef9857ac5de2c63c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA901.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat

Filesize
239B

MD5
da44f30797d36c4801c04cc11ec785c2

SHA1
3b476528e8949532d027a5fcb12859c6fbc3a697

SHA256
666117ec1a4c3bc20511ab77b53bb5d005196ed838f14b6eeaf909e5dea44a76

SHA512
98f37e45a472c84aa54ccccb7353e1b22a7a387d1a33aa3b62640197d04b414f5784305d4f1a32f9918caf88eaa378c3fa8c642db5be5da4e29729f5561a52b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WM6x9zCNT5.bat

Filesize
239B

MD5
5b90ac688e592b617672ca891d0313e6

SHA1
c308b194e6e2af708f5180e615b4828cb2ee7e38

SHA256
b97da35d034ad78028e5f396f159ae19c3e34587401d808c76bee3f67f8a12ef

SHA512
ed61bd67626143824e6a93aab3ba3400f06ba92c9a6f2400092d731cbc61f728a952bd0ca50f1d0e0048781b2a2c16aa8a447daece47e057146e7d69973cf1f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\r40S8pVzgD.bat

Filesize
239B

MD5
6be80ea8b0d4e00f4967d5314d2a6d6b

SHA1
dd77c3d57327df17cd1683e95babfe1db9099df9

SHA256
575245b82bdde2da39ea23a25b6ccefb3a37677d734a1a7d1bcbea72eb36e418

SHA512
abc0c974a8d668a7fd3c7853a0fd428eb11e32af017e703b561fbb885fc6f6124b077ecad572b8054ffb11346f3fd9160e88ba540e27390466c9ad568e0bd1b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
17219155f04dc06f550e3b6f438847c6

SHA1
1411c9bf560bef68b3a52efcc61d0e1e2ee20be1

SHA256
1dbdd5dad0e07ebee549653feb57a5b7ed15cf71ad844e41868b236f997ff247

SHA512
8a35ee0bf570d5e0204ce61b21c42300eb67676a5b013bd77239622fadef0aa82f065b724fb8b1a25b990db4068ddb8187355483c2f0781fbbc5de9a30f46b79

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/892-117-0x0000000000240000-0x0000000000350000-memory.dmp

Filesize
1.1MB

Download
memory/1244-58-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/1264-385-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1264-384-0x0000000001320000-0x0000000001430000-memory.dmp

Filesize
1.1MB

Download
memory/1428-51-0x0000000000F10000-0x0000000001020000-memory.dmp

Filesize
1.1MB

Download
memory/1624-52-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2152-177-0x0000000001270000-0x0000000001380000-memory.dmp

Filesize
1.1MB

Download
memory/2300-355-0x0000000000250000-0x0000000000360000-memory.dmp

Filesize
1.1MB

Download
memory/2684-17-0x0000000000180000-0x000000000018C000-memory.dmp

Filesize
48KB

Download
memory/2684-13-0x00000000011A0000-0x00000000012B0000-memory.dmp

Filesize
1.1MB

Download
memory/2684-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2684-15-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/2684-16-0x0000000000150000-0x000000000015C000-memory.dmp

Filesize
48KB

Download