dcrat | 94aa487917e64061798918b573e3f4dfb027315bfeedc8af71f1e08da5ea2084

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_94aa487917e64061798918b573e3f4dfb027315bfeedc8af71f1e08da5ea2084.exe
Size

1.3MB
MD5

4726018a85f26b6b7e7fe0feee42bf4a
SHA1

2cddf0cf839b49e2025bc303ce2fc1be084d2de5
SHA256

94aa487917e64061798918b573e3f4dfb027315bfeedc8af71f1e08da5ea2084
SHA512

c451e8b2ea2910d93d1fab09c1c362fdfd23e439b437cfe884247a953f42bff6e8fa0ac2a7f35925e65ee61cd2acf0b2554837a333b565ba5793feeabf928db9
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2540	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2540	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2540	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2540	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2540	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2540	schtasks.exe	35

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d3a-9.dat	dcrat
behavioral1/memory/2140-13-0x0000000000270000-0x0000000000380000-memory.dmp	dcrat
behavioral1/memory/764-45-0x0000000000380000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/1432-104-0x0000000000B30000-0x0000000000C40000-memory.dmp	dcrat
behavioral1/memory/2676-164-0x0000000001330000-0x0000000001440000-memory.dmp	dcrat
behavioral1/memory/872-224-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/2164-284-0x00000000012A0000-0x00000000013B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2848	powershell.exe
3020	powershell.exe
1936	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2140	DllCommonsvc.exe
764	Idle.exe
1432	Idle.exe
2676	Idle.exe
872	Idle.exe
2164	Idle.exe
1376	Idle.exe
2308	Idle.exe
1192	Idle.exe
348	Idle.exe
3052	Idle.exe
1272	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2156	cmd.exe
2156	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
26	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
37	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_94aa487917e64061798918b573e3f4dfb027315bfeedc8af71f1e08da5ea2084.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2532	schtasks.exe
2548	schtasks.exe
2652	schtasks.exe
2860	schtasks.exe
2884	schtasks.exe
2700	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2140	DllCommonsvc.exe
2848	powershell.exe
1936	powershell.exe
3020	powershell.exe
764	Idle.exe
1432	Idle.exe
2676	Idle.exe
872	Idle.exe
2164	Idle.exe
1376	Idle.exe
2308	Idle.exe
1192	Idle.exe
348	Idle.exe
3052	Idle.exe
1272	Idle.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2140	DllCommonsvc.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	764	Idle.exe
Token: SeDebugPrivilege	1432	Idle.exe
Token: SeDebugPrivilege	2676	Idle.exe
Token: SeDebugPrivilege	872	Idle.exe
Token: SeDebugPrivilege	2164	Idle.exe
Token: SeDebugPrivilege	1376	Idle.exe
Token: SeDebugPrivilege	2308	Idle.exe
Token: SeDebugPrivilege	1192	Idle.exe
Token: SeDebugPrivilege	348	Idle.exe
Token: SeDebugPrivilege	3052	Idle.exe
Token: SeDebugPrivilege	1272	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2472	1680	JaffaCakes118_94aa487917e64061798918b573e3f4dfb027315bfeedc8af71f1e08da5ea2084.exe	31
PID 1680 wrote to memory of 2472	1680	JaffaCakes118_94aa487917e64061798918b573e3f4dfb027315bfeedc8af71f1e08da5ea2084.exe	31
PID 1680 wrote to memory of 2472	1680	JaffaCakes118_94aa487917e64061798918b573e3f4dfb027315bfeedc8af71f1e08da5ea2084.exe	31
PID 1680 wrote to memory of 2472	1680	JaffaCakes118_94aa487917e64061798918b573e3f4dfb027315bfeedc8af71f1e08da5ea2084.exe	31
PID 2472 wrote to memory of 2156	2472	WScript.exe	32
PID 2472 wrote to memory of 2156	2472	WScript.exe	32
PID 2472 wrote to memory of 2156	2472	WScript.exe	32
PID 2472 wrote to memory of 2156	2472	WScript.exe	32
PID 2156 wrote to memory of 2140	2156	cmd.exe	34
PID 2156 wrote to memory of 2140	2156	cmd.exe	34
PID 2156 wrote to memory of 2140	2156	cmd.exe	34
PID 2156 wrote to memory of 2140	2156	cmd.exe	34
PID 2140 wrote to memory of 3020	2140	DllCommonsvc.exe	42
PID 2140 wrote to memory of 3020	2140	DllCommonsvc.exe	42
PID 2140 wrote to memory of 3020	2140	DllCommonsvc.exe	42
PID 2140 wrote to memory of 2848	2140	DllCommonsvc.exe	43
PID 2140 wrote to memory of 2848	2140	DllCommonsvc.exe	43
PID 2140 wrote to memory of 2848	2140	DllCommonsvc.exe	43
PID 2140 wrote to memory of 1936	2140	DllCommonsvc.exe	44
PID 2140 wrote to memory of 1936	2140	DllCommonsvc.exe	44
PID 2140 wrote to memory of 1936	2140	DllCommonsvc.exe	44
PID 2140 wrote to memory of 344	2140	DllCommonsvc.exe	48
PID 2140 wrote to memory of 344	2140	DllCommonsvc.exe	48
PID 2140 wrote to memory of 344	2140	DllCommonsvc.exe	48
PID 344 wrote to memory of 784	344	cmd.exe	50
PID 344 wrote to memory of 784	344	cmd.exe	50
PID 344 wrote to memory of 784	344	cmd.exe	50
PID 344 wrote to memory of 764	344	cmd.exe	51
PID 344 wrote to memory of 764	344	cmd.exe	51
PID 344 wrote to memory of 764	344	cmd.exe	51
PID 764 wrote to memory of 1292	764	Idle.exe	52
PID 764 wrote to memory of 1292	764	Idle.exe	52
PID 764 wrote to memory of 1292	764	Idle.exe	52
PID 1292 wrote to memory of 1748	1292	cmd.exe	54
PID 1292 wrote to memory of 1748	1292	cmd.exe	54
PID 1292 wrote to memory of 1748	1292	cmd.exe	54
PID 1292 wrote to memory of 1432	1292	cmd.exe	55
PID 1292 wrote to memory of 1432	1292	cmd.exe	55
PID 1292 wrote to memory of 1432	1292	cmd.exe	55
PID 1432 wrote to memory of 2300	1432	Idle.exe	56
PID 1432 wrote to memory of 2300	1432	Idle.exe	56
PID 1432 wrote to memory of 2300	1432	Idle.exe	56
PID 2300 wrote to memory of 2920	2300	cmd.exe	58
PID 2300 wrote to memory of 2920	2300	cmd.exe	58
PID 2300 wrote to memory of 2920	2300	cmd.exe	58
PID 2300 wrote to memory of 2676	2300	cmd.exe	59
PID 2300 wrote to memory of 2676	2300	cmd.exe	59
PID 2300 wrote to memory of 2676	2300	cmd.exe	59
PID 2676 wrote to memory of 896	2676	Idle.exe	60
PID 2676 wrote to memory of 896	2676	Idle.exe	60
PID 2676 wrote to memory of 896	2676	Idle.exe	60
PID 896 wrote to memory of 1648	896	cmd.exe	62
PID 896 wrote to memory of 1648	896	cmd.exe	62
PID 896 wrote to memory of 1648	896	cmd.exe	62
PID 896 wrote to memory of 872	896	cmd.exe	63
PID 896 wrote to memory of 872	896	cmd.exe	63
PID 896 wrote to memory of 872	896	cmd.exe	63
PID 872 wrote to memory of 992	872	Idle.exe	64
PID 872 wrote to memory of 992	872	Idle.exe	64
PID 872 wrote to memory of 992	872	Idle.exe	64
PID 992 wrote to memory of 2172	992	cmd.exe	66
PID 992 wrote to memory of 2172	992	cmd.exe	66
PID 992 wrote to memory of 2172	992	cmd.exe	66
PID 992 wrote to memory of 2164	992	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94aa487917e64061798918b573e3f4dfb027315bfeedc8af71f1e08da5ea2084.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94aa487917e64061798918b573e3f4dfb027315bfeedc8af71f1e08da5ea2084.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\42CEn0iP2b.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:344
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:784
      - C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h9TWO8Gj4g.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1748
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BcIiUXCUMc.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2920
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1648
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BlQmztffGe.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2172
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4NR89d4K3E.bat"
        15⤵
        
        PID:1688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2320
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6M87tNVNy8.bat"
        17⤵
        
        PID:2652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2404
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat"
        19⤵
        
        PID:1724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:676
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P6ENo64DAh.bat"
        21⤵
        
        PID:1964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1992
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PJw82jcrZC.bat"
        23⤵
        
        PID:2072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1560
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat"
        25⤵
        
        PID:2732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2232
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d03327c38cf2066d27af4d9c21cc216

SHA1
137978dc9358dff0948b361802d756663c93f121

SHA256
4e515f17e0f27dbf02c3e46aee4a7dfa1970b41db5551a6e2a3e6c2aeb4dfad1

SHA512
8970f199d5c468d49128f64c8fa6c3d6406cbae62afe901f38613bfded4638a8c422fba081627db1582a08f6dd70ec174936fbff368f324e1acbbcb46515a087

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1438da158ea93388b45cd76bc6e6586

SHA1
c48f2566f2c43c0d0e047eaf47c098f0e88070cb

SHA256
7a2a28a6d43422b01cab16ec272ea80d716c0d2068da7c6dc2871df4068a3a80

SHA512
f1de81be167688f5b9d61a1f6b12f3eaa1614e799fcdce6ad5dd02149a2ef83fe27e4c756c883c190695826b572836bd05790cd695a66e5e815c30411c6e1447

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f1460e9264575873c342f5e7d72798a

SHA1
01246b1657b83b86db43aa2fda9a4317e868c6f6

SHA256
0e3c00ff36fe6706c9a29a126eecf4cd3f6d9b963c7621b837ec79279a5d00de

SHA512
fd7dcd5de8d83531717ae35ec767c0fcaae28b27b933f73e40a183053a4738fd05f115674acd1fbab650d1b02758dc189f6c6030ad0aa1522c20f346620fc629

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
711d4c297a1b8604ede60d925d2ca5ca

SHA1
a655f2f8340bd99c14925b3cd2be352718451648

SHA256
4d601566c7c32a1ebdaffd879d9770bc7a10ca2f2f74bbef0ce42d685dd4c50c

SHA512
04151a328d4dd02a4e6f192cee72b41aa2aba640d3468cbafa3cf9be5213171c6a539b7dbd3d328d0e7262afc5ba20d7f76c1253bd3a2bfdaaeaac0bfef67f0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d4347e42a24c054acc2c6183e934218

SHA1
e077013eeafb2f80694abe12e8b18cc6e804f2b5

SHA256
4ec17e68f44dd715e05b0a222ec15e61d5c35fef32320b4483b85a71b96eecf7

SHA512
1e4f7a4fd426011017dd6b29191389ad1ef6ddfccadbba76325069343985853ee8be9683849f101685d27ed21e29847d34c4a45566899728597a1d965853474e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33080d1d282de5b2ae6bacd044e40127

SHA1
ceec79f7a816391f25562fb0ea4c6acc8b8dbb21

SHA256
62ee254c2ba1a41f4054aff8360f516c8b2dff0bc1af568a4c619d53c1b7251a

SHA512
cb58308fb018cde86e968f695c98ab5f8da145daaef79e9e418747c20ae0d289681f81570f1ac1e7a7eccdd6829708d827ccf1628656d6b4ef840e650df987b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56a15d99e68cb1bd6b6f168c07efca83

SHA1
ba0f93515ca2251cbf855c0793abb1b906d92dd3

SHA256
2932f904e16d4b966e1962702a9c55498013357a65197d61e16884ac626d7f09

SHA512
7dd13c9e70b9ff600b6198187cad5c03040919e4f5c22c66feed1583e5d1004c7b5c085117386d1407697bfd39fcbf0d6eacae52d68412cd2caf093459017a5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35921e92a7d4dee802fc6eb27c691ea2

SHA1
5ef08ab6db1da4f17f3c495c82003232f249188a

SHA256
f9c932973ed47317338e479efeec01bf1942ca279202c97acf62cc074c8bb53d

SHA512
8e010001dc97093c35b251ebcf6b1135f85cda859621480c9a293da2cfa7ab5fa55c72013c0ef683a20ab00dc4076d228d513c835dcf589e5474784f91fac0f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aaba3137368ed17ad73d9a140ba2d911

SHA1
ba1140d44eae4478947c9284efd6943052ecc589

SHA256
b0b372739a57858885af4c9fba5abb351878b8956ecbae805f1faf2ade80ae7f

SHA512
cfed76dcc801dab98d7660fc398801ac19d908b1cc707b00e591cd0bb27dbc65b8bb231e923dee0e1cb3d0b10415b7e58c4141f8bc0c4eb83923e8c9a99b67f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\42CEn0iP2b.bat

Filesize
222B

MD5
27bbca917714928b504a87b32b716741

SHA1
d2d09b85873a18607248d216c313e4d48afa119b

SHA256
8378c56f7a43b6c31da150fb6bc368960f5f20feec0218adea397511489c3eae

SHA512
1390a67416553c785955ee6b7338af5ae0843d16b9a9ae81bbbe7a547420ac0cad0ebc2207c3becb0dcf6cd9d74d65258d66cfa969de0bb23e587e19c3e0865a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4NR89d4K3E.bat

Filesize
222B

MD5
e249731b1e8734417c031438d80cc2e5

SHA1
4e839d90290483493f4046480bc14700596b1103

SHA256
27bbf680f9cb7bc76ca81123ec1162fb84d5c65fa06b9f20df785217bc1f341c

SHA512
818a6831ef81ecf2aef86ffe448c563ae125286562e4f332e21d731f63f240e86bd77e1fa692794f1042ab3eb0f799c35c2d10003a03d5056f470159b9dec1dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6M87tNVNy8.bat

Filesize
222B

MD5
ee961c4dbc492d6a6171d3735d922316

SHA1
df0e4dc6bfe3a7b0ff7ab20086b74bb3a8fd3360

SHA256
fa54ad798cba3c26de707ef38018d172e6520eb08b3f8d897c703719e904ed78

SHA512
0e0054e637e97b115219823b56ffd48b13f20dfb3151c8ee19c9e3991aad271de811b72a98eed9b969d612fe780bfd45c397aa0245730a190319967e38f24892

Download Submit
C:\Users\Admin\AppData\Local\Temp\BcIiUXCUMc.bat

Filesize
222B

MD5
a581eb35fea40ad64f5297eb2255b3f6

SHA1
2bf50cb73af6c4d2d9bf1134677d11a5d7beb620

SHA256
88f6f87e2ba96532da14610fe45f63f2923cf3e300532d5bde02e8100821acde

SHA512
2a26bf75ff31520119803975a9f80285c67b3cfbad9fc54fad5db72948768a15e122d597e31afaa4e75935100d913a40aaa9fdf7494488b19667e16b93bd9785

Download Submit
C:\Users\Admin\AppData\Local\Temp\BlQmztffGe.bat

Filesize
222B

MD5
851e7be54daadc23e70b8819aa644a78

SHA1
12fdd8c714acb5bf2a359196be9745359ddbb541

SHA256
5769da1771f5fe2200bcbea8776be575634a111ed7428b0e8ab942c921c2299b

SHA512
145073fa467f00610cfc661f7aae13381bf28230beff761df1734fb4916eedf8d93338be551140b64c1d93ad7c8fb72beacb8bcd8371887680a7f9e71b18fd30

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1077.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\P6ENo64DAh.bat

Filesize
222B

MD5
ed34f8f605d8e04d013c49a85ba0fc8b

SHA1
eaa401b5695b5bf18b11b59d619068cfaa1b4222

SHA256
65b778fd121c891518177e94c23ee704495f574dd528240e961cd74ee71416aa

SHA512
86268411dc9a521547d35646ead825f2f633cb3a5b4785a2b3a576aa020a27cca4b83c1760ae1e5d4118ab257f9e76cd8f7a4a45b3e409eda0a468c9f54deb0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PJw82jcrZC.bat

Filesize
222B

MD5
151f349901778b43cccfaadb12aa8674

SHA1
65529fdef0af7b9a004136e4596887e25843f58b

SHA256
91a96ba70aa5a23a8548ed9a9d9d6267b9fbc03235cf472e99b2d817a5bf2b37

SHA512
b81b1a68981385f68157034bf7c69453a776e86d4effc66ac45ca714c72da8b655c42f67430d39236c31bbd8fc15b2ce0317cedfef6810fc4f822a1e18442d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat

Filesize
222B

MD5
922c71bf526ffb11a35e6fc192162817

SHA1
631e0ddd753060cc1f573b0f4dd4b9681a43d604

SHA256
f46ee11d78bbf684f3e126d9cac95472bd09390c50f9b0ed2136a5cd93662e4e

SHA512
871be2bffbbdb3b6f8c18a183f206f0b613448bcc51557e1c7207c7d14d63310477a570b6475cedb698833763494c4b61ce63fd9129e8af959ac7d7eba655fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1099.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\h9TWO8Gj4g.bat

Filesize
222B

MD5
174e432656be28f1a0445ef277a5d8c1

SHA1
da571d03642c75f2db223b0a779775354288df2a

SHA256
33e56c8647d2c64caf6b43d77f646607d5ed0ec15c3ed221c19330e2e268520d

SHA512
9017e1dfc6559ffbf3e6f3bf7bbf6bab6c418baf28aa0ace27f14ad7f8a0382d9571b1b7836ae53ec65e599a80b751d741397af1add504807b9703f1aeb95187

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat

Filesize
222B

MD5
bca774eb1443f4b662b9515556af0bba

SHA1
1f1532aa08b84793fd6641e9363c890b1f4b7842

SHA256
032d6ef7b456f79896204ac625b706ed7e0a6ce61c4321eb0c6365bd6e6f888e

SHA512
ec6a7124b41ca368b643710200b957abb9e222624bc55287e580e677ab060c79580c83ef877904b04a8e6585d86143a5bab3eb9353686baacf7374505cd02dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat

Filesize
222B

MD5
73e7acf2db0eac198f967b5ab93d5e95

SHA1
afe481403b55be99e73105057cf52df656e52528

SHA256
fbc83a358317d8f8ac1579f1b9e58b68d700fd1e7f0c065691b10f2194c447d6

SHA512
186fc995bd83b5e5304139eedbe3716f464f0364b8fe86e4f5052cb8904cbb89a116e917c79b466e3d01db11e558521a65094665c5aa98799b74314e3e6c4a83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8d524a41159c86fc96a5ae40df8942b3

SHA1
4b47797e4af3b8e970dd7d4e869ffdce743a2757

SHA256
5121acaf064bb9535625980ab35b97054789b76e8219fbc4bd45e31d955c4fac

SHA512
b3890916e67b4bab1830cb7364934b11a9f5ef93232416eb64f460186d70027d4fd1b7c4c783d00bf26d9cbe548bf4b1c6a068b3f8f7b8570f70776a1fffbb99

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/764-45-0x0000000000380000-0x0000000000490000-memory.dmp

Filesize
1.1MB

Download
memory/872-224-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download
memory/1432-104-0x0000000000B30000-0x0000000000C40000-memory.dmp

Filesize
1.1MB

Download
memory/1936-36-0x0000000002800000-0x0000000002808000-memory.dmp

Filesize
32KB

Download
memory/1936-35-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2140-17-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/2140-16-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2140-15-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/2140-14-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2140-13-0x0000000000270000-0x0000000000380000-memory.dmp

Filesize
1.1MB

Download
memory/2164-284-0x00000000012A0000-0x00000000013B0000-memory.dmp

Filesize
1.1MB

Download
memory/2676-164-0x0000000001330000-0x0000000001440000-memory.dmp

Filesize
1.1MB

Download