dcrat | bf31d574744f4150ed69f9b26e8288d4b66de62080a29721138f96eb71340c3e

Analysis

max time kernel
148s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_bf31d574744f4150ed69f9b26e8288d4b66de62080a29721138f96eb71340c3e.exe
Size

1.3MB
MD5

c78b929ae607f6887182f3f74d9e7323
SHA1

1708219fb3d42b9b0336b1b598e3accf1b26225e
SHA256

bf31d574744f4150ed69f9b26e8288d4b66de62080a29721138f96eb71340c3e
SHA512

31ad33673c23ed541331bce926cfaa5f9964d003f5ab8590893c079c80c0b4462d56bf033c1a65d2be5669238eb09f2c8818f43ad6ba5a1deaa66c9679403676
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2616	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016edc-9.dat	dcrat
behavioral1/memory/2904-13-0x0000000000920000-0x0000000000A30000-memory.dmp	dcrat
behavioral1/memory/1080-52-0x0000000000FF0000-0x0000000001100000-memory.dmp	dcrat
behavioral1/memory/2440-111-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat
behavioral1/memory/1744-348-0x0000000000240000-0x0000000000350000-memory.dmp	dcrat
behavioral1/memory/1528-408-0x0000000000BF0000-0x0000000000D00000-memory.dmp	dcrat
behavioral1/memory/1192-468-0x0000000001100000-0x0000000001210000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1548	powershell.exe
1980	powershell.exe
1736	powershell.exe
1504	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2904	DllCommonsvc.exe
1080	dllhost.exe
2440	dllhost.exe
1996	dllhost.exe
2172	dllhost.exe
2320	dllhost.exe
1744	dllhost.exe
1528	dllhost.exe
1192	dllhost.exe
2712	dllhost.exe
864	dllhost.exe
1788	dllhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2684	cmd.exe
2684	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com
37	raw.githubusercontent.com
4	raw.githubusercontent.com
13	raw.githubusercontent.com
27	raw.githubusercontent.com
5	raw.githubusercontent.com
10	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\conhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bf31d574744f4150ed69f9b26e8288d4b66de62080a29721138f96eb71340c3e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2220	schtasks.exe
1964	schtasks.exe
1096	schtasks.exe
2620	schtasks.exe
2788	schtasks.exe
864	schtasks.exe
2348	schtasks.exe
2876	schtasks.exe
1488	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2904	DllCommonsvc.exe
1504	powershell.exe
1980	powershell.exe
1548	powershell.exe
1736	powershell.exe
1080	dllhost.exe
2440	dllhost.exe
1996	dllhost.exe
2172	dllhost.exe
2320	dllhost.exe
1744	dllhost.exe
1528	dllhost.exe
1192	dllhost.exe
2712	dllhost.exe
864	dllhost.exe
1788	dllhost.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	DllCommonsvc.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1080	dllhost.exe
Token: SeDebugPrivilege	2440	dllhost.exe
Token: SeDebugPrivilege	1996	dllhost.exe
Token: SeDebugPrivilege	2172	dllhost.exe
Token: SeDebugPrivilege	2320	dllhost.exe
Token: SeDebugPrivilege	1744	dllhost.exe
Token: SeDebugPrivilege	1528	dllhost.exe
Token: SeDebugPrivilege	1192	dllhost.exe
Token: SeDebugPrivilege	2712	dllhost.exe
Token: SeDebugPrivilege	864	dllhost.exe
Token: SeDebugPrivilege	1788	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2744	3048	JaffaCakes118_bf31d574744f4150ed69f9b26e8288d4b66de62080a29721138f96eb71340c3e.exe	30
PID 3048 wrote to memory of 2744	3048	JaffaCakes118_bf31d574744f4150ed69f9b26e8288d4b66de62080a29721138f96eb71340c3e.exe	30
PID 3048 wrote to memory of 2744	3048	JaffaCakes118_bf31d574744f4150ed69f9b26e8288d4b66de62080a29721138f96eb71340c3e.exe	30
PID 3048 wrote to memory of 2744	3048	JaffaCakes118_bf31d574744f4150ed69f9b26e8288d4b66de62080a29721138f96eb71340c3e.exe	30
PID 2744 wrote to memory of 2684	2744	WScript.exe	31
PID 2744 wrote to memory of 2684	2744	WScript.exe	31
PID 2744 wrote to memory of 2684	2744	WScript.exe	31
PID 2744 wrote to memory of 2684	2744	WScript.exe	31
PID 2684 wrote to memory of 2904	2684	cmd.exe	33
PID 2684 wrote to memory of 2904	2684	cmd.exe	33
PID 2684 wrote to memory of 2904	2684	cmd.exe	33
PID 2684 wrote to memory of 2904	2684	cmd.exe	33
PID 2904 wrote to memory of 1548	2904	DllCommonsvc.exe	44
PID 2904 wrote to memory of 1548	2904	DllCommonsvc.exe	44
PID 2904 wrote to memory of 1548	2904	DllCommonsvc.exe	44
PID 2904 wrote to memory of 1504	2904	DllCommonsvc.exe	45
PID 2904 wrote to memory of 1504	2904	DllCommonsvc.exe	45
PID 2904 wrote to memory of 1504	2904	DllCommonsvc.exe	45
PID 2904 wrote to memory of 1736	2904	DllCommonsvc.exe	46
PID 2904 wrote to memory of 1736	2904	DllCommonsvc.exe	46
PID 2904 wrote to memory of 1736	2904	DllCommonsvc.exe	46
PID 2904 wrote to memory of 1980	2904	DllCommonsvc.exe	47
PID 2904 wrote to memory of 1980	2904	DllCommonsvc.exe	47
PID 2904 wrote to memory of 1980	2904	DllCommonsvc.exe	47
PID 2904 wrote to memory of 2292	2904	DllCommonsvc.exe	52
PID 2904 wrote to memory of 2292	2904	DllCommonsvc.exe	52
PID 2904 wrote to memory of 2292	2904	DllCommonsvc.exe	52
PID 2292 wrote to memory of 2420	2292	cmd.exe	54
PID 2292 wrote to memory of 2420	2292	cmd.exe	54
PID 2292 wrote to memory of 2420	2292	cmd.exe	54
PID 2292 wrote to memory of 1080	2292	cmd.exe	55
PID 2292 wrote to memory of 1080	2292	cmd.exe	55
PID 2292 wrote to memory of 1080	2292	cmd.exe	55
PID 1080 wrote to memory of 1804	1080	dllhost.exe	56
PID 1080 wrote to memory of 1804	1080	dllhost.exe	56
PID 1080 wrote to memory of 1804	1080	dllhost.exe	56
PID 1804 wrote to memory of 2056	1804	cmd.exe	58
PID 1804 wrote to memory of 2056	1804	cmd.exe	58
PID 1804 wrote to memory of 2056	1804	cmd.exe	58
PID 1804 wrote to memory of 2440	1804	cmd.exe	59
PID 1804 wrote to memory of 2440	1804	cmd.exe	59
PID 1804 wrote to memory of 2440	1804	cmd.exe	59
PID 2440 wrote to memory of 2640	2440	dllhost.exe	60
PID 2440 wrote to memory of 2640	2440	dllhost.exe	60
PID 2440 wrote to memory of 2640	2440	dllhost.exe	60
PID 2640 wrote to memory of 1784	2640	cmd.exe	62
PID 2640 wrote to memory of 1784	2640	cmd.exe	62
PID 2640 wrote to memory of 1784	2640	cmd.exe	62
PID 2640 wrote to memory of 1996	2640	cmd.exe	63
PID 2640 wrote to memory of 1996	2640	cmd.exe	63
PID 2640 wrote to memory of 1996	2640	cmd.exe	63
PID 1996 wrote to memory of 1040	1996	dllhost.exe	64
PID 1996 wrote to memory of 1040	1996	dllhost.exe	64
PID 1996 wrote to memory of 1040	1996	dllhost.exe	64
PID 1040 wrote to memory of 1504	1040	cmd.exe	66
PID 1040 wrote to memory of 1504	1040	cmd.exe	66
PID 1040 wrote to memory of 1504	1040	cmd.exe	66
PID 1040 wrote to memory of 2172	1040	cmd.exe	67
PID 1040 wrote to memory of 2172	1040	cmd.exe	67
PID 1040 wrote to memory of 2172	1040	cmd.exe	67
PID 2172 wrote to memory of 784	2172	dllhost.exe	68
PID 2172 wrote to memory of 784	2172	dllhost.exe	68
PID 2172 wrote to memory of 784	2172	dllhost.exe	68
PID 784 wrote to memory of 2040	784	cmd.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bf31d574744f4150ed69f9b26e8288d4b66de62080a29721138f96eb71340c3e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bf31d574744f4150ed69f9b26e8288d4b66de62080a29721138f96eb71340c3e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lKhhpQ3tH5.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2292
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2420
      - C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tA3KztjMoN.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2056
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1784
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\C0VS1u4WCC.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1504
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEvQv3iUx6.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2040
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TiDn8Em9ri.bat"
        15⤵
        
        PID:2964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:268
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhzsSyDvNE.bat"
        17⤵
        
        PID:1496
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1964
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KYEunsIO9t.bat"
        19⤵
        
        PID:2956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2432
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZAtO29mfgG.bat"
        21⤵
        
        PID:2912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2736
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GX2kvMhQbI.bat"
        23⤵
        
        PID:1132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2800
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat"
        25⤵
        
        PID:904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2460
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Downloads\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Downloads\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fcf97b01410dc619bd6ed5c300831a0

SHA1
495b1469f55747d9da6737c77a1040618db6da76

SHA256
f42209cd0a49457322dcf1b072907cf38cc88fb09f30157b091ab35871054b6b

SHA512
33f1405c65fc916837dbf4ab414a984020639dc183599d15940fbd655c412239bb2283486290f12e57e314c44e6566d2c2419bc4a321f3c11f97371dbb4ebb13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27fb6fa9e482b5e529f58ab86da71eb4

SHA1
360612274ad4811af41410725ab3e700ebcd6e8b

SHA256
99b42177e0d3c0eb6df838fc44bc30efcb7c32d48053aa9f65dce13f19d01ea0

SHA512
0dbdfce714008d7dbb11c9ffdc6a645ee1fc8c416d9afa2fd77b5a689ca559efb65c9425e43edbb28a11a01a3472d3505a7ab05ee4e008ca729415ece9d826a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b4b7172f56b7a5a7268b4e6d5c46d871

SHA1
b90611acacac599dc5176327f14b65c3761d55f4

SHA256
4b95b60ac797e19c9e265c9c7d7f2a7f18be03bc9fd0a939c72456cf5ad8dcc9

SHA512
c7f2353a0b07b7a41a9f7de97b27d3a7c5cb2a0a3b317ca45d550e421221307b108bdf3b7d1ee091c11def1f89f51757d0d45084c6d913eba53f21f5ce498ea2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd7695c2a77405f04510a53b8f6b3904

SHA1
e74334862cba80135b01a2bd39b810f810404284

SHA256
db793392b6a1f8f4458fdded2723bf467d8875bd98ea719a9c367fc8d7554086

SHA512
7b73201cec9345b33c0dddd8163c7a39c15d563b096b6fb2ef50b333f0194954add6080cb1419aa75e0a62bd402af35b2344ce2ded666ca243260cbe9f791b86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4bfcc643a9adfe6a9e6578d35e8c0015

SHA1
c55f381ed43e2b16c76f2e9ff815660e0d9e2b73

SHA256
6c0ced35e9b4ac5099058b7a5c77dd299d5b7fecf8783d6d85532e671d25989e

SHA512
1bdfbdf6dfeacd7ba355b8135ee5ca3cb1472ee4d864314a3354b671006237e6ee64d7caf83adcf3c304b8bdbf5e9587b8436dac3dd14caec94e48ccf239ec7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cb526bf12af6c1ae1110259615747e4

SHA1
ad9bc64345687ba1d927fb0a9612662080402450

SHA256
a4f80ea71905b0b31b8fce0602770df3a3a6b05cd28c438213b49d6f898fc9ff

SHA512
a51a13770e62f262904984ce8597b811b1b4870053b90bcbcc9847d158f718a13e0235fb6247a33f2e53ab33ee17da16fbd70af7fadf4d28d3b0e18252f26656

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e028501d271ced86955293ed7a102b71

SHA1
26c1acf8e1a8a35c32b6e3580adcc3f7d3c047f0

SHA256
6b1faa5786b91605a72e9b03943a3b5135452f6688cb14654d08cb5e3b7519c5

SHA512
a0f04160463a95bd67f7a5d84a5b9ee587ba47c65c80ae22c0a2b2e3e6b9abb6ebf11525de8f4159a343f45751a9c15c66a3bbdeea77dc51faf347a65cf02614

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2d14c12b9e586e0f33721ef7d09596c

SHA1
df9397688dc1c363599b63834f93460e2ecd06eb

SHA256
36bd3ac88ea1bb6efb5df2015e571e26d7717a0ea1b8122b403c466854e84538

SHA512
170875d63330224998fe2b38a94712a41f5743ca32ac2941cd9c68fe96f60d0d5fa9d81ea6dc79fcb27d82cc7f7d7df591c51225acfb323a3cb5e9051c696df2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7fcf0f892d7f6f3fca50b75528020dc7

SHA1
9cca460f461d59587792a5f7a3f53abf0cdcbad3

SHA256
cd4cd36f070e5548ea811a213bc6f9e8349898720928ff0aa76b5cc0b1c0c656

SHA512
ef82b22a2264b37cde51a49f3bd3c37259c1ed5a127f47cecb0a58708655df872ee5da4108dba117084f0736bbaf596b0aeae87d887f11669695da3f25a49b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0VS1u4WCC.bat

Filesize
194B

MD5
666bb4659b7bbc64559e7b9740eaaf85

SHA1
9f2738a4d8072740c6375218080fd87a78c5af40

SHA256
a0e7a7df48c4dab76dcd594fdedffd6ad996545257b2d683cade04dc41a5ef0b

SHA512
98011b923348da795c78ce407f28aa620708ec3d9698820d0343aa5d723b24776845347f54b90e489947ae1040a3115e3b964044a034738b765e6af11e84c65b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2B47.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GX2kvMhQbI.bat

Filesize
194B

MD5
bba30fe32c44fb17fbf5cc9c41fcacaa

SHA1
c03de6b82e3061ed5a1bf058789bff603a6a67dc

SHA256
3880c088cea25ae0dc094cf45b7dd1aff440b48709fcbc1b0f4ef95552dc9b5b

SHA512
762eb62b38e83917432a73af2aa813bfdbeff7e1486ab5c8fec0b807517243a8c7529dce643b998c3ee4343c6fd36312565c964df51b85dcc7afa303837fe491

Download Submit
C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat

Filesize
194B

MD5
620218779936d251ceaccbec97393ac2

SHA1
d08f66e1f275f3af82109d96cd6edde9a86effc0

SHA256
ca181fe84dff9a6bb0ffdc5e1655dfb6237d8209ab282c6dc5db9b62be7f0d89

SHA512
62e35d7bfcbcc2133b0d2952c6314c0c7b27056e8717555a2771943ea45b0f8549806b77cd8dee81be83949c5a5774986f03036cab5703e98ded180c7137e994

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYEunsIO9t.bat

Filesize
194B

MD5
0eeec5248c1a404e702de7e41ffab84a

SHA1
745e8118689fa234990fad3d2cb8aa23f8cbcd22

SHA256
5f4b8c70b199cd0507452ef37976ee5714a5630f9679fe24bfa9577699006634

SHA512
db2876da88278a2b3862dbed98d592dbdfffc26685f6cf562cf00bcb511c24f89a5718318f9e4958b9e4cf1a3773bf57f0bfa104bea80909913cd217ddd02a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2B59.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TiDn8Em9ri.bat

Filesize
194B

MD5
20c23835e53960fb76a5ec7bda37dc4d

SHA1
bcd54fe80136f7a40fd51a8a412f9e37d40d7bbc

SHA256
c18a246d60907729e23b0f22be42f97ca1eb554fe5139bdc6f9c80e89fa47918

SHA512
b930b6b0d3e4d4cd3140cb226aa97d994a805005b6fe29d0aaf80a74f1176ad51f75e9c84443582e5739d582c44d6f66bd8663dd799bc7efc1752cc34d24fb2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAtO29mfgG.bat

Filesize
194B

MD5
c2a82107470aaf7a334d7eb18b09fff8

SHA1
3bd2ba952f53f407d4ee2b5fcd66984bc5aaccb2

SHA256
b03e07d77c302b795b431ccb06e359505dadde28fcb998c0637cc07db6c86a85

SHA512
7a3dfd8f8fd071ea8ba65e65e96d66b9ea9bc34eb30b37e2e308ab6acbf01c337d8213d1e6539671fa7a4ac0f271d8b052548f2eaf63f7ee808da175159e0623

Download Submit
C:\Users\Admin\AppData\Local\Temp\lKhhpQ3tH5.bat

Filesize
194B

MD5
5b2c8ad811bd4cc19092d99147eb17b6

SHA1
3b2f3f834fb300b1f0126be3718cc5eeeb1d8d15

SHA256
8197b2fb29141fa3368ca84e67ce5f925d922ec47c8736a65e2cf9d3a6fbaf03

SHA512
fdb028c9f4180d0b429eb07a14e65b0d786d6c7f6599dd3c18057f23c82cec6479a9a666bf4f59cbca4b80751e9c29c4d38e31052c2ca4966ba36db3ab271f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat

Filesize
194B

MD5
8ab2ffc8ae65588bc10a1db39b02e662

SHA1
2e0d6f51231dd3a2044a3e2aadaff4e9c15730f4

SHA256
d371eebe8b914d3f14d72492c4a08d9be216b73d563668b5e4b34218c2552c1e

SHA512
98d95eb53ae64c9d075a1452301087ac27cc9c0369d214665cd413817ae2ea547bb0ea1ebe6803fd50bbedd17e0c8562f35d6a4a1555d4de8987b8bfe22f14ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tA3KztjMoN.bat

Filesize
194B

MD5
1ff1023d5de961916474e18c738b2d80

SHA1
b0917318083f4c2fe0a00808f0a97af58c63586a

SHA256
623fb081209688495231f6d5f4d4dc4cf33fa3ba611eca891a73355ca7d71f44

SHA512
4f75a80327d0b752334d0c7e39014a3fc422c8792ca82c4985b44ae8bf86992b57177821e1d0b6a64cd4e1568462aabad5b55750bb34c38a5368e0573d1b1477

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhzsSyDvNE.bat

Filesize
194B

MD5
67517f65d739fc10344469e2b3248527

SHA1
9060987521ad088bf5f009d492118c70386e04e9

SHA256
94d1339d823e424f1bcc232bb49b162e46c17a47c601923035c107f61285a6be

SHA512
978baab1dc59f1996e3af558493cd3b4b3249f55e8581622b5fd2ef7606da60cf5c1149eb11a344a618cb14dde2a49ca43b8682246d089107942a6c7d5067a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEvQv3iUx6.bat

Filesize
194B

MD5
224da430bcad8d84cf21f23697c246de

SHA1
3e961e654b5c5e970aff147f4f0b84660cc90047

SHA256
1249c1f03809a68add4799f1bdc1504a2499c147b18e0b7e2521ecc4820f4b01

SHA512
a2690fb840a2b881af368cbafd1854b68ad5eea0c4840cc374f00482f7eb93c28b2db79e24fe034e70e0a9aec67caa21f9b0e8b5c8c3e852aaaa06b9cdfb39f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fdcc60db1386a523b3ff8f79b7d5a006

SHA1
4c2d53791253b300f83fc228c73c9f797a660e7f

SHA256
67a919bae148267bfd38b54cc94bcaa94a6c74e75c5644444fd20417de5ffc1e

SHA512
8ca0cb3ae76d0bf870047539ba351c6d4a4784817396f7f15e0790ffc2b7c9b3e229b05012921300c83e46a100e82ed516f17ff5ba93db362b5cbcaf90a90c85

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1080-52-0x0000000000FF0000-0x0000000001100000-memory.dmp

Filesize
1.1MB

Download
memory/1192-468-0x0000000001100000-0x0000000001210000-memory.dmp

Filesize
1.1MB

Download
memory/1504-33-0x000000001B890000-0x000000001BB72000-memory.dmp

Filesize
2.9MB

Download
memory/1528-408-0x0000000000BF0000-0x0000000000D00000-memory.dmp

Filesize
1.1MB

Download
memory/1744-348-0x0000000000240000-0x0000000000350000-memory.dmp

Filesize
1.1MB

Download
memory/1980-38-0x0000000002760000-0x0000000002768000-memory.dmp

Filesize
32KB

Download
memory/2440-111-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/2904-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2904-16-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2904-15-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2904-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2904-13-0x0000000000920000-0x0000000000A30000-memory.dmp

Filesize
1.1MB

Download