dcrat | 9fbcd186b057cdf53a7d34a98131c0f0d6a1849f90390771dda0de1ae83227d3

Analysis

max time kernel
144s
max time network
140s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9fbcd186b057cdf53a7d34a98131c0f0d6a1849f90390771dda0de1ae83227d3.exe
Size

1.3MB
MD5

5b72a4a651f45f97ddbee6b337cc1dd2
SHA1

be4bd3170e6edb71abfe754a108d8ff6338881d2
SHA256

9fbcd186b057cdf53a7d34a98131c0f0d6a1849f90390771dda0de1ae83227d3
SHA512

d5938e52490c8087c60d7c26aecf536e916aaee23ff367b4466c8d4b8bcdab54f96092ff9a0f7291602e43050d934080ad1f35947a0c2d7abe714cfd53240ff9
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2704	schtasks.exe	34

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000018780-10.dat	dcrat
behavioral1/memory/2820-13-0x0000000001110000-0x0000000001220000-memory.dmp	dcrat
behavioral1/memory/2160-45-0x0000000000FE0000-0x00000000010F0000-memory.dmp	dcrat
behavioral1/memory/836-578-0x0000000000040000-0x0000000000150000-memory.dmp	dcrat
behavioral1/memory/2276-638-0x0000000000B70000-0x0000000000C80000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2576	powershell.exe
664	powershell.exe
2264	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2820	DllCommonsvc.exe
2160	spoolsv.exe
1084	spoolsv.exe
2332	spoolsv.exe
2828	spoolsv.exe
1924	spoolsv.exe
2928	spoolsv.exe
3008	spoolsv.exe
372	spoolsv.exe
1472	spoolsv.exe
836	spoolsv.exe
2276	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
2760	cmd.exe
2760	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
30	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
33	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9fbcd186b057cdf53a7d34a98131c0f0d6a1849f90390771dda0de1ae83227d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2348	schtasks.exe
2752	schtasks.exe
2784	schtasks.exe
2836	schtasks.exe
1664	schtasks.exe
2656	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2820	DllCommonsvc.exe
2820	DllCommonsvc.exe
2820	DllCommonsvc.exe
2576	powershell.exe
664	powershell.exe
2264	powershell.exe
2160	spoolsv.exe
1084	spoolsv.exe
2332	spoolsv.exe
2828	spoolsv.exe
1924	spoolsv.exe
2928	spoolsv.exe
3008	spoolsv.exe
372	spoolsv.exe
1472	spoolsv.exe
836	spoolsv.exe
2276	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	DllCommonsvc.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	664	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	2160	spoolsv.exe
Token: SeDebugPrivilege	1084	spoolsv.exe
Token: SeDebugPrivilege	2332	spoolsv.exe
Token: SeDebugPrivilege	2828	spoolsv.exe
Token: SeDebugPrivilege	1924	spoolsv.exe
Token: SeDebugPrivilege	2928	spoolsv.exe
Token: SeDebugPrivilege	3008	spoolsv.exe
Token: SeDebugPrivilege	372	spoolsv.exe
Token: SeDebugPrivilege	1472	spoolsv.exe
Token: SeDebugPrivilege	836	spoolsv.exe
Token: SeDebugPrivilege	2276	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2416	2888	JaffaCakes118_9fbcd186b057cdf53a7d34a98131c0f0d6a1849f90390771dda0de1ae83227d3.exe	30
PID 2888 wrote to memory of 2416	2888	JaffaCakes118_9fbcd186b057cdf53a7d34a98131c0f0d6a1849f90390771dda0de1ae83227d3.exe	30
PID 2888 wrote to memory of 2416	2888	JaffaCakes118_9fbcd186b057cdf53a7d34a98131c0f0d6a1849f90390771dda0de1ae83227d3.exe	30
PID 2888 wrote to memory of 2416	2888	JaffaCakes118_9fbcd186b057cdf53a7d34a98131c0f0d6a1849f90390771dda0de1ae83227d3.exe	30
PID 2416 wrote to memory of 2760	2416	WScript.exe	31
PID 2416 wrote to memory of 2760	2416	WScript.exe	31
PID 2416 wrote to memory of 2760	2416	WScript.exe	31
PID 2416 wrote to memory of 2760	2416	WScript.exe	31
PID 2760 wrote to memory of 2820	2760	cmd.exe	33
PID 2760 wrote to memory of 2820	2760	cmd.exe	33
PID 2760 wrote to memory of 2820	2760	cmd.exe	33
PID 2760 wrote to memory of 2820	2760	cmd.exe	33
PID 2820 wrote to memory of 2264	2820	DllCommonsvc.exe	41
PID 2820 wrote to memory of 2264	2820	DllCommonsvc.exe	41
PID 2820 wrote to memory of 2264	2820	DllCommonsvc.exe	41
PID 2820 wrote to memory of 2576	2820	DllCommonsvc.exe	42
PID 2820 wrote to memory of 2576	2820	DllCommonsvc.exe	42
PID 2820 wrote to memory of 2576	2820	DllCommonsvc.exe	42
PID 2820 wrote to memory of 664	2820	DllCommonsvc.exe	43
PID 2820 wrote to memory of 664	2820	DllCommonsvc.exe	43
PID 2820 wrote to memory of 664	2820	DllCommonsvc.exe	43
PID 2820 wrote to memory of 2668	2820	DllCommonsvc.exe	47
PID 2820 wrote to memory of 2668	2820	DllCommonsvc.exe	47
PID 2820 wrote to memory of 2668	2820	DllCommonsvc.exe	47
PID 2668 wrote to memory of 2104	2668	cmd.exe	49
PID 2668 wrote to memory of 2104	2668	cmd.exe	49
PID 2668 wrote to memory of 2104	2668	cmd.exe	49
PID 2668 wrote to memory of 2160	2668	cmd.exe	51
PID 2668 wrote to memory of 2160	2668	cmd.exe	51
PID 2668 wrote to memory of 2160	2668	cmd.exe	51
PID 2160 wrote to memory of 1776	2160	spoolsv.exe	52
PID 2160 wrote to memory of 1776	2160	spoolsv.exe	52
PID 2160 wrote to memory of 1776	2160	spoolsv.exe	52
PID 1776 wrote to memory of 2492	1776	cmd.exe	54
PID 1776 wrote to memory of 2492	1776	cmd.exe	54
PID 1776 wrote to memory of 2492	1776	cmd.exe	54
PID 1776 wrote to memory of 1084	1776	cmd.exe	55
PID 1776 wrote to memory of 1084	1776	cmd.exe	55
PID 1776 wrote to memory of 1084	1776	cmd.exe	55
PID 1084 wrote to memory of 1644	1084	spoolsv.exe	56
PID 1084 wrote to memory of 1644	1084	spoolsv.exe	56
PID 1084 wrote to memory of 1644	1084	spoolsv.exe	56
PID 1644 wrote to memory of 2864	1644	cmd.exe	58
PID 1644 wrote to memory of 2864	1644	cmd.exe	58
PID 1644 wrote to memory of 2864	1644	cmd.exe	58
PID 1644 wrote to memory of 2332	1644	cmd.exe	59
PID 1644 wrote to memory of 2332	1644	cmd.exe	59
PID 1644 wrote to memory of 2332	1644	cmd.exe	59
PID 2332 wrote to memory of 1244	2332	spoolsv.exe	60
PID 2332 wrote to memory of 1244	2332	spoolsv.exe	60
PID 2332 wrote to memory of 1244	2332	spoolsv.exe	60
PID 1244 wrote to memory of 812	1244	cmd.exe	62
PID 1244 wrote to memory of 812	1244	cmd.exe	62
PID 1244 wrote to memory of 812	1244	cmd.exe	62
PID 1244 wrote to memory of 2828	1244	cmd.exe	63
PID 1244 wrote to memory of 2828	1244	cmd.exe	63
PID 1244 wrote to memory of 2828	1244	cmd.exe	63
PID 2828 wrote to memory of 608	2828	spoolsv.exe	64
PID 2828 wrote to memory of 608	2828	spoolsv.exe	64
PID 2828 wrote to memory of 608	2828	spoolsv.exe	64
PID 608 wrote to memory of 684	608	cmd.exe	66
PID 608 wrote to memory of 684	608	cmd.exe	66
PID 608 wrote to memory of 684	608	cmd.exe	66
PID 608 wrote to memory of 1924	608	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9fbcd186b057cdf53a7d34a98131c0f0d6a1849f90390771dda0de1ae83227d3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9fbcd186b057cdf53a7d34a98131c0f0d6a1849f90390771dda0de1ae83227d3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:664
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TckjSxu3FX.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2668
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2104
      - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\auWhjrprfd.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2492
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2864
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hlHmrlOhE6.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:812
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:684
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Po3x2tXZG.bat"
        15⤵
        
        PID:2520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2888
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9ncYvmuuF5.bat"
        17⤵
        
        PID:2760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2856
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TEfATY8not.bat"
        19⤵
        
        PID:1584
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1984
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TGRMrapfWg.bat"
        21⤵
        
        PID:1632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:828
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mrWoaKD2ur.bat"
        23⤵
        
        PID:2896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1696
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AvSbArq942.bat"
        25⤵
        
        PID:1224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2180
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1cabddd65da214958f26ac149c4f809d

SHA1
c6c88f311db39d98462c707fab68a2240600f0c1

SHA256
2ab7c9f19dd1ff47051ab9242cf4b91584f7beff16c52ce0b7f858c94cad3a90

SHA512
76e2a701b72bf247ae0cac244d80d2b32b6e9a7177577c86a6f8c254735c85023af9fbadf9191a1b39e673d6b1f1b2fd66b809e340eb591e334265b204ff3d1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
058804b4c8788de00e8d0b50427f4261

SHA1
4e0ead60f73779ccc9eb617c67b699b804289a8b

SHA256
17bd39a6f2acf6e7bb21f99231b96615095d534385e7f257135093da2bce402a

SHA512
95946720526a890fae2e5e7dc38e2200a3ae2e311acbee4b345ea7fa5765dc9d68ff2c1c72d30a1d1fa094e328b33cf46260445e3200bf92e676d9baae4b7ba1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
140512d84bd8e586c8994d6eb9240cfc

SHA1
3b8cd9695b478b445eec53015c5e42cb2eb24240

SHA256
9efc03f0c3124b8f030086917c03790721498f257f0752403438cced2ef67bff

SHA512
8ba99a9eb06fa0f69a64086567ee5b46f34781be12989fca7061b9598e986a94bf420262dc19fd2f70543f03c83551ac1d1a94ce72a87b60ec5d6cc144d1f0a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f27a0dbddaa4bee08d7864366a1d42f

SHA1
b9d6988798de423e0250bfe2b75ce88df5bcebc5

SHA256
460060603298d3e77d099759d8c1ad15079426966723d9ae011279043be39817

SHA512
4dfc67ffac4072b68029376d7e9d9c99a986e1410961852bff81755d11e31a8b40ba0d87cb3baea7f3e2b13caa2056be31034fb5be4f08c297e9f662e1ccfe8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45708b982404f450fe755a18511de8a1

SHA1
e84817d6f2d9a138cb9ab8f5bce695ffbd6a5f66

SHA256
9f354e859723adb2f30d0600e4d440dcdcc840c8c11b9f8987c176b891efe7fd

SHA512
57def3e0cb6a2fb4dd2f0717682e05b2289344fa116a5f965e02b140a95cac96012072ddbe13df2666e859a29750024264b5a3f111a72397ad1793e3dbe6b8a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a52465cc07d1f180929ccb8649ca098

SHA1
95949ba0f5b806a35362b36048b20d12fcb4398f

SHA256
505891ee15bbedf1d54a9ecb611cabb049e283ff88b9ff8362e4c286e683dd2a

SHA512
d75a31b9ca82c8fff78cc18e3429489101be5537ba90a042da80662c9fbdcdc791b47baaa1f67268da4d459c1ab221ec8b8bb59c230095193fefc98e9feb06e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3c62352e018ecab39f3613801ab350b

SHA1
5e7b6f5924763f1d6bff9a05c496712e43aa1c02

SHA256
90e87d8d0b7469975cbbc2113c1c1ff78b5029cc8851d72ad266582e10910f6f

SHA512
ffcb16dc709209bd550f9d1ee07acae3005e644b5ada4cf22eb574e28c5b15400caca1bc7a58cff90b5231e24dd36e12bdc2173e64665f383b8467c5ca8f8afe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a9458b2a15d743033eaf13ed2aec325

SHA1
cfeb7aa3d93098c3aa6eb75ff08c12ed09d13034

SHA256
3715c4f7237a557e623e940087f5dba2caf5da9124f6d267ba0a3d4f31c5ce3b

SHA512
c7683b4bb45f6b5576895093729886d901d3b3833bf2dc62c4db20ba287fb8253899506ff54f35939535f3e3d35c2cdc14ac88b3416ce9f6b17185059325e05e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
006fac2e3a67e39281c4656943db15ac

SHA1
23870c7a9f1e2cd4bd9bd666d81a9385a7aa6444

SHA256
6c4020c09e9f1e7925f0ca8682822b83e05c8ae468c572485337bf532c624b1a

SHA512
03a83a087551fedcf26820cc6874a8adeae86a2c8d24dc90029681833e4ddf64cab77ffdd3af84d32a33b06c0741796d4b371bba2bb38797d4674d3621898618

Download Submit
C:\Users\Admin\AppData\Local\Temp\6Po3x2tXZG.bat

Filesize
239B

MD5
32713652846528ed8c3bc250b0dfa4ea

SHA1
70bc964e8ba29d7a0ac131f3e7aec37767925f9f

SHA256
ac77e9b580949f91640111ec3ed1201249ea59d77e7a2d080ead448efbd19660

SHA512
d4b46af509c617d0da81ce9c80cff36be50d882ca6be186e3429adf293b23dec702412426c9e3edec5d2c0655f71784b9e8b55d67c368713c672466843c9aa44

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ncYvmuuF5.bat

Filesize
239B

MD5
44d44bff3e0f4ad79f9398ef74037383

SHA1
4c6866a27f84022cbda86d6b3a0efef43f0a5960

SHA256
bc70ae72c5ed66e630107ed81453e82b60e65a620e8d939f2e967e043e50015c

SHA512
5b732b196e823ad02823c6f0da3ac4253553093fc859b82eda16dcb38e790f3a480402cee40b2c84a3733de111b843034ef3b9d248eb5cc186e55b3bc49956bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AvSbArq942.bat

Filesize
239B

MD5
62c32e6df48d816f5ff5e8517ad6e20d

SHA1
0dcbec3379fa055a28bb206501703e08649fe039

SHA256
f086aec88bc11d716d28a7748d291722f2bf56af92869f0eead55aec14eebc47

SHA512
097c1744047cc429a99969d1be30e3cff0f4f6bc6d55187405b7346990191972d9cf0debda08d680aeb24c83d0ce7acf6238120e9d2e0251f9d94189a0146cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFBFD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat

Filesize
239B

MD5
bac8d5aa3d1ca173411e6a568289e75f

SHA1
a2c750374b2f6aef325d0178e55046da40e63bd5

SHA256
3416a9b8de38d53cd53f45908a53fbd1135b530e240142938f7ca8f7f92b7fa3

SHA512
c88628ea96b331bc1b8685cdfeab3a8f95a248bbc18a24b0266fd667feadff8fc489025e9509ba9efe3e7139eaf38d90d9b5466045b7445f8591d2d38b0a470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEfATY8not.bat

Filesize
239B

MD5
6240e93eb248bdca92bb0a85b6e04c1e

SHA1
81f2a6c30e2837470b21d98bb49fc26e24934140

SHA256
4221553e174ed37cd534035070e7eb112ce7507dcb71f813b4f0562a1224e63b

SHA512
b2e985425a3f8b83a666c73a88c68742859e681f4199462d963836edb0f2e6ff618a6bea8c566848597dcf40f71fbd41da9550a25dcb2bfd0edf74bdd451a994

Download Submit
C:\Users\Admin\AppData\Local\Temp\TGRMrapfWg.bat

Filesize
239B

MD5
241a14ba3b2895db6990057a6e504260

SHA1
2d388123d26e8e3923497892dd9ada482dd964f3

SHA256
9c98781d06c58d8e7f76e2b763193dd2cb709cde7aeec111834ff53d38de7788

SHA512
a7c82db5953aaae27ea5186314c12e6f09fa7d391d21d081f051ff3c1b34d70e9a08fd800d0c34bd594eed7d498682fe390fdc7f17523014d3d9f4e8e02cf6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFC1F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TckjSxu3FX.bat

Filesize
239B

MD5
e97448d9c628795f8382f634c5a15562

SHA1
ed2fbd836b8fafa79d9ad2b5249ce7107fcaadcd

SHA256
0bebaf0e24a9895952d0dcf16d2029f5a84853e5749870124c33f88873c5e38d

SHA512
763bcb8d1530345cd0570c205b4bd725299e798248575097e9654f9bf0152dae2add37ef20f5fd9428d75e1850e8f6eb82b6ac7a8187d9b6ae113566145a5197

Download Submit
C:\Users\Admin\AppData\Local\Temp\auWhjrprfd.bat

Filesize
239B

MD5
e2d249ec46c37996b98bca01913c2e20

SHA1
c638bb0a914fa56d43c3b7ea3dfbdc20b0f11539

SHA256
4f77d5da39e5b19a7735f21d8ade5f94e1acac71eaf90644fb971936e7983e0b

SHA512
758fc041283d7a05fd29e3fe149c75bf3a94fc860fe12fdd1ff2fc0cf06814ca0bb8e7afbc397187e18c6f2724d80ccbbfb57de6c7c38287d42bbb1bc2e24270

Download Submit
C:\Users\Admin\AppData\Local\Temp\hlHmrlOhE6.bat

Filesize
239B

MD5
2d9fe27d66a3412dc87bce0b09ef0e1a

SHA1
e92fb4e756f465101c78ad8503b11ef6f808b6f8

SHA256
a1ab4bf66074f5acb24987809942d14ad501e30e65cef9c1012768690fd51e91

SHA512
3384d66de64037b7e869b2171f8866c633df68c45896b050814a3ffea4a8c1c49855e57e47e7ccedee7f9c399b89df86032d663325c8d495b8a3be3cd3f2ea57

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrWoaKD2ur.bat

Filesize
239B

MD5
911672e6487a48d0ee407a88e1d88de4

SHA1
b15c76a4fee04e0a20802824b9a7ebc3bf974ba3

SHA256
6193bcf8a55ed3b32033d3f77adda50f040e0eee13b7423a37e8d6fa6eb55189

SHA512
ed5b1538af702984a6582cf748be0e3c0f42dbad89d48015c785b260a74e5813621d1d7c9f0d4d6fb0fb2689f02c6453070799d2986223127caac4cf2f31ebc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat

Filesize
239B

MD5
74629572101bc0a29625c72c123507e8

SHA1
bccd5f8296a10eb65a7fd115eba64b35b6800410

SHA256
53178daa6f1ae613f7c8e34756f64be5347a8173aa31ae0e2fbe870cd57b3159

SHA512
c515f616ed7c01c311bbf1a72ee899b58e21328107be40e23aba7c3b6ee2650abae388c113c17cfc740c078651e7196b40395ff17472288779a63d319cb117f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\55ZXQBC3IKB3JJ2WPVDS.temp

Filesize
7KB

MD5
cb62df032111cc21f13fc61184ab58a8

SHA1
9680210e00b7aae2ea76a39dd37fa17a993fbf41

SHA256
3ec979faecf4d096250ab48aa1807eadabc571f2d1ed2595eb189ed1540b1465

SHA512
1eca4759e6a755060fe6ebe908ac6269c0446f75b0bbcbc82bbfecac0c9bd22578d93260109e3c1443407d3136c66de87e4269ca318f502290ae9b7a9364f506

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/836-578-0x0000000000040000-0x0000000000150000-memory.dmp

Filesize
1.1MB

Download
memory/1472-518-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2160-45-0x0000000000FE0000-0x00000000010F0000-memory.dmp

Filesize
1.1MB

Download
memory/2160-46-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2276-638-0x0000000000B70000-0x0000000000C80000-memory.dmp

Filesize
1.1MB

Download
memory/2576-40-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2576-41-0x00000000027F0000-0x00000000027F8000-memory.dmp

Filesize
32KB

Download
memory/2820-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2820-16-0x0000000000340000-0x000000000034C000-memory.dmp

Filesize
48KB

Download
memory/2820-15-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2820-14-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2820-13-0x0000000001110000-0x0000000001220000-memory.dmp

Filesize
1.1MB

Download