dcrat | 24e2b85e2fa0a93540be3e4dc4470afb9f4b384ad007fde7fb4725edf2589907

Analysis

max time kernel
144s
max time network
140s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_24e2b85e2fa0a93540be3e4dc4470afb9f4b384ad007fde7fb4725edf2589907.exe
Size

1.3MB
MD5

6032429853024eb4665845af2bf5c145
SHA1

b4bb60b0dacd0cd6a11ffb940df54b02ea357e30
SHA256

24e2b85e2fa0a93540be3e4dc4470afb9f4b384ad007fde7fb4725edf2589907
SHA512

e4eba0451640b65c1623d51413b320df3a1e8461e861070e1506095d1ee05b7e5cee1b5c79a70fcb5b499c2385b830eb8cebd966b206122f00bf60a204c9b3bd
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	2808	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2808	schtasks.exe	35

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000186f1-9.dat	dcrat
behavioral1/memory/2872-13-0x0000000000A50000-0x0000000000B60000-memory.dmp	dcrat
behavioral1/memory/2324-52-0x0000000001210000-0x0000000001320000-memory.dmp	dcrat
behavioral1/memory/920-230-0x0000000000070000-0x0000000000180000-memory.dmp	dcrat
behavioral1/memory/340-291-0x0000000000C60000-0x0000000000D70000-memory.dmp	dcrat
behavioral1/memory/2756-351-0x0000000000CA0000-0x0000000000DB0000-memory.dmp	dcrat
behavioral1/memory/2432-530-0x0000000001070000-0x0000000001180000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2868	powershell.exe
920	powershell.exe
1900	powershell.exe
1552	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2872	DllCommonsvc.exe
2324	dllhost.exe
2544	dllhost.exe
2856	dllhost.exe
920	dllhost.exe
340	dllhost.exe
2756	dllhost.exe
1968	dllhost.exe
2316	dllhost.exe
2432	dllhost.exe
1932	dllhost.exe
2064	dllhost.exe

Loads dropped DLL 2 IoCs

pid	Process
316	cmd.exe
316	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
33	raw.githubusercontent.com
36	raw.githubusercontent.com
5	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\lib\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jre7\lib\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Java\jre7\lib\System.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_24e2b85e2fa0a93540be3e4dc4470afb9f4b384ad007fde7fb4725edf2589907.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2844	schtasks.exe
2680	schtasks.exe
552	schtasks.exe
1864	schtasks.exe
2904	schtasks.exe
2920	schtasks.exe
2796	schtasks.exe
2140	schtasks.exe
2060	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2872	DllCommonsvc.exe
1552	powershell.exe
1900	powershell.exe
920	powershell.exe
2868	powershell.exe
2324	dllhost.exe
2544	dllhost.exe
2856	dllhost.exe
920	dllhost.exe
340	dllhost.exe
2756	dllhost.exe
1968	dllhost.exe
2316	dllhost.exe
2432	dllhost.exe
1932	dllhost.exe
2064	dllhost.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	DllCommonsvc.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2324	dllhost.exe
Token: SeDebugPrivilege	2544	dllhost.exe
Token: SeDebugPrivilege	2856	dllhost.exe
Token: SeDebugPrivilege	920	dllhost.exe
Token: SeDebugPrivilege	340	dllhost.exe
Token: SeDebugPrivilege	2756	dllhost.exe
Token: SeDebugPrivilege	1968	dllhost.exe
Token: SeDebugPrivilege	2316	dllhost.exe
Token: SeDebugPrivilege	2432	dllhost.exe
Token: SeDebugPrivilege	1932	dllhost.exe
Token: SeDebugPrivilege	2064	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2588	2404	JaffaCakes118_24e2b85e2fa0a93540be3e4dc4470afb9f4b384ad007fde7fb4725edf2589907.exe	30
PID 2404 wrote to memory of 2588	2404	JaffaCakes118_24e2b85e2fa0a93540be3e4dc4470afb9f4b384ad007fde7fb4725edf2589907.exe	30
PID 2404 wrote to memory of 2588	2404	JaffaCakes118_24e2b85e2fa0a93540be3e4dc4470afb9f4b384ad007fde7fb4725edf2589907.exe	30
PID 2404 wrote to memory of 2588	2404	JaffaCakes118_24e2b85e2fa0a93540be3e4dc4470afb9f4b384ad007fde7fb4725edf2589907.exe	30
PID 2588 wrote to memory of 316	2588	WScript.exe	32
PID 2588 wrote to memory of 316	2588	WScript.exe	32
PID 2588 wrote to memory of 316	2588	WScript.exe	32
PID 2588 wrote to memory of 316	2588	WScript.exe	32
PID 316 wrote to memory of 2872	316	cmd.exe	34
PID 316 wrote to memory of 2872	316	cmd.exe	34
PID 316 wrote to memory of 2872	316	cmd.exe	34
PID 316 wrote to memory of 2872	316	cmd.exe	34
PID 2872 wrote to memory of 1552	2872	DllCommonsvc.exe	45
PID 2872 wrote to memory of 1552	2872	DllCommonsvc.exe	45
PID 2872 wrote to memory of 1552	2872	DllCommonsvc.exe	45
PID 2872 wrote to memory of 2868	2872	DllCommonsvc.exe	46
PID 2872 wrote to memory of 2868	2872	DllCommonsvc.exe	46
PID 2872 wrote to memory of 2868	2872	DllCommonsvc.exe	46
PID 2872 wrote to memory of 1900	2872	DllCommonsvc.exe	47
PID 2872 wrote to memory of 1900	2872	DllCommonsvc.exe	47
PID 2872 wrote to memory of 1900	2872	DllCommonsvc.exe	47
PID 2872 wrote to memory of 920	2872	DllCommonsvc.exe	48
PID 2872 wrote to memory of 920	2872	DllCommonsvc.exe	48
PID 2872 wrote to memory of 920	2872	DllCommonsvc.exe	48
PID 2872 wrote to memory of 3004	2872	DllCommonsvc.exe	53
PID 2872 wrote to memory of 3004	2872	DllCommonsvc.exe	53
PID 2872 wrote to memory of 3004	2872	DllCommonsvc.exe	53
PID 3004 wrote to memory of 1204	3004	cmd.exe	55
PID 3004 wrote to memory of 1204	3004	cmd.exe	55
PID 3004 wrote to memory of 1204	3004	cmd.exe	55
PID 3004 wrote to memory of 2324	3004	cmd.exe	56
PID 3004 wrote to memory of 2324	3004	cmd.exe	56
PID 3004 wrote to memory of 2324	3004	cmd.exe	56
PID 2324 wrote to memory of 2268	2324	dllhost.exe	57
PID 2324 wrote to memory of 2268	2324	dllhost.exe	57
PID 2324 wrote to memory of 2268	2324	dllhost.exe	57
PID 2268 wrote to memory of 564	2268	cmd.exe	59
PID 2268 wrote to memory of 564	2268	cmd.exe	59
PID 2268 wrote to memory of 564	2268	cmd.exe	59
PID 2268 wrote to memory of 2544	2268	cmd.exe	60
PID 2268 wrote to memory of 2544	2268	cmd.exe	60
PID 2268 wrote to memory of 2544	2268	cmd.exe	60
PID 2544 wrote to memory of 2912	2544	dllhost.exe	61
PID 2544 wrote to memory of 2912	2544	dllhost.exe	61
PID 2544 wrote to memory of 2912	2544	dllhost.exe	61
PID 2912 wrote to memory of 440	2912	cmd.exe	63
PID 2912 wrote to memory of 440	2912	cmd.exe	63
PID 2912 wrote to memory of 440	2912	cmd.exe	63
PID 2912 wrote to memory of 2856	2912	cmd.exe	64
PID 2912 wrote to memory of 2856	2912	cmd.exe	64
PID 2912 wrote to memory of 2856	2912	cmd.exe	64
PID 2856 wrote to memory of 1896	2856	dllhost.exe	65
PID 2856 wrote to memory of 1896	2856	dllhost.exe	65
PID 2856 wrote to memory of 1896	2856	dllhost.exe	65
PID 1896 wrote to memory of 2168	1896	cmd.exe	67
PID 1896 wrote to memory of 2168	1896	cmd.exe	67
PID 1896 wrote to memory of 2168	1896	cmd.exe	67
PID 1896 wrote to memory of 920	1896	cmd.exe	68
PID 1896 wrote to memory of 920	1896	cmd.exe	68
PID 1896 wrote to memory of 920	1896	cmd.exe	68
PID 920 wrote to memory of 652	920	dllhost.exe	69
PID 920 wrote to memory of 652	920	dllhost.exe	69
PID 920 wrote to memory of 652	920	dllhost.exe	69
PID 652 wrote to memory of 544	652	cmd.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_24e2b85e2fa0a93540be3e4dc4470afb9f4b384ad007fde7fb4725edf2589907.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_24e2b85e2fa0a93540be3e4dc4470afb9f4b384ad007fde7fb4725edf2589907.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\lib\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nbjzFmbPFe.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3004
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1204
      - C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wzkVYe0vvu.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:564
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bhowVEGEG8.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:440
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Lq6d7xQt2.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2168
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:544
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rn5V8mQYRH.bat"
        15⤵
        
        PID:2900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2896
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat"
        17⤵
        
        PID:304
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3036
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat"
        19⤵
        
        PID:2236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2276
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat"
        21⤵
        
        PID:1656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2640
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8tyQ25hERL.bat"
        23⤵
        
        PID:2824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2084
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat"
        25⤵
        
        PID:1016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2296
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre7\lib\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lib\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\lib\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1966784b72d0fc04e6ffdb26a049a6f8

SHA1
f97fc9cf3736683c16cfbfd63caf48580b2584c9

SHA256
177dce9f6fb6500aa7c234e7ddf94a8a4f3c96668526464723b702ae829b9346

SHA512
ead073337a9ade6fe122d5b3da5e69120c54e9db6a18ac6c95c97db5bd4e5807b88d26ae403646e11622166e4fa8f8e98324ea01364b8dad1e6d05c52fa9020d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c15b98a5ceedfc26b552e42e7469fab

SHA1
0eef448abc9b5ac4bda01f4845016a8d75687135

SHA256
5d050d419e87abb70eecd47b0d20f005a2ccdd0e3ed3354dc20081723990df3e

SHA512
0b1188bc9a1d383f4dcd7c46e4b2c823627406a3c06fe3d188ef7fb7387067df6eaceba8d06380a1e7c03ddbc2226bb88628369a30e337dd069a9398ea64f8df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6d488d6d19bf813b6198995d2b8f8a4

SHA1
3c23ed82fddb9a17edc615eb57fd98c2778777e9

SHA256
5a8764fabf71732e6a6701a56f916ef9350e73c7eb78bac49b6a00cfe7a1f515

SHA512
a4a2f81bf472a9c5c3b0353211f6e30f1a6f1179264d24908bf55ab880ee6837993c7d4b249770f3ea628bff186ebec9a53a83df3d1c87b26c5595fadd764b50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f76965dfc619a4454f9b07498e3b2d7

SHA1
d8968f7e53fb6e1607d6350ea00baa11d9a708e0

SHA256
c935d8e616dcf677ba905d9c7b12d8c802de67ba3551703c156019647924fccb

SHA512
ef32825f769f219c0ff9f76920173059d476e4042e4650bfbc1c56c26b192df1d99730303a9069005d5beddf93ea09a06de33a83c58d054fc3faa4da523dc394

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
534b705453bac53f39a0721f4ca484a7

SHA1
9b8a80599e476074f2411b8564d96d1c288ec768

SHA256
dec8da4db54940b5327814bd768c92031f73453e87fb7e58c6467438d388ab67

SHA512
da761ba0ee4efeac24923c020c52e842d1248088878ee6ef71d42870126032a269236108b668804de3d5e1dc61df881187edeb3aeb5a86c645b95795adb4bf3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14b6fe2a4ad2c9b6376bdf8a2fe0e132

SHA1
1da684810ff845ac196506259067b45e2c9f2a8a

SHA256
a9643a76c03e6a01dab45640d6bd8165a4bcc2241209b7a48c0a9274e87724f2

SHA512
bbed0a69e191e13e55abe6d47c627d23bc1d383144c84f50e908560e1068ab45272da439e9fcdff6c6f1535320376b41bc72955a85ec9c1e687dbdec8f290525

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
779270ce2615e8e45e66fa9ae26df687

SHA1
7fc217cb0d2f1fc3438af97974601b1609521db2

SHA256
5c96edc89d0b6f59e771c6d008987b5819c849e303290592001f64ca9df95d2b

SHA512
1faa64549f644dcfd6d948b9968df345b3ca59d19676f48efa2cc09be45ec11812335a3ac098d85883889c8ab5e48ad1ad9d6f98476e0c7517eb2b11ccf73db1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f5c814317473dfe5e04fa6680f1be737

SHA1
4df21f4512e7e6a7d850f82aaa63c7677767e73f

SHA256
85e46cbe63355a745da14fa8f5cde685d38fd4002d95bad83c14fd96f261c8bd

SHA512
b6239d24fc28de99efaaca52ed4f23145ed678732ce507b9e9c79134459e9820b1b513d1e4edd40bd8bfad290d6e7705316e2e55275c8a3a78344338fc3d66e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75f671e18400f8be4e09333f3d6f8b91

SHA1
3a02ab44cfb877942b1ccd9f777e41dda5091094

SHA256
f12b8acd1fcb8b46192fc41ffcfc17bb04d9baed75087cc358fdb24c292592a5

SHA512
55b1aebc79c6a934d293d1a3dfdd8c1d51e8d75134189e50d7698a703da45609cb54d4b164d9d76eef275ec31e0a89644b173777ab25446b322fdeb358c50f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8Lq6d7xQt2.bat

Filesize
194B

MD5
2d3d8209580f2fce008a015007377a51

SHA1
0e0357d684c9a13b7a5d4015b9741633c0e8e762

SHA256
45618124581b5a365435e75a1a89ab8e416532e7d3a168749b2b8d8f04f830ec

SHA512
ef2a159341b443d00571c61b72add049e13438b4baf4b4c70ecd79befc5c2cba8e1eb8a4dc6adc0b68d74860756b4ab07c1b531a0bd42745e9324487aae16ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8tyQ25hERL.bat

Filesize
194B

MD5
6beae78b55731fc8f9c9b290ebd39579

SHA1
d10311857198ae6443000b334ca534231f6d8d73

SHA256
7d8916a5443aaf86abda49dd34bf18f3e911be48a71cb95e0f8f9490338e104e

SHA512
7d27f549db193c822bb0d9ff105f0059e8509813b47da04377283b0e9abc22c26a5554ad0972d1646c17c6b3dba0b6bc8e987fab61367eafdf52bf820fa8de0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1844.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat

Filesize
194B

MD5
58356eb181f6ab8e2247b2f40394e83e

SHA1
547b53463d9f19573ee81cd53ed2356bbbebeb70

SHA256
c55c457f17a67d52ff21812583fc05de1eda6329fdc57293e6bdfa06453d49b9

SHA512
d20603cd14a26b8f44cef6db1b09c597b0665881c2a5b7bb4565ce95f7f70fcb40df1f80125691c80711cc50ea7b27412fcf18a898331903ad4bd48f9961458a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rn5V8mQYRH.bat

Filesize
194B

MD5
e36e4e300045af1f90b70f4a13f93e6e

SHA1
d0af6a98a41c2b222ba0472c98cf5b1386508fbe

SHA256
fd83c4b22d55c7837c0d2f13fafc4e73d466ff901019e3260432f945398ab6b0

SHA512
6bf97759539bed9f9d3d820db28391ea9691b60dae5c6b94441a133670e4a92a48da24e2c569585b44d2e056f326d5a02c9afedd4f95a36c45f8d693848a830c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1866.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat

Filesize
194B

MD5
e14b914143175c2e97df8e30ce44eb82

SHA1
8460d0a15c586333aee8090d189ea5da95a37d50

SHA256
bc32334c46a7c5bc2bb0c085c37f467e5daeeee0fb468a269a56085dead3b568

SHA512
db69caa36aef0a21197179781d80f9e0f9a004bf2682252d269a1cec8362b645ab45b0fb950626069436ddd016c79e604cdbb46347bede8f398c0fb7bd9612eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat

Filesize
194B

MD5
186213beaeddae9d6e3c189ad1cfb2ad

SHA1
0b21a414cafbbb3eb2ad829806ae50aa4ca2fbe5

SHA256
617e10469b5e5bb9922cdf527b98c08884958a95d1cd8c48e6388f69965025d3

SHA512
903d542cdd8e286637146ca9d05716ac68607e8359d3152b8ad19ba795d6a546d022a64717115a52c684042c35c1d971e811165ecc28f6ca420f4e7fb8073262

Download Submit
C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat

Filesize
194B

MD5
3fce50fd4e638e3a2dd39ca0260a999d

SHA1
4e495b6dae04e72d5c379dd74f3fa32f71c4a2c8

SHA256
bb28ce6db8e778156de8e128732d69149a79a9f1f888a854c842eb70b2262a6b

SHA512
503ec880ce21b98cc66dea093603c3372b30bf6ad36da46bf3cc9cc9d04ebbdf5f07227c84ce87a3a801e51a1b4a19128497ebe1482cd779a4e530ddff944ceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhowVEGEG8.bat

Filesize
194B

MD5
ea88eedde6337dba191ad06c4a9b6e6f

SHA1
98cf5c00ad1344bc06a646c5ee20c5c509bd652d

SHA256
46b5be5e319115af51246f4c0ef2c140d8d36b01c40a04e701b156731ffbf8be

SHA512
f304313a3b4ce41affbda09556ed289913fab02b83e5664eaa7cbd9a1d1025b1e79120c5493f39fd64af56a41f699301fe39904b849ebc46b62e06dcff114f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat

Filesize
194B

MD5
5d0ee339ba1a01309aa22a09ff7cae51

SHA1
7827aff86ddc83516affe35a87c6e2b7b19dcf2c

SHA256
68432ba384d922c387510a227be0383c00e4582e47d562b3f5c23e934b55db78

SHA512
ff01027e4fac04785aa165588fcfa7724052b45ab7e4fbd0076662453d2b6ee5ee40944632c49d5a6f7591ed22ac247062ca0d0b62194630d10dfd458f316696

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbjzFmbPFe.bat

Filesize
194B

MD5
802c1316615dac7669c6e2aeafceb410

SHA1
7fd5f693126ac460851e7194f2413530c6c55901

SHA256
cada7abc2791ecda584d520be45f71211470b83adeb00e4545b32448d52b4f74

SHA512
07f25ab748bfafb68b4cb45e67f8165ef771ce88428e446743195f35e6040aef65e943fdc264f2a0c7dca7852953b11f25932bd8c8ca4aba9dc695b970b3b595

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzkVYe0vvu.bat

Filesize
194B

MD5
be3858e0d590b31c34d6041d1c19262f

SHA1
8af1c4583c3265b960f693a7b1f65de0f940b606

SHA256
6c45547e55f1b9fdbcc45f55896ad557f033c08f3992f953156c25ff70900040

SHA512
6913b5ac85d9bae574e352185d402d612f0edbd587b5fc0f772656e72717f59ae098fec0ced84f692c11f0948ece2627885875131e37ab671a7b9a9b4b5a6f9b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ATFNGF7OQOXXWBKKUGOF.temp

Filesize
7KB

MD5
6a3f73e13390d1c094069d5191d630e3

SHA1
12afd4794a08498b766249cab09717de0380ea2e

SHA256
7c6856a91923957f48ca8705ecab146b8e65d0a0816ee7fbb702e31d137c64b7

SHA512
1e6a0a52704998ee7bf0c7e7d50e130957ab200dbe23e8be9f8817fec1a401c32325ab5b9165b8858ffc1e2bb244e71490403f770c601ed73795603d7c54f642

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/340-291-0x0000000000C60000-0x0000000000D70000-memory.dmp

Filesize
1.1MB

Download
memory/920-230-0x0000000000070000-0x0000000000180000-memory.dmp

Filesize
1.1MB

Download
memory/920-231-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1552-38-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download
memory/1552-37-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/1968-411-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2324-52-0x0000000001210000-0x0000000001320000-memory.dmp

Filesize
1.1MB

Download
memory/2432-530-0x0000000001070000-0x0000000001180000-memory.dmp

Filesize
1.1MB

Download
memory/2756-351-0x0000000000CA0000-0x0000000000DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2856-170-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2872-17-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2872-16-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2872-15-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2872-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2872-13-0x0000000000A50000-0x0000000000B60000-memory.dmp

Filesize
1.1MB

Download