dcrat | 5d166771b6f2157714749fde6a4f24c538468d7046ba720c5023492cd625f87f

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5d166771b6f2157714749fde6a4f24c538468d7046ba720c5023492cd625f87f.exe
Size

1.3MB
MD5

d92b13a6fa39e7640c24691d604f3984
SHA1

b26ffd18ac5bec689afdfef130129c433bb785f0
SHA256

5d166771b6f2157714749fde6a4f24c538468d7046ba720c5023492cd625f87f
SHA512

ed383132b7befa9f40e9c83a105f13366e0aee14ee0e8ed942a83115e6aa2c6070fe4508db08af839cf79ebfb5b4574c78dfb4211e3e911757d76576f5e8952d
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2500	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000015cda-9.dat	dcrat
behavioral1/memory/2920-13-0x0000000000E90000-0x0000000000FA0000-memory.dmp	dcrat
behavioral1/memory/2352-52-0x0000000000940000-0x0000000000A50000-memory.dmp	dcrat
behavioral1/memory/2432-111-0x0000000000BD0000-0x0000000000CE0000-memory.dmp	dcrat
behavioral1/memory/2604-171-0x00000000002C0000-0x00000000003D0000-memory.dmp	dcrat
behavioral1/memory/2232-232-0x0000000001230000-0x0000000001340000-memory.dmp	dcrat
behavioral1/memory/2612-351-0x00000000013D0000-0x00000000014E0000-memory.dmp	dcrat
behavioral1/memory/2488-590-0x0000000000280000-0x0000000000390000-memory.dmp	dcrat
behavioral1/memory/1724-650-0x0000000000140000-0x0000000000250000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1312	powershell.exe
1868	powershell.exe
2844	powershell.exe
2828	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2920	DllCommonsvc.exe
2352	smss.exe
2432	smss.exe
2604	smss.exe
2232	smss.exe
2288	smss.exe
2612	smss.exe
1940	smss.exe
264	smss.exe
2520	smss.exe
2488	smss.exe
1724	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
2792	cmd.exe
2792	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
35	raw.githubusercontent.com
39	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
31	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Uninstall Information\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\69ddcba757bf72	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5d166771b6f2157714749fde6a4f24c538468d7046ba720c5023492cd625f87f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2124	schtasks.exe
2376	schtasks.exe
2256	schtasks.exe
3040	schtasks.exe
576	schtasks.exe
2224	schtasks.exe
1620	schtasks.exe
1448	schtasks.exe
1936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2920	DllCommonsvc.exe
2828	powershell.exe
2844	powershell.exe
1868	powershell.exe
1312	powershell.exe
2352	smss.exe
2432	smss.exe
2604	smss.exe
2232	smss.exe
2288	smss.exe
2612	smss.exe
1940	smss.exe
264	smss.exe
2520	smss.exe
2488	smss.exe
1724	smss.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2920	DllCommonsvc.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	2352	smss.exe
Token: SeDebugPrivilege	2432	smss.exe
Token: SeDebugPrivilege	2604	smss.exe
Token: SeDebugPrivilege	2232	smss.exe
Token: SeDebugPrivilege	2288	smss.exe
Token: SeDebugPrivilege	2612	smss.exe
Token: SeDebugPrivilege	1940	smss.exe
Token: SeDebugPrivilege	264	smss.exe
Token: SeDebugPrivilege	2520	smss.exe
Token: SeDebugPrivilege	2488	smss.exe
Token: SeDebugPrivilege	1724	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2660	2596	JaffaCakes118_5d166771b6f2157714749fde6a4f24c538468d7046ba720c5023492cd625f87f.exe	30
PID 2596 wrote to memory of 2660	2596	JaffaCakes118_5d166771b6f2157714749fde6a4f24c538468d7046ba720c5023492cd625f87f.exe	30
PID 2596 wrote to memory of 2660	2596	JaffaCakes118_5d166771b6f2157714749fde6a4f24c538468d7046ba720c5023492cd625f87f.exe	30
PID 2596 wrote to memory of 2660	2596	JaffaCakes118_5d166771b6f2157714749fde6a4f24c538468d7046ba720c5023492cd625f87f.exe	30
PID 2660 wrote to memory of 2792	2660	WScript.exe	31
PID 2660 wrote to memory of 2792	2660	WScript.exe	31
PID 2660 wrote to memory of 2792	2660	WScript.exe	31
PID 2660 wrote to memory of 2792	2660	WScript.exe	31
PID 2792 wrote to memory of 2920	2792	cmd.exe	33
PID 2792 wrote to memory of 2920	2792	cmd.exe	33
PID 2792 wrote to memory of 2920	2792	cmd.exe	33
PID 2792 wrote to memory of 2920	2792	cmd.exe	33
PID 2920 wrote to memory of 1868	2920	DllCommonsvc.exe	44
PID 2920 wrote to memory of 1868	2920	DllCommonsvc.exe	44
PID 2920 wrote to memory of 1868	2920	DllCommonsvc.exe	44
PID 2920 wrote to memory of 2844	2920	DllCommonsvc.exe	45
PID 2920 wrote to memory of 2844	2920	DllCommonsvc.exe	45
PID 2920 wrote to memory of 2844	2920	DllCommonsvc.exe	45
PID 2920 wrote to memory of 1312	2920	DllCommonsvc.exe	46
PID 2920 wrote to memory of 1312	2920	DllCommonsvc.exe	46
PID 2920 wrote to memory of 1312	2920	DllCommonsvc.exe	46
PID 2920 wrote to memory of 2828	2920	DllCommonsvc.exe	48
PID 2920 wrote to memory of 2828	2920	DllCommonsvc.exe	48
PID 2920 wrote to memory of 2828	2920	DllCommonsvc.exe	48
PID 2920 wrote to memory of 1660	2920	DllCommonsvc.exe	52
PID 2920 wrote to memory of 1660	2920	DllCommonsvc.exe	52
PID 2920 wrote to memory of 1660	2920	DllCommonsvc.exe	52
PID 1660 wrote to memory of 1548	1660	cmd.exe	54
PID 1660 wrote to memory of 1548	1660	cmd.exe	54
PID 1660 wrote to memory of 1548	1660	cmd.exe	54
PID 1660 wrote to memory of 2352	1660	cmd.exe	55
PID 1660 wrote to memory of 2352	1660	cmd.exe	55
PID 1660 wrote to memory of 2352	1660	cmd.exe	55
PID 2352 wrote to memory of 2976	2352	smss.exe	57
PID 2352 wrote to memory of 2976	2352	smss.exe	57
PID 2352 wrote to memory of 2976	2352	smss.exe	57
PID 2976 wrote to memory of 2444	2976	cmd.exe	59
PID 2976 wrote to memory of 2444	2976	cmd.exe	59
PID 2976 wrote to memory of 2444	2976	cmd.exe	59
PID 2976 wrote to memory of 2432	2976	cmd.exe	60
PID 2976 wrote to memory of 2432	2976	cmd.exe	60
PID 2976 wrote to memory of 2432	2976	cmd.exe	60
PID 2432 wrote to memory of 2864	2432	smss.exe	61
PID 2432 wrote to memory of 2864	2432	smss.exe	61
PID 2432 wrote to memory of 2864	2432	smss.exe	61
PID 2864 wrote to memory of 2336	2864	cmd.exe	63
PID 2864 wrote to memory of 2336	2864	cmd.exe	63
PID 2864 wrote to memory of 2336	2864	cmd.exe	63
PID 2864 wrote to memory of 2604	2864	cmd.exe	64
PID 2864 wrote to memory of 2604	2864	cmd.exe	64
PID 2864 wrote to memory of 2604	2864	cmd.exe	64
PID 2604 wrote to memory of 2868	2604	smss.exe	65
PID 2604 wrote to memory of 2868	2604	smss.exe	65
PID 2604 wrote to memory of 2868	2604	smss.exe	65
PID 2868 wrote to memory of 2888	2868	cmd.exe	67
PID 2868 wrote to memory of 2888	2868	cmd.exe	67
PID 2868 wrote to memory of 2888	2868	cmd.exe	67
PID 2868 wrote to memory of 2232	2868	cmd.exe	68
PID 2868 wrote to memory of 2232	2868	cmd.exe	68
PID 2868 wrote to memory of 2232	2868	cmd.exe	68
PID 2232 wrote to memory of 376	2232	smss.exe	69
PID 2232 wrote to memory of 376	2232	smss.exe	69
PID 2232 wrote to memory of 376	2232	smss.exe	69
PID 376 wrote to memory of 656	376	cmd.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5d166771b6f2157714749fde6a4f24c538468d7046ba720c5023492cd625f87f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5d166771b6f2157714749fde6a4f24c538468d7046ba720c5023492cd625f87f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n01dVjYKVw.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1660
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1548
      - C:\Program Files (x86)\Uninstall Information\smss.exe
        
        "C:\Program Files (x86)\Uninstall Information\smss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2444
        
        C:\Program Files (x86)\Uninstall Information\smss.exe
        
        "C:\Program Files (x86)\Uninstall Information\smss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lmMgPtgxf2.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2336
        
        C:\Program Files (x86)\Uninstall Information\smss.exe
        
        "C:\Program Files (x86)\Uninstall Information\smss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2888
        
        C:\Program Files (x86)\Uninstall Information\smss.exe
        
        "C:\Program Files (x86)\Uninstall Information\smss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UyITBGB0nG.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:656
        
        C:\Program Files (x86)\Uninstall Information\smss.exe
        
        "C:\Program Files (x86)\Uninstall Information\smss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ixwcMXCIg.bat"
        15⤵
        
        PID:2216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2292
        
        C:\Program Files (x86)\Uninstall Information\smss.exe
        
        "C:\Program Files (x86)\Uninstall Information\smss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat"
        17⤵
        
        PID:1868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2904
        
        C:\Program Files (x86)\Uninstall Information\smss.exe
        
        "C:\Program Files (x86)\Uninstall Information\smss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat"
        19⤵
        
        PID:1396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1656
        
        C:\Program Files (x86)\Uninstall Information\smss.exe
        
        "C:\Program Files (x86)\Uninstall Information\smss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat"
        21⤵
        
        PID:2628
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2672
        
        C:\Program Files (x86)\Uninstall Information\smss.exe
        
        "C:\Program Files (x86)\Uninstall Information\smss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat"
        23⤵
        
        PID:2124
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1448
        
        C:\Program Files (x86)\Uninstall Information\smss.exe
        
        "C:\Program Files (x86)\Uninstall Information\smss.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat"
        25⤵
        
        PID:2960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:984
        
        C:\Program Files (x86)\Uninstall Information\smss.exe
        
        "C:\Program Files (x86)\Uninstall Information\smss.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd67db1e984d2653482526f8b0053ef9

SHA1
e35e59e9be5e83879d6376ac06307524c6916d43

SHA256
df7d23809f22dfb280b0ea9e465a2a44c8deebbc375683f79a267760f0f29a6f

SHA512
a058deb1fd093586c6867398ee4b5dd89763f8acf605b5bd4f05eb0179059ee099fb8ea62afec5891c1c36310c59d3f5c72311f5b91dde46a7becf8e86e53a15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a76571e5deaef04df27274fc0913a8a3

SHA1
50766991c1688bde48a554183b11418ce26a89ff

SHA256
6fa58ec57ac811583252f45edaea5cdd57d6a95a90c5af2f8ed5e05fe92120de

SHA512
71a118bad337b7deefadcf77c9077e9317d6d56063e7e05e70dc94b23086d67835b77fd77fda1267520d22b5a5823e4c42a8ebab462e1a8c8f7c4d7d393a7755

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b2a62f2da2966be6a69690f36ddc4da

SHA1
8c9dfa56ca2aef33df78f424c47e49869d07d08f

SHA256
576d95270e1306ad8fb077b9b4faa2be3ab1e6539f3fc692ed5c094f1646fbe2

SHA512
510f9517b2e5c51848a3ee6f71d6c416e8ee56b184215a796f967bed834b6c42e944b84d63f0229e7997f73c6c3046f3faff999c031cf8975c99aff10cf08094

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5737947f90017c4a86666b765ba79131

SHA1
d0d74e814e293f504955efd3f928e135126ac656

SHA256
a530fd1d34a4d483c5f53c2db00428094242af8d6cac888a084f98cfc5abe267

SHA512
072ceb9154e3d75867a8fcf20d15f8bb69d3cd7b80861c76a3c617d4adcc950ae22a6ef5510ea5bc316f6da8a76548337c9471909f36885ea73d851e706734cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7338d95e593cb8952894ff8d13928df

SHA1
dc44df712417a81415775e185ba52eb85c84221b

SHA256
20f88fb83886500fbaa64c43bf1241c2cd965eb93f61a0d8b0629c18acd7e540

SHA512
74287fce2c0894a67c7fda1279e4dcb2e295d302ca376e9a5ca21e843a948dd90a428890e540510a05a5fac2c8699b4544c2808838a6ac03c1a39e8fdf1873e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2398e039b92ba47a47ba38f1fe472e1

SHA1
42281bdae4ab7f242c10699da80023b106b7f3f4

SHA256
d7407b6e7b8dec8cbfa8bbf0a4963dcb9d7560d78b1a1e11ccef6dfbd6d104ee

SHA512
ee3d5bb2fdadd3244c75707463f4dc0aa791cb9af19e761cd8bd8313011581b2f9f5e2261b8e2b2071599c2c481baa37e39b8fe13879a0b36e4c109c31c94ef3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68b65d495d7cb5debdb53c0a140addf6

SHA1
fda8a484a6c35b44aa9bf3db1e86afc48fad67de

SHA256
6275545e3fa1868bfb0126eb55155b948825fc6dc8c90fb1ab423996938922ef

SHA512
716971467b96c96994ebe8fb9b2a1a32581550f4399537e7b80c6d04b8a5db69a1db9448df583c2fe804a686b1d1d8b8fd4ae334e5ebad101918df326d3f4461

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4bfaaeb657bb952110b494a31a421545

SHA1
6f49f8a71a2b57680917b122bc245f5801f726fd

SHA256
5542d7c239dbe8b3c770805c77084556e7fced27a38471aa2bb300e50a4053f4

SHA512
6c5ad9f3d4c3699248e928ab7a2e7c4ee113d2d06604f2f091341197468528a159d4ff9ce42b420c34bbd2c8be35cc37e99fdff786f09b688c43b4f327c12991

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0db0fbfcecfd50fe68779ba9bff903e

SHA1
ce689ad1192c813a3c29e69bcb9d69ca17f850bf

SHA256
df131c4177b15eb4e0860cd43c7068abed6be61705f3fb983bb0f37b0da2e540

SHA512
f3985d4193fde348a56bc6a583f8e8ae526a2b62a25d2678a8235df96a1c2ce715e90b5fa53a91d2b1f2261271d596e84713dab634123bc12c9c92e05e6c1fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ixwcMXCIg.bat

Filesize
218B

MD5
712fb0a2dea75290149fe505354db39d

SHA1
852f88856da9154d7f6a0d51dc8be7673c3785f1

SHA256
3f1b341601141c9ad409dcfe9b108f417a37fb2851026daa18e7ea343e9a47da

SHA512
f5d65784944922d9ffd01cca2fd8baf1e021de9fa7d45e710de4563956b606f49a226578197c8ae87df75deb88941fffadd3e2268a87071d611670e92e3382fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat

Filesize
218B

MD5
2ed3f2139a8a369c0ece9d2d56fe595e

SHA1
7281f69d1c906e53c78945d8762efd5fa1ba2149

SHA256
63a23a3d25f0c960cb1b63e95e47b7206d8cb98f64358f258634c27cd0a3bbb6

SHA512
aea185d055a5c421fbd37c9922f8ef4cf2109bcf2dbd056907a1f3607c64434bfcd61add9350f31b21b4c0b45714232c126a3ae49083c90e2f10138f641f69df

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE17B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat

Filesize
218B

MD5
14e9ccb089157ee5d021b54e6021205c

SHA1
201485ca151fb22c4878498a117008090267784c

SHA256
ba7cd11d6473a37b2e2e370fca808b9b08b24fd92d66683696104b3b2dcf1375

SHA512
9d289f3eac68d536cceaabb3fc316107365dcada442f58e7600570d32b4f16b264fe58db763cc5aa306d53d89ca03b517b6729d9683af3a8de400489df866cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat

Filesize
218B

MD5
14da99bf14c563b32c60bb53aa5d39ef

SHA1
5c3ff236fb810dd86207b284a999162b3dc1bdfa

SHA256
e0456b4ac0a9fcb192475f7f843c5929be352936f751c3b65c7a1b78d1b1192a

SHA512
4e49119dc8c6fb10184a36804b365b527159eb3eb0a8a584a8591b291651920538dfcec2e9db0e5ba0ed7516c31d54fc642c0884e119194190054890bd1754fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE19D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UyITBGB0nG.bat

Filesize
218B

MD5
154f331153d56f22abec7a8c5e01f202

SHA1
e0c89a690d996e08f376f3b1e6030baf2a000e25

SHA256
fdaf92e736af08697aeac3376c43d6105045c62c8405ec0e2ac4f11664ce0c01

SHA512
c8784d45ff1d5b42b05ee26961bab8265984c25071ecf99c24065adeb5f1bfe28f57564893a3c06650b5bcef9bee665b81b2491ca28ec3badfc40696bab1c697

Download Submit
C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat

Filesize
218B

MD5
6a23e38596eb90924fe441e90cb5c03a

SHA1
3332c3fb528df11094b8190b248b7d0af420235a

SHA256
5aa05ad138109313fdd8f592bd2a2259afe60a587b0d2a51dd8a274bed3fb181

SHA512
d46796c1fcf07184acfda7d4170faf5609800d7deb377186ab52d39ebaf2cdfd11963fa851692c89b4dcdf4446cb0baa4f881168e4bbf2b90515ffabda81d233

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat

Filesize
218B

MD5
661de5344f6a77e9469006a1c37a986c

SHA1
505a83ae76a94c8eefd9dcf855d1bd8455946178

SHA256
2bcdb18ecce1564d9af628df2ce464578006bd426ba0fc63b5b5b24cee314eca

SHA512
effbaa65c78da8685c7bf2d40831a5f05f019f55da18ae05e8e7144cb010b6b403cae9e04de55ee38b22b6bb2a5bc145cdff12feb81202c08e3b1d7e320c6f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat

Filesize
218B

MD5
46286894871afbbd58c1705621ca7502

SHA1
008d31fbc6b79843fd60f4baeb777862393ea7f7

SHA256
49e57dae3d51719b98157deee7f6310c88aa1b0d3e45ecad5b9fad42eb5dfc7f

SHA512
478648a1d35d8c740fa5f9f53a4a1c8ab574b6ba5cdcb171fcf61cd66fa7b9e56347d09439dd94d78d44a6531405c496f28ea3202d17e6a0f365a2200868aa5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmMgPtgxf2.bat

Filesize
218B

MD5
ab4577038740b09879ecf279cf542a3a

SHA1
46998d0c54f050aec5f6a66c233263ec7fd3b084

SHA256
6f133f0b3e4b410f63a661addbeb133e075a977862e09830de17aeed9a1121a6

SHA512
bbaa9cb90b17aa59754c4389fc0ab89fc0ea7158250bad6c0bdcb217f0b53fa838d4c8891a572d41c2137d5a856f35c2c8ca5a8d1069acf5e14c9031d9605a7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\n01dVjYKVw.bat

Filesize
218B

MD5
5be950df96614aa96cfc7f3e92a4b57b

SHA1
2b6ea8a1b4405a0920619c0a09f9594b2362520c

SHA256
a2228076831c924c135fded391ba0568455022d1e3d85844750d94d45611da21

SHA512
b365a22a4ffdfb9fcf13f8c072845369dc7cbbefe2cf2420e9d170bd420f028ab6223a2ac63801c215a599bf5004a89078f6c24ddac1d8e4773d4707d526268e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat

Filesize
218B

MD5
9ae49a880bbf03a37f0a7ea2b82bff26

SHA1
a0ef6bd0bf673e7ce198272a6a1660884ab32848

SHA256
ab9aee5f2161c11807e1bf72a77334a85ee02160fb170d9d156ccc4424bfbe82

SHA512
f9ba43410c8569c1d848f373a1974bc475fa506daadfbaf7c7f63b42d6552182e6fecfc52c82022618df41849d3da1bcbdef5c3eacc706eaa8be61203571fa2c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cfeb05ceb1e48153093cb818016b6b1f

SHA1
32315b3680fdd386193612cb723be07fc3a60bbb

SHA256
ed4a2b58ec63217e37fcdfd171ab727e8e6b90d33dc79ed6377ff1c5ee7a4207

SHA512
95e7bd8287b88dc58975d87d3fa704b456d4cfd817b4dfeac2bd088eac9a0322ee069c8c2518963f08f96129770a543869e1646db4a09618d9f69ff3b540187e

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1724-650-0x0000000000140000-0x0000000000250000-memory.dmp

Filesize
1.1MB

Download
memory/1724-651-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/1940-412-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2232-232-0x0000000001230000-0x0000000001340000-memory.dmp

Filesize
1.1MB

Download
memory/2352-52-0x0000000000940000-0x0000000000A50000-memory.dmp

Filesize
1.1MB

Download
memory/2432-111-0x0000000000BD0000-0x0000000000CE0000-memory.dmp

Filesize
1.1MB

Download
memory/2488-590-0x0000000000280000-0x0000000000390000-memory.dmp

Filesize
1.1MB

Download
memory/2604-172-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2604-171-0x00000000002C0000-0x00000000003D0000-memory.dmp

Filesize
1.1MB

Download
memory/2612-352-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2612-351-0x00000000013D0000-0x00000000014E0000-memory.dmp

Filesize
1.1MB

Download
memory/2828-42-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2828-48-0x0000000002000000-0x0000000002008000-memory.dmp

Filesize
32KB

Download
memory/2920-13-0x0000000000E90000-0x0000000000FA0000-memory.dmp

Filesize
1.1MB

Download
memory/2920-14-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2920-15-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2920-16-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2920-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download