dcrat | 8a350bdac64ffc53c7705be98ca93221c8f866046d4e042ae7dbc3c2b605a2bc

Analysis

max time kernel
147s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8a350bdac64ffc53c7705be98ca93221c8f866046d4e042ae7dbc3c2b605a2bc.exe
Size

1.3MB
MD5

1d670884d4b4fd4c74bffc5a5f23d666
SHA1

db6cfd8beb17e312b02596154b953a2d3584b4cf
SHA256

8a350bdac64ffc53c7705be98ca93221c8f866046d4e042ae7dbc3c2b605a2bc
SHA512

1a97481e747a42d1905bd6c1346d6dfb49c62f94988277af5c70f0b24c4c2eb9558b397066563fd1398b6bc7ad1a7ec826377d510fc6cd057a0c93d746d30334
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2880	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016855-12.dat	dcrat
behavioral1/memory/2732-13-0x0000000000350000-0x0000000000460000-memory.dmp	dcrat
behavioral1/memory/2652-37-0x0000000001160000-0x0000000001270000-memory.dmp	dcrat
behavioral1/memory/1492-110-0x00000000012E0000-0x00000000013F0000-memory.dmp	dcrat
behavioral1/memory/632-229-0x00000000001E0000-0x00000000002F0000-memory.dmp	dcrat
behavioral1/memory/1456-289-0x0000000000FF0000-0x0000000001100000-memory.dmp	dcrat
behavioral1/memory/1976-349-0x00000000013A0000-0x00000000014B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2460	powershell.exe
2932	powershell.exe
1092	powershell.exe
2820	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2732	DllCommonsvc.exe
2652	WmiPrvSE.exe
1492	WmiPrvSE.exe
2800	WmiPrvSE.exe
632	WmiPrvSE.exe
1456	WmiPrvSE.exe
1976	WmiPrvSE.exe
1004	WmiPrvSE.exe
2460	WmiPrvSE.exe
2892	WmiPrvSE.exe
2724	WmiPrvSE.exe
1260	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
1964	cmd.exe
1964	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
32	raw.githubusercontent.com
36	raw.githubusercontent.com
39	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
25	raw.githubusercontent.com
4	raw.githubusercontent.com
16	raw.githubusercontent.com
22	raw.githubusercontent.com
29	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\de-DE\explorer.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\7a0fd90576e088	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8a350bdac64ffc53c7705be98ca93221c8f866046d4e042ae7dbc3c2b605a2bc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2800	schtasks.exe
2764	schtasks.exe
2644	schtasks.exe
2240	schtasks.exe
2376	schtasks.exe
2624	schtasks.exe
1884	schtasks.exe
2836	schtasks.exe
1560	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2932	powershell.exe
2820	powershell.exe
2460	powershell.exe
1092	powershell.exe
2652	WmiPrvSE.exe
1492	WmiPrvSE.exe
2800	WmiPrvSE.exe
632	WmiPrvSE.exe
1456	WmiPrvSE.exe
1976	WmiPrvSE.exe
1004	WmiPrvSE.exe
2460	WmiPrvSE.exe
2892	WmiPrvSE.exe
2724	WmiPrvSE.exe
1260	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	DllCommonsvc.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2652	WmiPrvSE.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	1492	WmiPrvSE.exe
Token: SeDebugPrivilege	2800	WmiPrvSE.exe
Token: SeDebugPrivilege	632	WmiPrvSE.exe
Token: SeDebugPrivilege	1456	WmiPrvSE.exe
Token: SeDebugPrivilege	1976	WmiPrvSE.exe
Token: SeDebugPrivilege	1004	WmiPrvSE.exe
Token: SeDebugPrivilege	2460	WmiPrvSE.exe
Token: SeDebugPrivilege	2892	WmiPrvSE.exe
Token: SeDebugPrivilege	2724	WmiPrvSE.exe
Token: SeDebugPrivilege	1260	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 1716	2900	JaffaCakes118_8a350bdac64ffc53c7705be98ca93221c8f866046d4e042ae7dbc3c2b605a2bc.exe	30
PID 2900 wrote to memory of 1716	2900	JaffaCakes118_8a350bdac64ffc53c7705be98ca93221c8f866046d4e042ae7dbc3c2b605a2bc.exe	30
PID 2900 wrote to memory of 1716	2900	JaffaCakes118_8a350bdac64ffc53c7705be98ca93221c8f866046d4e042ae7dbc3c2b605a2bc.exe	30
PID 2900 wrote to memory of 1716	2900	JaffaCakes118_8a350bdac64ffc53c7705be98ca93221c8f866046d4e042ae7dbc3c2b605a2bc.exe	30
PID 1716 wrote to memory of 1964	1716	WScript.exe	31
PID 1716 wrote to memory of 1964	1716	WScript.exe	31
PID 1716 wrote to memory of 1964	1716	WScript.exe	31
PID 1716 wrote to memory of 1964	1716	WScript.exe	31
PID 1964 wrote to memory of 2732	1964	cmd.exe	33
PID 1964 wrote to memory of 2732	1964	cmd.exe	33
PID 1964 wrote to memory of 2732	1964	cmd.exe	33
PID 1964 wrote to memory of 2732	1964	cmd.exe	33
PID 2732 wrote to memory of 1092	2732	DllCommonsvc.exe	44
PID 2732 wrote to memory of 1092	2732	DllCommonsvc.exe	44
PID 2732 wrote to memory of 1092	2732	DllCommonsvc.exe	44
PID 2732 wrote to memory of 2820	2732	DllCommonsvc.exe	45
PID 2732 wrote to memory of 2820	2732	DllCommonsvc.exe	45
PID 2732 wrote to memory of 2820	2732	DllCommonsvc.exe	45
PID 2732 wrote to memory of 2460	2732	DllCommonsvc.exe	46
PID 2732 wrote to memory of 2460	2732	DllCommonsvc.exe	46
PID 2732 wrote to memory of 2460	2732	DllCommonsvc.exe	46
PID 2732 wrote to memory of 2932	2732	DllCommonsvc.exe	47
PID 2732 wrote to memory of 2932	2732	DllCommonsvc.exe	47
PID 2732 wrote to memory of 2932	2732	DllCommonsvc.exe	47
PID 2732 wrote to memory of 2652	2732	DllCommonsvc.exe	52
PID 2732 wrote to memory of 2652	2732	DllCommonsvc.exe	52
PID 2732 wrote to memory of 2652	2732	DllCommonsvc.exe	52
PID 2652 wrote to memory of 564	2652	WmiPrvSE.exe	53
PID 2652 wrote to memory of 564	2652	WmiPrvSE.exe	53
PID 2652 wrote to memory of 564	2652	WmiPrvSE.exe	53
PID 564 wrote to memory of 2456	564	cmd.exe	55
PID 564 wrote to memory of 2456	564	cmd.exe	55
PID 564 wrote to memory of 2456	564	cmd.exe	55
PID 564 wrote to memory of 1492	564	cmd.exe	57
PID 564 wrote to memory of 1492	564	cmd.exe	57
PID 564 wrote to memory of 1492	564	cmd.exe	57
PID 1492 wrote to memory of 2604	1492	WmiPrvSE.exe	58
PID 1492 wrote to memory of 2604	1492	WmiPrvSE.exe	58
PID 1492 wrote to memory of 2604	1492	WmiPrvSE.exe	58
PID 2604 wrote to memory of 2288	2604	cmd.exe	60
PID 2604 wrote to memory of 2288	2604	cmd.exe	60
PID 2604 wrote to memory of 2288	2604	cmd.exe	60
PID 2604 wrote to memory of 2800	2604	cmd.exe	61
PID 2604 wrote to memory of 2800	2604	cmd.exe	61
PID 2604 wrote to memory of 2800	2604	cmd.exe	61
PID 2800 wrote to memory of 2820	2800	WmiPrvSE.exe	62
PID 2800 wrote to memory of 2820	2800	WmiPrvSE.exe	62
PID 2800 wrote to memory of 2820	2800	WmiPrvSE.exe	62
PID 2820 wrote to memory of 2528	2820	cmd.exe	64
PID 2820 wrote to memory of 2528	2820	cmd.exe	64
PID 2820 wrote to memory of 2528	2820	cmd.exe	64
PID 2820 wrote to memory of 632	2820	cmd.exe	65
PID 2820 wrote to memory of 632	2820	cmd.exe	65
PID 2820 wrote to memory of 632	2820	cmd.exe	65
PID 632 wrote to memory of 492	632	WmiPrvSE.exe	66
PID 632 wrote to memory of 492	632	WmiPrvSE.exe	66
PID 632 wrote to memory of 492	632	WmiPrvSE.exe	66
PID 492 wrote to memory of 1708	492	cmd.exe	68
PID 492 wrote to memory of 1708	492	cmd.exe	68
PID 492 wrote to memory of 1708	492	cmd.exe	68
PID 492 wrote to memory of 1456	492	cmd.exe	69
PID 492 wrote to memory of 1456	492	cmd.exe	69
PID 492 wrote to memory of 1456	492	cmd.exe	69
PID 1456 wrote to memory of 2808	1456	WmiPrvSE.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a350bdac64ffc53c7705be98ca93221c8f866046d4e042ae7dbc3c2b605a2bc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a350bdac64ffc53c7705be98ca93221c8f866046d4e042ae7dbc3c2b605a2bc.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\de-DE\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
    - - C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2652
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2456
        
        C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2288
        
        C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aoAocY3YSO.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2528
        
        C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:492
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1708
        
        C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat"
        14⤵
        
        PID:2808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2596
        
        C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"
        16⤵
        
        PID:1496
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2040
        
        C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o09MCfWrWU.bat"
        18⤵
        
        PID:756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2824
        
        C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat"
        20⤵
        
        PID:2052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1292
        
        C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat"
        22⤵
        
        PID:2276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2792
        
        C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fZs2sOO0th.bat"
        24⤵
        
        PID:2188
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:3000
        
        C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aPx44ABVco.bat"
        26⤵
        
        PID:2032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ec462ea00dec46fb21568dc519af925

SHA1
692f04f17165ecd4ea1e460a3af005ca14409f1c

SHA256
f72b24edecfdb9f9438fba49da5b535415c89765b07ca6dcadd9b13cbf7cf6e3

SHA512
ee44694b3b42da8706008f3eb67642dd16b2e23b3a0c79663d79a7a83adc8c0bd3192aa01c7308d384222b1936952afd01703dc3a5d286ef2023d7e2e648085f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe8b3c884032c234ac7f9575806179bc

SHA1
23d4b15bec025728e5d3a36ec3630b31917c50a4

SHA256
c13a5af91615e0576e35c17aaf2d7dd96ddaf597843ade21967ef98f12e13b1d

SHA512
9d40505abc8aa7ade1788f7c78c389dc75582b171a83d943925738ff32fa31e122b87f076f3f0fb3b5f991601867e0af8e46095819074aa1ab0f75c908ff17a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de8e79edb7c41d13f720bc7d18a278fc

SHA1
b5348eb8ce40540a97093740c07d84319bb22867

SHA256
b01bc24eb7cef6cae4ae22fb4ee0a267b8f9bb0cd700e414317c974bab7a8078

SHA512
84bac98116ebc4870199d90cfba82843d5334867d716fb06000d491d562a335a1af4b1ae188f4f38eee4db6762c7bd6d2d88cd9890a7d368368bef96edc2b08e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f221ebd3e8d0a64b9e529777b45bd451

SHA1
23ee1fd8e5b28a1838bbaf2ef49444e49b6ebfe0

SHA256
a1a8a7fff31422bc506b5fbdc83750a8d36304303bc41d46780f06d1e4ae6c0a

SHA512
6b4718ad6a1658e04cc7e5a52d4cf898dbcd5252e5211aa3644f267b76f5cd9d08145bd4df90e1d1614874eba32fc54f230bc8b4c90ab7149557a47a746a294c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df0776145fb07fe0ad8eea54560a8658

SHA1
28206f9fa5e913df007055594beeaa541d5f07fc

SHA256
3bc643a5921410ac51569e11fc8579932070a56ddb33f1d819809d04f9a88b90

SHA512
79754fe5d9b54c06648ff909f43d3f069086ab421bd1a963ed98ccab651afa0926bc33c1e4a70878aa67f7b8911ae5af201387655e3d6708cd9e2e33f8de20d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b745d63d2d68a1a5998958654f16ff2d

SHA1
fe97218b7f581f229073407ca1c67c44e02c6e76

SHA256
18759de9814bf709e68d0379823672a63ab41d21b4012bb16a45da49ba825bd1

SHA512
94e23c34ea4768edeb1d073a143c8fd443e1bf83cafe5539fcfe3d07a72a60618e9adbbb5e4dead40e8f1e9cedc45665850f265d7dbc9768a8d90e1871b798b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b0c9843b544666b83fbf67c5b30b6e3

SHA1
4cc9fd08c6f46b2233ca11a092520b21a2fb1a28

SHA256
38fd5eed45f9eae4a46dd193e8175acabc5e070fc6acfcd7dc5003456f6f67f9

SHA512
18c4498ff31f2db72245e13f3b1d57769a13bb14cc33ca7cfb9c6aee611c6d2f1fdaf837c350a77dbec7868ddda5e68da6ec4356c2def783c51daa6cd6086456

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
451e8d22e72678481d0dcf864ca76877

SHA1
16e216ae4b54bc546417fa17247abfef6de2686d

SHA256
6199ea957c8c7fbff6976272e945be7a94ed308d8b9a03510eb7467f4dd12e23

SHA512
23859c77942aeded254f1b260833e91c42569b989e4151275992583c612b4a54c975c3f9653ed355f4c2ab2fad6fb385138eb51527d2db0ac7886e79945d48f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7279c9ed0538b6fde9948ddd3ab6ede

SHA1
209d228e3c92b6c4dc7f9f1ef438cbab6a65466a

SHA256
97e90c0b456a25e3c3493be366004c1787f258f23c9eb8ee982f6f9cc30ef853

SHA512
5ed2f856c809d8cf68a8eef110eda4fb85813f64ec0b76d34926c78fd18573d898c2558e91050425b65f213d50e50aa09f0cb2e483225420f358b65efff8b3c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27d050c83aca71d749930091ba71a21e

SHA1
f87beac760d64a8011f836e0732994f3ffd0c312

SHA256
a9de5a1f1275f571eb9ac98040207ea2e0f08088ad55742b5af31b439ce2b7ea

SHA512
7b974ee3c5db9e8b71ca1daf79185417771d7f4e33731ef217e00797158731b86810c0eb0af5888cfbea159782c54c5922040dcf840302f45ed4e8b6577c4256

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCB7B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat

Filesize
195B

MD5
1f92f8aeb22549293ce25ab0db44d356

SHA1
2000c519cf639ae987c7c0228c4c66f805048541

SHA256
54ea2e5e200a8fd06da3c7a5df685977254dd705c5f4b9881e164663e534c6e3

SHA512
4757fcad174dec199afe413c53703cc0c7fd22857ff446d5e2baffb9afa6fc0e72049fa8ec80f322350275a90ce0bfea00de7b0ee5ebc8cb698ecfc1a8a5bcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat

Filesize
195B

MD5
0c6330788ee41f947e43fa45e455a706

SHA1
1705af8d26acfcccacbe1cc68afdc549ad24e25a

SHA256
06853db278cf9e489db9fb40d46104c5517c783c9865f446423c8f57bffeae62

SHA512
a79744b5fb8ef918cb0b7452ed6d12dd9f7bec44de8748379b88cd9723782b113456f20d096327c14cb9feffaa4c197a4e9bf89aef11d0157857ad489e6aaab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat

Filesize
195B

MD5
ca47d17d25a15eb609cb706c8cbe9293

SHA1
1a11a5862803119dfadec63a234dc6a2061552cc

SHA256
03d14de990214f2ac6c7d5bb02504dd18721e6b03a01b2bddbb9f3977efbeb11

SHA512
98c0d9aa7940d25d0dccd15c472f68d4279d3dd7d35a9caa43f584bf88e2308ff963d7b68001d8d91201b2d9dcbbea8738e9654aeb524b3721f32798388e6dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCB9E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aPx44ABVco.bat

Filesize
195B

MD5
33be19a66a9edfc75bff7c8041246d19

SHA1
8a2fb15fc86d9c26b025091151e16244fd4f12e6

SHA256
2d8a23bb816721088842013293f8134422527a9ef610508c68264b3a23e55e71

SHA512
5d2c471b4525bacfc73a1da98c011b697f0604e44f97bbcadbb26f17cb46914c647ec1928534980e96cf885121c66d2d76fb40aa19dac0b1b86baa6a1f9a9435

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoAocY3YSO.bat

Filesize
195B

MD5
e9c27b9aaa2b0521af9287cfea6e1792

SHA1
10095ab41ebf1ead4f1c50feaf764ca907de6dd3

SHA256
31c88779116c3eba2dee74a5d83a30cef36746f70bb7a2c0b5d86a17febfa4f3

SHA512
dacd86dfa8b39dfee3d9badf5be585047d9ab1dc81e76645956375ad554ee9bc71a3f5bff3452d52f823517972c196977a718b56e0935a69996529072322c833

Download Submit
C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat

Filesize
195B

MD5
d5a77d85a29b3f4aa2b01be75a44ec77

SHA1
17c503d653629a2b19fa15da3582c6e00402d94a

SHA256
a30bbd239071e012ec2e1630398f37fa78b17cb5dc3af5ecd2e899a1bbb6782d

SHA512
9ecfc8f39262b36e06fd9c4f3f1a2646ed089a20690e0f0dec84bc365fb7247b36d2982326e37c604a0420e3c1a68b141a4f6970141120ad257b8134b18a3539

Download Submit
C:\Users\Admin\AppData\Local\Temp\fZs2sOO0th.bat

Filesize
195B

MD5
814b31072dc2442fbcdb96ac0e3f3a78

SHA1
02db70aeb9d97f6f5e3a0c777151b5546daea1ed

SHA256
37f21d6da48f0a97fd360d3a78c39824618e3c21c0a7d902f6fab4649307d57f

SHA512
fcbb796f06196f372efb59086fbddc5d73da00fe82d86fa919292528fdc4fc5703feb4ad5d51b1546ead316e01888ef820e4260d01aef5f5860c1a7bb824843e

Download Submit
C:\Users\Admin\AppData\Local\Temp\o09MCfWrWU.bat

Filesize
195B

MD5
c0c5298b800cfac944807ba1e3314521

SHA1
d260ae57e3130210b5c86aecc9ae3c871538c7f3

SHA256
fd9fccb587d9fc124fbeeb250c01c05a0ffa703ee204949c4b18470011ffc685

SHA512
61f1a3be092cb2bf64c08715236b4d57e009a5943fdfbac534e71665a447ae9aa26addb33e19cc73f25bc344366ef54997c36531489df8dcc4aa448e7997cf6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat

Filesize
195B

MD5
32978dcb1038bb33de3c7cb66582e967

SHA1
77519e0bf8aaafa682510b47be291d7b5ca8cabd

SHA256
c1093633f6a6263c8c6dc2162fe576d3b9c19a3bd0c9389ca078bebf0023e305

SHA512
bea7ea232d1129bac48d3def4943e6cfbe0d570d0a0b94690f62ae00852b98b034f950999cdc84ebb92be468d00a80d8cc60c8cfcb4b03af1eaff0e05f10456d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat

Filesize
195B

MD5
8142a605697ce63a74c7c2a9479b0d59

SHA1
806523bb279559e45559e11f3bb42958d543670f

SHA256
357092d043d5fcd89907e186f1811454002ea416979428743d3f5f8ef610c4b4

SHA512
020a6b483db95817a7a191693dea1764503ddc5350c78e74ae7dd7bcb9bae1334aaa31b688b30766d5a453d56f26e943b100f025b237a2f621d67a73783b2205

Download Submit
C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat

Filesize
195B

MD5
7a27a32102241d6b33d525d8cba740ad

SHA1
eef9978693fea3f2da5342558f4a05e5332b6467

SHA256
b8be54c561374005d85e676fa2247f73809e64cc2739fc95a5c952e0d367ac8b

SHA512
b4ff5019b4ffdb4e9966384d470a62125cb7ca83f7446c06c0cbcf1e11da40a1af8962c63e314e11becd68224d3af6030f88abdc453ea6bc53022bab69601cd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
170a309e56706ea0e8d7d775f16759f7

SHA1
9a21deba68b921a580e2764deed987c5a9dbc4f7

SHA256
e290f87e0ff3a4f6207a2ec4a1aee4fecafd944b004de90c0abd626f5c978805

SHA512
c2ae7c375247f28cd44174bee3cc3e2bd534c490b50a8ace5218a8c6bea7adf8ad6ee16801be8a4adfc6e83bc4d2d8594a7843210f6a182724be0c11f583e249

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/632-229-0x00000000001E0000-0x00000000002F0000-memory.dmp

Filesize
1.1MB

Download
memory/1456-289-0x0000000000FF0000-0x0000000001100000-memory.dmp

Filesize
1.1MB

Download
memory/1492-110-0x00000000012E0000-0x00000000013F0000-memory.dmp

Filesize
1.1MB

Download
memory/1976-349-0x00000000013A0000-0x00000000014B0000-memory.dmp

Filesize
1.1MB

Download
memory/2460-468-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2652-37-0x0000000001160000-0x0000000001270000-memory.dmp

Filesize
1.1MB

Download
memory/2732-14-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download
memory/2732-16-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/2732-15-0x00000000006F0000-0x00000000006FC000-memory.dmp

Filesize
48KB

Download
memory/2732-17-0x0000000000780000-0x000000000078C000-memory.dmp

Filesize
48KB

Download
memory/2732-13-0x0000000000350000-0x0000000000460000-memory.dmp

Filesize
1.1MB

Download
memory/2932-36-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2932-35-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download