dcrat | 2ae997066fa48e384c86905e188d016a82d1f1b4e5c2d73d03770413214a3a8e

Analysis

max time kernel
146s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_2ae997066fa48e384c86905e188d016a82d1f1b4e5c2d73d03770413214a3a8e.exe
Size

1.3MB
MD5

112af2cbc851f200a8ad915c0fa3fd5e
SHA1

b5af95d4ff66f2725249d932df7db4a6c1c0afbd
SHA256

2ae997066fa48e384c86905e188d016a82d1f1b4e5c2d73d03770413214a3a8e
SHA512

fc55a95588f8a1db633aa51711ff801f7d364988fc9ce87b23e805f7f6afcecd06735c8e0c23dc890cb8d091139953108424a429c1cfb6fc0f8922e192772c28
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2812	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2812	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2812	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2812	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2812	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2812	schtasks.exe	34

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000f000000018662-9.dat	dcrat
behavioral1/memory/2752-13-0x00000000011D0000-0x00000000012E0000-memory.dmp	dcrat
behavioral1/memory/1344-45-0x00000000008F0000-0x0000000000A00000-memory.dmp	dcrat
behavioral1/memory/1772-104-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/2824-165-0x0000000001370000-0x0000000001480000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2544	powershell.exe
2580	powershell.exe
2564	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2752	DllCommonsvc.exe
1344	explorer.exe
1772	explorer.exe
2824	explorer.exe
2620	explorer.exe
2864	explorer.exe
2780	explorer.exe
1032	explorer.exe
2320	explorer.exe
1360	explorer.exe
1060	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
1928	cmd.exe
1928	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
31	raw.githubusercontent.com
34	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2ae997066fa48e384c86905e188d016a82d1f1b4e5c2d73d03770413214a3a8e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2708	schtasks.exe
2860	schtasks.exe
2740	schtasks.exe
2596	schtasks.exe
2556	schtasks.exe
2880	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2752	DllCommonsvc.exe
2564	powershell.exe
2580	powershell.exe
2544	powershell.exe
1344	explorer.exe
1772	explorer.exe
2824	explorer.exe
2620	explorer.exe
2864	explorer.exe
2780	explorer.exe
1032	explorer.exe
2320	explorer.exe
1360	explorer.exe
1060	explorer.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	DllCommonsvc.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	1344	explorer.exe
Token: SeDebugPrivilege	1772	explorer.exe
Token: SeDebugPrivilege	2824	explorer.exe
Token: SeDebugPrivilege	2620	explorer.exe
Token: SeDebugPrivilege	2864	explorer.exe
Token: SeDebugPrivilege	2780	explorer.exe
Token: SeDebugPrivilege	1032	explorer.exe
Token: SeDebugPrivilege	2320	explorer.exe
Token: SeDebugPrivilege	1360	explorer.exe
Token: SeDebugPrivilege	1060	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2476	2980	JaffaCakes118_2ae997066fa48e384c86905e188d016a82d1f1b4e5c2d73d03770413214a3a8e.exe	30
PID 2980 wrote to memory of 2476	2980	JaffaCakes118_2ae997066fa48e384c86905e188d016a82d1f1b4e5c2d73d03770413214a3a8e.exe	30
PID 2980 wrote to memory of 2476	2980	JaffaCakes118_2ae997066fa48e384c86905e188d016a82d1f1b4e5c2d73d03770413214a3a8e.exe	30
PID 2980 wrote to memory of 2476	2980	JaffaCakes118_2ae997066fa48e384c86905e188d016a82d1f1b4e5c2d73d03770413214a3a8e.exe	30
PID 2476 wrote to memory of 1928	2476	WScript.exe	31
PID 2476 wrote to memory of 1928	2476	WScript.exe	31
PID 2476 wrote to memory of 1928	2476	WScript.exe	31
PID 2476 wrote to memory of 1928	2476	WScript.exe	31
PID 1928 wrote to memory of 2752	1928	cmd.exe	33
PID 1928 wrote to memory of 2752	1928	cmd.exe	33
PID 1928 wrote to memory of 2752	1928	cmd.exe	33
PID 1928 wrote to memory of 2752	1928	cmd.exe	33
PID 2752 wrote to memory of 2544	2752	DllCommonsvc.exe	41
PID 2752 wrote to memory of 2544	2752	DllCommonsvc.exe	41
PID 2752 wrote to memory of 2544	2752	DllCommonsvc.exe	41
PID 2752 wrote to memory of 2564	2752	DllCommonsvc.exe	42
PID 2752 wrote to memory of 2564	2752	DllCommonsvc.exe	42
PID 2752 wrote to memory of 2564	2752	DllCommonsvc.exe	42
PID 2752 wrote to memory of 2580	2752	DllCommonsvc.exe	43
PID 2752 wrote to memory of 2580	2752	DllCommonsvc.exe	43
PID 2752 wrote to memory of 2580	2752	DllCommonsvc.exe	43
PID 2752 wrote to memory of 1644	2752	DllCommonsvc.exe	47
PID 2752 wrote to memory of 1644	2752	DllCommonsvc.exe	47
PID 2752 wrote to memory of 1644	2752	DllCommonsvc.exe	47
PID 1644 wrote to memory of 1816	1644	cmd.exe	49
PID 1644 wrote to memory of 1816	1644	cmd.exe	49
PID 1644 wrote to memory of 1816	1644	cmd.exe	49
PID 1644 wrote to memory of 1344	1644	cmd.exe	51
PID 1644 wrote to memory of 1344	1644	cmd.exe	51
PID 1644 wrote to memory of 1344	1644	cmd.exe	51
PID 1344 wrote to memory of 1744	1344	explorer.exe	52
PID 1344 wrote to memory of 1744	1344	explorer.exe	52
PID 1344 wrote to memory of 1744	1344	explorer.exe	52
PID 1744 wrote to memory of 780	1744	cmd.exe	54
PID 1744 wrote to memory of 780	1744	cmd.exe	54
PID 1744 wrote to memory of 780	1744	cmd.exe	54
PID 1744 wrote to memory of 1772	1744	cmd.exe	55
PID 1744 wrote to memory of 1772	1744	cmd.exe	55
PID 1744 wrote to memory of 1772	1744	cmd.exe	55
PID 1772 wrote to memory of 2784	1772	explorer.exe	56
PID 1772 wrote to memory of 2784	1772	explorer.exe	56
PID 1772 wrote to memory of 2784	1772	explorer.exe	56
PID 2784 wrote to memory of 2776	2784	cmd.exe	58
PID 2784 wrote to memory of 2776	2784	cmd.exe	58
PID 2784 wrote to memory of 2776	2784	cmd.exe	58
PID 2784 wrote to memory of 2824	2784	cmd.exe	59
PID 2784 wrote to memory of 2824	2784	cmd.exe	59
PID 2784 wrote to memory of 2824	2784	cmd.exe	59
PID 2824 wrote to memory of 2300	2824	explorer.exe	60
PID 2824 wrote to memory of 2300	2824	explorer.exe	60
PID 2824 wrote to memory of 2300	2824	explorer.exe	60
PID 2300 wrote to memory of 2084	2300	cmd.exe	62
PID 2300 wrote to memory of 2084	2300	cmd.exe	62
PID 2300 wrote to memory of 2084	2300	cmd.exe	62
PID 2300 wrote to memory of 2620	2300	cmd.exe	63
PID 2300 wrote to memory of 2620	2300	cmd.exe	63
PID 2300 wrote to memory of 2620	2300	cmd.exe	63
PID 2620 wrote to memory of 1716	2620	explorer.exe	64
PID 2620 wrote to memory of 1716	2620	explorer.exe	64
PID 2620 wrote to memory of 1716	2620	explorer.exe	64
PID 1716 wrote to memory of 2028	1716	cmd.exe	66
PID 1716 wrote to memory of 2028	1716	cmd.exe	66
PID 1716 wrote to memory of 2028	1716	cmd.exe	66
PID 1716 wrote to memory of 2864	1716	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2ae997066fa48e384c86905e188d016a82d1f1b4e5c2d73d03770413214a3a8e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2ae997066fa48e384c86905e188d016a82d1f1b4e5c2d73d03770413214a3a8e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3qIDwt1oDr.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1644
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1816
      - C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oPL6j2OtN4.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:780
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c38FLB8gIG.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2776
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2084
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nKCzYbro9F.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2028
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cu7QADyCUt.bat"
        15⤵
        
        PID:2980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2516
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kvUluF99a5.bat"
        17⤵
        
        PID:2788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:688
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HGlJwS3LgK.bat"
        19⤵
        
        PID:2380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1684
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat"
        21⤵
        
        PID:2680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2108
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wLA3izB53h.bat"
        23⤵
        
        PID:2556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2860
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9fcdc861e274069b8d5733936a0f3523

SHA1
8a93bb7c85781214b7de52512d860d87e0dd9974

SHA256
be4bfb512aee1c8a7c4f10cc3167ae46400668abc4618b6bf6df9506af37d182

SHA512
2245b57aab06f3f2d73684702d15dbe0db6d75f00ca10e3b941445ddc660c34a86ead46e54933463c8d1f6d4f89d307ed6a8789159d36f3bb77c669ebd67e83e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ad734ba0019688c5d632350af7b96cf

SHA1
39414f48dda08bcddcfe2ddf77a8443494a756bf

SHA256
ad761aa5e61a0cfbc05693ed5fa4491088228497e178c893be3087bbe7bf6629

SHA512
90ffca1f73c01b45a9f833a5d526c865219a30c8a6cb92e7afeac066910c5e2d03f20c323ef9aeb44d39906ccce39183a716578f167b09b09d97ffb8a23c81d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f26881a1684080670648576aeda649e9

SHA1
3c4782c993098f816f278fcc66dc323aaa2b60cf

SHA256
4750129e45c5816f15417d2b44c2aeaaa173083e1ad9bdfc135bd4a055b85023

SHA512
e10d6f982e6433728b57ba6597a04ae3fb33f5b423a4a9895c7fae52b2488c5fd9728ba123aa7cc2ff5d4de1b6234f20f4244db8437af176c56522f21e1eab53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b8c505f678caf6e051e64a69f20148e

SHA1
c6e98803ec53d02a312fa245455e9e2b7206b29b

SHA256
9390a3111c1aad938e6c3a9a1e3e1d1bed907a2d11a3cdf4e46d6f0f5ec8b8f0

SHA512
e04f2c6a51fca04fdddf7794e4ed78df15106bfc585fb9c9382c25149ad2980263b7df19cafea08094885fc940328ffd2bbce2f4a05aa065cc61f27a433171f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29d6ceb931fb7b206f3b1a8ab2489e2a

SHA1
9854195143c0368171069c65de96fed668421321

SHA256
f18c2b0c0aedabce6503bdd520f6821b3adec1fd0cde1299ea8f9867ad2c1bed

SHA512
d164466855ca852a81bd7a82fc21a6cf651502c090d336e880a7385705fb930ebb768bab7b33ca6385fb23c4bc99887bb6ce1d47d2f0c9ccceba7d5e831a87bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9715343a8c6d33d27057fb45854c864f

SHA1
b23a8f027d105d8d78459bf2c1ccdf523cd344b3

SHA256
cc9a4aa29e279bc367a689147bf98c7f4284bb11cdb1605e957e3c6803d4bb04

SHA512
c98489ae1027c9e752a1fc0d0f4cf47cb5f1c1bed397f210b4d54df2e3cefd1cc80b7c3ef127598c9115e57ee5d96690a867c403d3d7fb617ec39278be3a438b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86be946e047630e2b4873e89dac58e5b

SHA1
8a334489a3ab9d0b7e217efee376089aa48928ba

SHA256
a16400d99d95fe6e822f81e4ce4c732b7826b35a34b603c3ebd951b668e8a3a0

SHA512
2d32146215e3446e7b35f9557f5c2423b0116059d32564a22e596e692829956ee7c4c7a9aab6ef1b881c74ce9511f0376c5ebc91ca60967601f2ee5d96004fec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9a49aa79479ef0031149e6e83542542f

SHA1
5edea749a172e53bf0da03b823e27afa17c43cd5

SHA256
8c0721b806e483533437a8b101b863e9839c9640c87e65e43e3e4447e3b840e9

SHA512
dc3b78e6513591088a68184a1fc2692607852168dcd1b447fb31356de68ae92d470be789ebf01cb9135a34d71cbcb4f12bb88d84927b9750e165313d4ae9c5dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3qIDwt1oDr.bat

Filesize
240B

MD5
e929bac05925e4eb710bd7da86b0ced7

SHA1
8d5fd1b50340ab12b2d34b760c74b465e0e3a099

SHA256
6585dd173e1dcfa5e79994264a8bd7728929b235f73310d16eb9468e1ed56e00

SHA512
df4484530dc469e16fe661ec9442d49fd67203002b5306ad0cfe735aa0514b7691e4deddfe0478ae97c48e9614077151f43d1f6d279c905ab7cb0b7534721bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9B3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HGlJwS3LgK.bat

Filesize
240B

MD5
68034fef08def4442e083f875e0edbb8

SHA1
0d7a386e305184c2011937e83652d76a2bf5307a

SHA256
f794bdc975c07b0c9fc65bec4becb6e28d1a16cd3a5f3093235e4a0ec49ed776

SHA512
11f15f09e6764a332450af1715c9a1bff0d5dec43c92a823a3891f3cf99a20b76d7ec38de494ff820bf4fa2a13e8be8b7278f6d07658a0933f52f323c30bd3f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9D5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c38FLB8gIG.bat

Filesize
240B

MD5
bca3f0173214bd9b35c1c5065d48d7ba

SHA1
b6028c55b28e689bb784b96dce1930bdc69e06a1

SHA256
dd4a11dcaaf77dde80e3468842356641d38ca525d74117b02217dca81a7b8177

SHA512
4d1cf9ae3bb89602ce5aff262156d65071a088d558541e77b0eb2924a0bd12536b341c2e194ded0898b6942196b1ae9eced19cbd6e19581edd6451adfbd68d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cu7QADyCUt.bat

Filesize
240B

MD5
e01c50b8e2f5fde56df0ad800294e77a

SHA1
66b80b4f336070e71fe0b1eb0f4a58ca0ec789cb

SHA256
a7916b52134439dd6caa308c69726690c2884d0858c30e0091b362d8c7230502

SHA512
59703f56a722d97e6e27ae0d9e37b81c3e03716a04c79d7b1aa5a18ff0c3a26fd3de30bc372684354336b42177e3455789dfe3f2031d789dc7a820710a594a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat

Filesize
240B

MD5
b095652acd525208031c89815f6bb51b

SHA1
4cc9d74b56f9bf9990b1f7106a5d16091f3cd7db

SHA256
0221810edef46828a3a90e4d84493b720a6de66dd59c7cb57e996d8dbadfa14f

SHA512
a00440ed2a49b4594cbcecef5a57e2f5d1abb92eba7db71da14773a8da614d88080dcd46844b85d325d9a7154d3b3ee2c48932bcc68513a9360998c3883497c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat

Filesize
240B

MD5
f48d9f1d6774dcb451c5c1ad922d7f48

SHA1
f991ac76433893053ab91b59104aecf0b7862da1

SHA256
c2721e4304a8ef96552adc1aed373bad890cbab47896996953e778bb2940aa91

SHA512
15e8d6ab7ba42ca94dae21359df513b894b6801c0bb3601dce0cc402190470f08dfe9fb672e6ef5546ba69b1779d90e6230f4ddbed9aff90518783419e41a24d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kvUluF99a5.bat

Filesize
240B

MD5
f2b4064b0cbeb323c9989c37049dfe86

SHA1
098262c4a0f95d5afba42c904c653db886c6147a

SHA256
10f0ee8881d075139973c80536440d36841eed0baa23ed70e53cf1e07ec31198

SHA512
ebb75f5f6c7c10ca16edd5c432d9310a3a28cb2d6e521d38fad42c3b5e676d7ea5e35b10c5f3b142c115f6ef855440f61761e7a87cb2a9cda4c54ce34c4c04c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nKCzYbro9F.bat

Filesize
240B

MD5
a5a4bb205f84ee5533915e47d3b40e37

SHA1
e0733237ba1e0cc733745cb68017cf72e863cd94

SHA256
8fb1eac9baf0c0dab1b41e1b5a45daf6169f8be07e129f2ab17eb7dcc4b53cb4

SHA512
9b5a6ca63eaa77783140896806186fc12d4e4343d1826f3f98c9456a972e7697bd57362112d47645563353ed062007cb63dc85e796b7f8bff487108ba943ddca

Download Submit
C:\Users\Admin\AppData\Local\Temp\oPL6j2OtN4.bat

Filesize
240B

MD5
c19ab4d4da27da00dc86e1cc0400fc80

SHA1
735df841f498a48d4346c1e1ddee99e43c7bd776

SHA256
96f7a5b48b6a5bb0ccd489438c033510a213c03a5360e514f94a5ffc22371cfb

SHA512
a676cb6a3a70e079f58198bba5a97f38f9ed837ce7c474e79d45724c47962b5bcfdf1744116dd7540940f3ce5a4d79b69594f1d700f199be7116f09363abf47d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wLA3izB53h.bat

Filesize
240B

MD5
df6872099297d0d954c7815eb03154f7

SHA1
d8af895085e1b08d9179c723a7a8abc5422a28bf

SHA256
381d641cfe9728d26fe48179edb652f8ed54991bb126f7e1fdbd36f586a425f1

SHA512
a60e3082ecad8ddc0fa6f2e3bd8f55b7ed60e1a23b87ddcf8be0e6ee569902068e4b5af382abc3762dd7f22dc97e2e26d841282ed31236b10ef58190b6a016f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BGQXXB10TDFOMJRWNL8X.temp

Filesize
7KB

MD5
d044b0054ac241358a0f80dc5517fdb2

SHA1
d8659656da15dd13c122a6217a376b389dbbe1aa

SHA256
2ba0f00bf968f926c8b39e7b3618d530be5acaa1df3a5ba73aa9d74a38dd187c

SHA512
0868575472f46d2263e2734d30487969c9b7d2e9f47f928aecfc76b933413ccf0c9bfe2beb83faed4437d8077c3503f29139c470eadb0e3afb69299d9592d0bf

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1344-45-0x00000000008F0000-0x0000000000A00000-memory.dmp

Filesize
1.1MB

Download
memory/1772-105-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/1772-104-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/2564-40-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2564-41-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/2752-15-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/2752-16-0x0000000000150000-0x000000000015C000-memory.dmp

Filesize
48KB

Download
memory/2752-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2752-13-0x00000000011D0000-0x00000000012E0000-memory.dmp

Filesize
1.1MB

Download
memory/2752-17-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2824-166-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2824-165-0x0000000001370000-0x0000000001480000-memory.dmp

Filesize
1.1MB

Download