dcrat | c0b6a8de77504999c276aa2e278bdde864105b199f5749382da5c77d074e90ed

Analysis

max time kernel
148s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c0b6a8de77504999c276aa2e278bdde864105b199f5749382da5c77d074e90ed.exe
Size

1.3MB
MD5

4cc6adc2389458feaf41c2487d013eca
SHA1

430c0eef494e465ff1c6b3e36d3d59051b2e33cf
SHA256

c0b6a8de77504999c276aa2e278bdde864105b199f5749382da5c77d074e90ed
SHA512

877bacdc7b20975a221d3a3a85c08fbe8dd3c6994a8d3d0307206714233d3831f7d4f81b512dafc721d86357a4955c3f23bcbfa212f37ceb833cb5c180530093
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2840	schtasks.exe	35

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001706d-10.dat	dcrat
behavioral1/memory/2712-13-0x0000000001010000-0x0000000001120000-memory.dmp	dcrat
behavioral1/memory/2396-58-0x0000000000CA0000-0x0000000000DB0000-memory.dmp	dcrat
behavioral1/memory/2764-235-0x0000000001040000-0x0000000001150000-memory.dmp	dcrat
behavioral1/memory/2392-296-0x0000000000370000-0x0000000000480000-memory.dmp	dcrat
behavioral1/memory/1156-356-0x0000000000080000-0x0000000000190000-memory.dmp	dcrat
behavioral1/memory/372-416-0x0000000000950000-0x0000000000A60000-memory.dmp	dcrat
behavioral1/memory/1732-477-0x0000000000AB0000-0x0000000000BC0000-memory.dmp	dcrat
behavioral1/memory/2232-657-0x0000000000290000-0x00000000003A0000-memory.dmp	dcrat
behavioral1/memory/1292-717-0x0000000001000000-0x0000000001110000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1940	powershell.exe
756	powershell.exe
788	powershell.exe
1680	powershell.exe
1640	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2712	DllCommonsvc.exe
2396	conhost.exe
2964	conhost.exe
2112	conhost.exe
2764	conhost.exe
2392	conhost.exe
1156	conhost.exe
372	conhost.exe
1732	conhost.exe
1268	conhost.exe
1736	conhost.exe
2232	conhost.exe
1292	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
3064	cmd.exe
3064	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
29	raw.githubusercontent.com
32	raw.githubusercontent.com
39	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
26	raw.githubusercontent.com
35	raw.githubusercontent.com
5	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\addins\cmd.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\addins\cmd.exe	DllCommonsvc.exe
File created	C:\Windows\addins\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Windows\TAPI\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\TAPI\088424020bedd6	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c0b6a8de77504999c276aa2e278bdde864105b199f5749382da5c77d074e90ed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1240	schtasks.exe
1092	schtasks.exe
2652	schtasks.exe
2704	schtasks.exe
2844	schtasks.exe
2552	schtasks.exe
2656	schtasks.exe
2356	schtasks.exe
2152	schtasks.exe
2884	schtasks.exe
2584	schtasks.exe
852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2712	DllCommonsvc.exe
2712	DllCommonsvc.exe
2712	DllCommonsvc.exe
1940	powershell.exe
788	powershell.exe
756	powershell.exe
1640	powershell.exe
1680	powershell.exe
2396	conhost.exe
2964	conhost.exe
2112	conhost.exe
2764	conhost.exe
2392	conhost.exe
1156	conhost.exe
372	conhost.exe
1732	conhost.exe
1268	conhost.exe
1736	conhost.exe
2232	conhost.exe
1292	conhost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	DllCommonsvc.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	788	powershell.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	2396	conhost.exe
Token: SeDebugPrivilege	2964	conhost.exe
Token: SeDebugPrivilege	2112	conhost.exe
Token: SeDebugPrivilege	2764	conhost.exe
Token: SeDebugPrivilege	2392	conhost.exe
Token: SeDebugPrivilege	1156	conhost.exe
Token: SeDebugPrivilege	372	conhost.exe
Token: SeDebugPrivilege	1732	conhost.exe
Token: SeDebugPrivilege	1268	conhost.exe
Token: SeDebugPrivilege	1736	conhost.exe
Token: SeDebugPrivilege	2232	conhost.exe
Token: SeDebugPrivilege	1292	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2500	1708	JaffaCakes118_c0b6a8de77504999c276aa2e278bdde864105b199f5749382da5c77d074e90ed.exe	31
PID 1708 wrote to memory of 2500	1708	JaffaCakes118_c0b6a8de77504999c276aa2e278bdde864105b199f5749382da5c77d074e90ed.exe	31
PID 1708 wrote to memory of 2500	1708	JaffaCakes118_c0b6a8de77504999c276aa2e278bdde864105b199f5749382da5c77d074e90ed.exe	31
PID 1708 wrote to memory of 2500	1708	JaffaCakes118_c0b6a8de77504999c276aa2e278bdde864105b199f5749382da5c77d074e90ed.exe	31
PID 2500 wrote to memory of 3064	2500	WScript.exe	32
PID 2500 wrote to memory of 3064	2500	WScript.exe	32
PID 2500 wrote to memory of 3064	2500	WScript.exe	32
PID 2500 wrote to memory of 3064	2500	WScript.exe	32
PID 3064 wrote to memory of 2712	3064	cmd.exe	34
PID 3064 wrote to memory of 2712	3064	cmd.exe	34
PID 3064 wrote to memory of 2712	3064	cmd.exe	34
PID 3064 wrote to memory of 2712	3064	cmd.exe	34
PID 2712 wrote to memory of 1940	2712	DllCommonsvc.exe	48
PID 2712 wrote to memory of 1940	2712	DllCommonsvc.exe	48
PID 2712 wrote to memory of 1940	2712	DllCommonsvc.exe	48
PID 2712 wrote to memory of 1640	2712	DllCommonsvc.exe	49
PID 2712 wrote to memory of 1640	2712	DllCommonsvc.exe	49
PID 2712 wrote to memory of 1640	2712	DllCommonsvc.exe	49
PID 2712 wrote to memory of 1680	2712	DllCommonsvc.exe	50
PID 2712 wrote to memory of 1680	2712	DllCommonsvc.exe	50
PID 2712 wrote to memory of 1680	2712	DllCommonsvc.exe	50
PID 2712 wrote to memory of 788	2712	DllCommonsvc.exe	51
PID 2712 wrote to memory of 788	2712	DllCommonsvc.exe	51
PID 2712 wrote to memory of 788	2712	DllCommonsvc.exe	51
PID 2712 wrote to memory of 756	2712	DllCommonsvc.exe	52
PID 2712 wrote to memory of 756	2712	DllCommonsvc.exe	52
PID 2712 wrote to memory of 756	2712	DllCommonsvc.exe	52
PID 2712 wrote to memory of 2396	2712	DllCommonsvc.exe	58
PID 2712 wrote to memory of 2396	2712	DllCommonsvc.exe	58
PID 2712 wrote to memory of 2396	2712	DllCommonsvc.exe	58
PID 2396 wrote to memory of 2332	2396	conhost.exe	59
PID 2396 wrote to memory of 2332	2396	conhost.exe	59
PID 2396 wrote to memory of 2332	2396	conhost.exe	59
PID 2332 wrote to memory of 2336	2332	cmd.exe	61
PID 2332 wrote to memory of 2336	2332	cmd.exe	61
PID 2332 wrote to memory of 2336	2332	cmd.exe	61
PID 2332 wrote to memory of 2964	2332	cmd.exe	62
PID 2332 wrote to memory of 2964	2332	cmd.exe	62
PID 2332 wrote to memory of 2964	2332	cmd.exe	62
PID 2964 wrote to memory of 1440	2964	conhost.exe	63
PID 2964 wrote to memory of 1440	2964	conhost.exe	63
PID 2964 wrote to memory of 1440	2964	conhost.exe	63
PID 1440 wrote to memory of 2868	1440	cmd.exe	65
PID 1440 wrote to memory of 2868	1440	cmd.exe	65
PID 1440 wrote to memory of 2868	1440	cmd.exe	65
PID 1440 wrote to memory of 2112	1440	cmd.exe	66
PID 1440 wrote to memory of 2112	1440	cmd.exe	66
PID 1440 wrote to memory of 2112	1440	cmd.exe	66
PID 2112 wrote to memory of 2068	2112	conhost.exe	67
PID 2112 wrote to memory of 2068	2112	conhost.exe	67
PID 2112 wrote to memory of 2068	2112	conhost.exe	67
PID 2068 wrote to memory of 1356	2068	cmd.exe	69
PID 2068 wrote to memory of 1356	2068	cmd.exe	69
PID 2068 wrote to memory of 1356	2068	cmd.exe	69
PID 2068 wrote to memory of 2764	2068	cmd.exe	70
PID 2068 wrote to memory of 2764	2068	cmd.exe	70
PID 2068 wrote to memory of 2764	2068	cmd.exe	70
PID 2764 wrote to memory of 2264	2764	conhost.exe	71
PID 2764 wrote to memory of 2264	2764	conhost.exe	71
PID 2764 wrote to memory of 2264	2764	conhost.exe	71
PID 2264 wrote to memory of 1732	2264	cmd.exe	73
PID 2264 wrote to memory of 1732	2264	cmd.exe	73
PID 2264 wrote to memory of 1732	2264	cmd.exe	73
PID 2264 wrote to memory of 2392	2264	cmd.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b6a8de77504999c276aa2e278bdde864105b199f5749382da5c77d074e90ed.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b6a8de77504999c276aa2e278bdde864105b199f5749382da5c77d074e90ed.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
    - - C:\Windows\TAPI\conhost.exe
        
        "C:\Windows\TAPI\conhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2396
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2336
        
        C:\Windows\TAPI\conhost.exe
        
        "C:\Windows\TAPI\conhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Q74CISUeM.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2868
        
        C:\Windows\TAPI\conhost.exe
        
        "C:\Windows\TAPI\conhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dhQfvaPZ4N.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1356
        
        C:\Windows\TAPI\conhost.exe
        
        "C:\Windows\TAPI\conhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OxVZsORhRP.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1732
        
        C:\Windows\TAPI\conhost.exe
        
        "C:\Windows\TAPI\conhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MKE9IzBoeI.bat"
        14⤵
        
        PID:2568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1928
        
        C:\Windows\TAPI\conhost.exe
        
        "C:\Windows\TAPI\conhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GptcLQn9Ec.bat"
        16⤵
        
        PID:2848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2132
        
        C:\Windows\TAPI\conhost.exe
        
        "C:\Windows\TAPI\conhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat"
        18⤵
        
        PID:2728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2136
        
        C:\Windows\TAPI\conhost.exe
        
        "C:\Windows\TAPI\conhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VCTPXfsZqS.bat"
        20⤵
        
        PID:2604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1808
        
        C:\Windows\TAPI\conhost.exe
        
        "C:\Windows\TAPI\conhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrNnSCw4rJ.bat"
        22⤵
        
        PID:2844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1036
        
        C:\Windows\TAPI\conhost.exe
        
        "C:\Windows\TAPI\conhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cqXkQwtlzQ.bat"
        24⤵
        
        PID:2496
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2776
        
        C:\Windows\TAPI\conhost.exe
        
        "C:\Windows\TAPI\conhost.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zfOrxS71E3.bat"
        26⤵
        
        PID:1576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2956
        
        C:\Windows\TAPI\conhost.exe
        
        "C:\Windows\TAPI\conhost.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\addins\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Windows\addins\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\TAPI\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\TAPI\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c4e6384060cf3f6a890b604d0a1e218

SHA1
a96e136e97a6a895888c98031ca133ab5a43a7b3

SHA256
06bd2f3f6ff674d54cdcf9108568fdbce8e679037ed097a23c62d5a9d7e19ad5

SHA512
1a1e52370dcad606cc4b86ee5330f67dbe58f77a01c66cb9b87c9b6d1fb02358728672e79d65526eee38326a9b8c6b2a9f905041f541c2cacf740b61f0389cd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
630e8c3fbbae2d8253ec32bb351af2ac

SHA1
f5db0344b79cf68634968a94122f549bbc55d18c

SHA256
61487e5a81910357c00daa03f004a1e087f7fc736ef6f6950f05b224c8d0c590

SHA512
69be5ca1b33b05f0792ef59c002ba86afdd0880bf6ecd3ce6ca939509e434b75c58a9495954d1a3576df420ed4e40676058ee066a66c8e68b35d57e363cff90c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71335e06216f2ce08eb51369d726abc0

SHA1
9609b36845108eca2f4caf9267fd1b1374163655

SHA256
4346871464cfd454b10f215c3cc0be6ec3d6206bdf3bf7d04d02039a930535c3

SHA512
b0574ddbcaa91aa46cf4d532e5af80ba1d6a59e095dc9320e8839c06034a57857ff8f26819d79347bea517212d7c07c1cd61cbd6fa4874c9bc24876f3b2b357d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f5d597a6d125818e711df89d8bcbee21

SHA1
91d56a6be4b504781c37d9acef86a2d0310581d7

SHA256
f874255bababfe344380490f27a247f1efd784d835ecdb89d44d13d4bcf555c4

SHA512
459de84bccf04d9c4f6249f3a37dc9ef1ce87da4790a19807f40cc862521db0ad60d6b9cdb4bb46ab0811bb3e329f2c4ca90699043368fabc547ecf0d2b25da2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74e4e2ffdce2191b486c35255bf2868b

SHA1
2abbd0936dc03f21361b3cbb6bd88c2225b7b1ab

SHA256
53bf4e8ad5dbf12ca749031abbbb6368cadaef4f670a3cb8be1b318cc2e4a02c

SHA512
ceebf528f95d1ce56898cb56eb232e9535367156a20cb364c489dc8b16030a1d4fa2a761d18e000f26c952b9c443546491971ec292a1ddafaa7b636b7483f330

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6982fc1320baa904245462e08d21eca2

SHA1
c6570abd6720bb950c66f8435c3ce92dac28aa93

SHA256
2747d59009b6c8af81518f21967f26c215c29cd56959a822227a09a4e934d0d2

SHA512
774c6e013bc2f235b9695016b6c0612a0e1a2e72ae8efb2432aad0899abf813bacfd8ff96df9eb1e49032f13cbeeedd8859f0853182ade4da80fba709cc0d075

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab22a6afc2dc2a31a58b6b69bf388b6e

SHA1
33dd79ff881b55f4c09a835e1150221979be629f

SHA256
a39a2527b73116f358a581de84aa9ca0f11a80e58656fe532a9789224aa933c9

SHA512
35bca4c42e3c07d544206394c90358453ebb60b0a7d0312e8559275dcfc6aa643683f2885e2198b890cc59b0ec7f2e2150f441808cdf10673184d2669cb11933

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
caf60ca1309e8e182994c9e23dd3f1e6

SHA1
deeb90e052796efdf98d0e9960c300a73e2d7ec1

SHA256
b67412bd6d55b02150d4c29a775ee984fec28c80296aa97822e585f063c3a1ef

SHA512
06ea5f50140d70ddafd9d84fe632e5fcd581cc05b1def93a44991e10b90c9f32e97a745b2f9213928853399a98023cc43bf1afa72e4c7c542c1239a717da49dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1754500ca5ddacd52dca9e2d0d7ced7b

SHA1
4c3d003c5b576f9212249e5a0a208665c84162cc

SHA256
d3ac169690c7a56e05b3e6e201eed370709514d759991b372b0d65d47df74009

SHA512
913f5c35da950832a3dae663e0f4d86b57d27823e6576cd0dd377e591d95ff7211e1b5a1f462fc27d491730df2d33ac550eb6faf4c215106fd5d861ed9b39e54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3b1bd3d9cf607aefa8eb0d4552c54a2

SHA1
48d688a5d3e4dfc7b2f73ca4592dc232dc08d2bb

SHA256
a79838c3440385a34ef3069b958cf7ea6e2defd69460845aaad9b24ba53a4d7d

SHA512
8b8c117b59845371e88ab2cab194328e3fdf362de34c5308a66b295f726cac0ebeaff991f4504a01537d3ad21be6452a5840bef38def727d12bf12b0aba25e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4Q74CISUeM.bat

Filesize
192B

MD5
aa5cfcd7f6b9f90a4c36e90af6b009e0

SHA1
297bc3c3cdb8141b27d6ac6520768797671c182c

SHA256
71af9c740286974cfd384dc666996094a2678a56fc2a0b9a04b4601b3825dac5

SHA512
a1087d0271e961b46102f132125a60d368e0ecc9109f62e0161174051f1ea98decafa06efba7e22f7975e43256510780bbe2e4aa36a1a1bb4e59b18e7c1f8e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2E82.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GptcLQn9Ec.bat

Filesize
192B

MD5
f163f40588e812e67ccd8df3d3c69a61

SHA1
c9994c3bfdc51c9c559964743b80b2f82c685a2f

SHA256
9141777b5a0f61bb37c1a7fa465755d15eb6de8d8abc2a2fa334972ab5b78cb1

SHA512
250b64028a710cc53bfb53f5f7b7cb6aa1e4ff24333458afd0f2e043fe0e2a1ed62fbd7e9c0a53ec885a90a29c0b96da68295b85274ed1146650598a21776f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IrNnSCw4rJ.bat

Filesize
192B

MD5
db549e5aa355f774fc6af114e38b5eb9

SHA1
28e3b7447d6bd0c9b885c1ce455ae7915874caa0

SHA256
431364c40ccb4d122c3cfd9a95bc8bc3bcce44cbd9c6ef35d376c13156339710

SHA512
9c17c37fe63931c7bc8b1105c336428ac182bd512095daadd7b6e37aa33d5a58e006400a0aca22323d63dbb73baba8933bc389ffc40359bfa5de069c09c66a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\MKE9IzBoeI.bat

Filesize
192B

MD5
5b2738fcc6b73023247b9ab0d39b1d3d

SHA1
9a212dcc41c6c850591f735ce5b2e8467b76f1cc

SHA256
1e99743c1a72eb402cd109a0d5651587b8b43e4169dfa18e02a72c91764c6db9

SHA512
c894f386ff712320356e79c421e579e15f5f64d3b0077042700bf23c52b9e886f80c70a49cd675962b87a94db01b063cef8f0da3a4d78b811ae6a5e5737ca66f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OxVZsORhRP.bat

Filesize
192B

MD5
4826d4bf2708056fef5e47bf37f81bc4

SHA1
586fd3e405f71d7574b87defac3e885d9997f4df

SHA256
3e9616b89f989b9c5e8378bafc8098d78e45403bb1dd8c75b09fb23fa702ed52

SHA512
982155eb05814afac59c016ef9b74f577d511de15d92c00d9d51ec8158d12332fb12b2511e8b2262b31f931a9fe4746ed52a56d203591b40bd57143086629f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2EA4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCTPXfsZqS.bat

Filesize
192B

MD5
3316b96e2ef91300a78f19d69d550230

SHA1
c93c3b81866ead16638bc135b736b40c17abdc1a

SHA256
9fe83e47828850b53b2c29a43577a944efa6461cfa53067724bd7e6d80f0dea4

SHA512
3444dd0325ab5fec80286003e5f9f14a7aeaba23bd21c0507e0e2138b31419a98f8c120e3eb94312681d976f02c0b44869024f7268047849c0b93ccb77445233

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqXkQwtlzQ.bat

Filesize
192B

MD5
0599ebfdc4e96b424b9d813332c7414d

SHA1
eceb9bbf2eec8a6da36271d38157418231dba7df

SHA256
39a87bb1b506f0cc40511a609061146dfec64965834a9b46c70f5f5a5a41cd18

SHA512
46305fa9a2161f5c9d2287c4e753b35beebaf34e33b730035bed243adbe1fcd183d11b2c433889bde770ff104bd4030b57f7954ba538c4f57fedc5a35cc1e9cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhQfvaPZ4N.bat

Filesize
192B

MD5
d396b3a48a22f50224410d581f992b1d

SHA1
bfc577284af1747364473fbdb7d2769b8958883b

SHA256
a6900d712b7a12e44acd10edc36e0ec056fd1fb07a0dc684419a8db77ab96e25

SHA512
0e7039914147b7bea6801387f6224d2660294ce84293a1a545901fc6b71cb697a037dbbcb5cfa41a4599317d30c1b476f0545e2cb82b70249ab2d4da494aedd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat

Filesize
192B

MD5
719820177ee777bc40e585bbe6270e31

SHA1
1e791e1232ed15ca925c3ce1b105fddf5a4393d0

SHA256
922b085670a9d2eda47460a9d787080f7d0b68dec20cff6440c0dbcee01ee531

SHA512
adafb3444ece58f8f2aaa4cebfdceb34a845abc761df0aa2b9d15ef35c037db01d4912c7add286c130ebfbfc6b7cf2db850d3ddd57163e6be73248ccb4e6a4cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat

Filesize
192B

MD5
50e0e7207fc641b20749ef4d362046c8

SHA1
f2a250f87cc2061a02c62e10979da3498b56fc9f

SHA256
0ebc81d565b08ea2c84ed7c8ae50a3ba54e179c9eb2811825e4cc2ded0c5011e

SHA512
e1af6ed96db7a0a7358fe1bdc46b2b70963352ee48ac43c15ab7826378e426e9d68e7431f7128ffb2acbc23d3a580b6b6911dfff4d0d36a8d2537302f97d3d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\zfOrxS71E3.bat

Filesize
192B

MD5
21f8175bf7d96a8e9e7236f8d72a3e29

SHA1
1fc255e618631db3a33fff85cde44809c57b355f

SHA256
a3a7376ba4cfb4398d1d62ee38b7417aca0fd7b8686e5ec97cdd4867886d48d5

SHA512
a6a42c1ec5c9607ef02ff2f593446385f5896a90b24f52b21a9e85bc5afdf5c1395a5ee03c00387f7ca4fafab81bbd2c51b23f543070452abca6a73de13d8461

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
31f942d694ec21d9e9caecab126efe72

SHA1
685684fbf1f1a309d8985ff795e9da54a6c12e8f

SHA256
b2e92b582a19d387b21a657e6f082fabb4a32ff3283c0ef1948119ff8e03904f

SHA512
266d3a3c22bc7b348ea57e3446845bb88965460aa5c963f4ad78696cf3d895712404b0680c958fac9c4ed2cdc8ce91d77874766d5b3e3cfbae322a57861d8a88

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/372-416-0x0000000000950000-0x0000000000A60000-memory.dmp

Filesize
1.1MB

Download
memory/372-417-0x0000000000700000-0x0000000000712000-memory.dmp

Filesize
72KB

Download
memory/1156-356-0x0000000000080000-0x0000000000190000-memory.dmp

Filesize
1.1MB

Download
memory/1268-537-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1292-717-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/1732-477-0x0000000000AB0000-0x0000000000BC0000-memory.dmp

Filesize
1.1MB

Download
memory/1736-597-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/1940-51-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/1940-52-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2232-657-0x0000000000290000-0x00000000003A0000-memory.dmp

Filesize
1.1MB

Download
memory/2392-296-0x0000000000370000-0x0000000000480000-memory.dmp

Filesize
1.1MB

Download
memory/2396-58-0x0000000000CA0000-0x0000000000DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2712-17-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2712-16-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2712-15-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2712-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2712-13-0x0000000001010000-0x0000000001120000-memory.dmp

Filesize
1.1MB

Download
memory/2764-235-0x0000000001040000-0x0000000001150000-memory.dmp

Filesize
1.1MB

Download
memory/2764-236-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download