dcrat | 65049ffbc80f902999368b36db59ef7ba3223b56cc47d0100161129c896566e4

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_65049ffbc80f902999368b36db59ef7ba3223b56cc47d0100161129c896566e4.exe
Size

1.3MB
MD5

5574031a8622a66b3ab12391c6ae51a7
SHA1

4b9c020c54c7f13d665b3109ac20b835e891a953
SHA256

65049ffbc80f902999368b36db59ef7ba3223b56cc47d0100161129c896566e4
SHA512

37a8eeda1fee0d4c4fc7b76dc30872a22bd586c6dfc9e1edcca7494d6f211fc28139f96797d02cfa61acd3734b99597e23690598c267ae5309354ddc32977030
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2596	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2596	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2596	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2596	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2596	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2596	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2596	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2596	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2596	schtasks.exe	35

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015d07-9.dat	dcrat
behavioral1/memory/1632-13-0x00000000010A0000-0x00000000011B0000-memory.dmp	dcrat
behavioral1/memory/2044-52-0x0000000000CC0000-0x0000000000DD0000-memory.dmp	dcrat
behavioral1/memory/2468-111-0x0000000000D70000-0x0000000000E80000-memory.dmp	dcrat
behavioral1/memory/2192-290-0x0000000001310000-0x0000000001420000-memory.dmp	dcrat
behavioral1/memory/1932-527-0x0000000000320000-0x0000000000430000-memory.dmp	dcrat
behavioral1/memory/1876-587-0x0000000000C50000-0x0000000000D60000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2856	powershell.exe
672	powershell.exe
2924	powershell.exe
848	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
1632	DllCommonsvc.exe
2044	cmd.exe
2468	cmd.exe
1844	cmd.exe
1840	cmd.exe
2192	cmd.exe
2808	cmd.exe
544	cmd.exe
1676	cmd.exe
1932	cmd.exe
1876	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2976	cmd.exe
2976	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
21	raw.githubusercontent.com
25	raw.githubusercontent.com
29	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
32	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
18	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_65049ffbc80f902999368b36db59ef7ba3223b56cc47d0100161129c896566e4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1556	schtasks.exe
1844	schtasks.exe
2148	schtasks.exe
700	schtasks.exe
2908	schtasks.exe
1976	schtasks.exe
2920	schtasks.exe
2968	schtasks.exe
1720	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1632	DllCommonsvc.exe
2856	powershell.exe
2924	powershell.exe
848	powershell.exe
672	powershell.exe
2044	cmd.exe
2468	cmd.exe
1844	cmd.exe
1840	cmd.exe
2192	cmd.exe
2808	cmd.exe
544	cmd.exe
1676	cmd.exe
1932	cmd.exe
1876	cmd.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1632	DllCommonsvc.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	672	powershell.exe
Token: SeDebugPrivilege	2044	cmd.exe
Token: SeDebugPrivilege	2468	cmd.exe
Token: SeDebugPrivilege	1844	cmd.exe
Token: SeDebugPrivilege	1840	cmd.exe
Token: SeDebugPrivilege	2192	cmd.exe
Token: SeDebugPrivilege	2808	cmd.exe
Token: SeDebugPrivilege	544	cmd.exe
Token: SeDebugPrivilege	1676	cmd.exe
Token: SeDebugPrivilege	1932	cmd.exe
Token: SeDebugPrivilege	1876	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 3028	2744	JaffaCakes118_65049ffbc80f902999368b36db59ef7ba3223b56cc47d0100161129c896566e4.exe	31
PID 2744 wrote to memory of 3028	2744	JaffaCakes118_65049ffbc80f902999368b36db59ef7ba3223b56cc47d0100161129c896566e4.exe	31
PID 2744 wrote to memory of 3028	2744	JaffaCakes118_65049ffbc80f902999368b36db59ef7ba3223b56cc47d0100161129c896566e4.exe	31
PID 2744 wrote to memory of 3028	2744	JaffaCakes118_65049ffbc80f902999368b36db59ef7ba3223b56cc47d0100161129c896566e4.exe	31
PID 3028 wrote to memory of 2976	3028	WScript.exe	32
PID 3028 wrote to memory of 2976	3028	WScript.exe	32
PID 3028 wrote to memory of 2976	3028	WScript.exe	32
PID 3028 wrote to memory of 2976	3028	WScript.exe	32
PID 2976 wrote to memory of 1632	2976	cmd.exe	34
PID 2976 wrote to memory of 1632	2976	cmd.exe	34
PID 2976 wrote to memory of 1632	2976	cmd.exe	34
PID 2976 wrote to memory of 1632	2976	cmd.exe	34
PID 1632 wrote to memory of 672	1632	DllCommonsvc.exe	45
PID 1632 wrote to memory of 672	1632	DllCommonsvc.exe	45
PID 1632 wrote to memory of 672	1632	DllCommonsvc.exe	45
PID 1632 wrote to memory of 2924	1632	DllCommonsvc.exe	46
PID 1632 wrote to memory of 2924	1632	DllCommonsvc.exe	46
PID 1632 wrote to memory of 2924	1632	DllCommonsvc.exe	46
PID 1632 wrote to memory of 848	1632	DllCommonsvc.exe	47
PID 1632 wrote to memory of 848	1632	DllCommonsvc.exe	47
PID 1632 wrote to memory of 848	1632	DllCommonsvc.exe	47
PID 1632 wrote to memory of 2856	1632	DllCommonsvc.exe	48
PID 1632 wrote to memory of 2856	1632	DllCommonsvc.exe	48
PID 1632 wrote to memory of 2856	1632	DllCommonsvc.exe	48
PID 1632 wrote to memory of 2948	1632	DllCommonsvc.exe	53
PID 1632 wrote to memory of 2948	1632	DllCommonsvc.exe	53
PID 1632 wrote to memory of 2948	1632	DllCommonsvc.exe	53
PID 2948 wrote to memory of 828	2948	cmd.exe	55
PID 2948 wrote to memory of 828	2948	cmd.exe	55
PID 2948 wrote to memory of 828	2948	cmd.exe	55
PID 2948 wrote to memory of 2044	2948	cmd.exe	56
PID 2948 wrote to memory of 2044	2948	cmd.exe	56
PID 2948 wrote to memory of 2044	2948	cmd.exe	56
PID 2044 wrote to memory of 2260	2044	cmd.exe	57
PID 2044 wrote to memory of 2260	2044	cmd.exe	57
PID 2044 wrote to memory of 2260	2044	cmd.exe	57
PID 2260 wrote to memory of 2496	2260	cmd.exe	59
PID 2260 wrote to memory of 2496	2260	cmd.exe	59
PID 2260 wrote to memory of 2496	2260	cmd.exe	59
PID 2260 wrote to memory of 2468	2260	cmd.exe	60
PID 2260 wrote to memory of 2468	2260	cmd.exe	60
PID 2260 wrote to memory of 2468	2260	cmd.exe	60
PID 2468 wrote to memory of 2252	2468	cmd.exe	61
PID 2468 wrote to memory of 2252	2468	cmd.exe	61
PID 2468 wrote to memory of 2252	2468	cmd.exe	61
PID 2252 wrote to memory of 2280	2252	cmd.exe	63
PID 2252 wrote to memory of 2280	2252	cmd.exe	63
PID 2252 wrote to memory of 2280	2252	cmd.exe	63
PID 2252 wrote to memory of 1844	2252	cmd.exe	64
PID 2252 wrote to memory of 1844	2252	cmd.exe	64
PID 2252 wrote to memory of 1844	2252	cmd.exe	64
PID 1844 wrote to memory of 2912	1844	cmd.exe	65
PID 1844 wrote to memory of 2912	1844	cmd.exe	65
PID 1844 wrote to memory of 2912	1844	cmd.exe	65
PID 2912 wrote to memory of 2360	2912	cmd.exe	67
PID 2912 wrote to memory of 2360	2912	cmd.exe	67
PID 2912 wrote to memory of 2360	2912	cmd.exe	67
PID 2912 wrote to memory of 1840	2912	cmd.exe	68
PID 2912 wrote to memory of 1840	2912	cmd.exe	68
PID 2912 wrote to memory of 1840	2912	cmd.exe	68
PID 1840 wrote to memory of 1044	1840	cmd.exe	69
PID 1840 wrote to memory of 1044	1840	cmd.exe	69
PID 1840 wrote to memory of 1044	1840	cmd.exe	69
PID 1044 wrote to memory of 2012	1044	cmd.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_65049ffbc80f902999368b36db59ef7ba3223b56cc47d0100161129c896566e4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_65049ffbc80f902999368b36db59ef7ba3223b56cc47d0100161129c896566e4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\amHMU2DnZz.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2948
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:828
      - C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pnRbx2xD7z.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2496
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2280
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nm0aad8I0L.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2360
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I0OceA6Xfh.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2012
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BYj1kG62r9.bat"
        15⤵
        
        PID:2576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1404
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat"
        17⤵
        
        PID:2188
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2224
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2sHl3bGdB9.bat"
        19⤵
        
        PID:1908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2832
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzJh52oHEl.bat"
        21⤵
        
        PID:2592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1960
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat"
        23⤵
        
        PID:2900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1936
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat"
        25⤵
        
        PID:1228
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa31b1f7c0ab5301192a31b872bb0518

SHA1
28483f3d50dc5f47409cd01123f1531155d19c54

SHA256
19673d8276477d0c73f3fb3f57ca0cde6681b66c974563c9f3d9b568b2c60346

SHA512
c3f8a62b9b469fb693d6fca8f857e9c4f5963e5468f7557e5dd3e4b82ff568aed20d02580e9cbe8bc35603d6b7c26fc4364d428585af94d544828244fc70b182

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4afffb0be279492bdf2ce15a9928705

SHA1
77f2038e837e8bd83868edcc18693f9a82768e44

SHA256
a3dba970a9291b6dee74cab3d3c2d9dac12c8309afdf7bcf2b43c1c48bed9599

SHA512
097a69a9602f3d0af5339158e468c7f5d63a8f02bef817fee2871738e13577e9c4e0cc487877753b32f354cbe47e391a4ca0136d56150d5311d19a2387200b4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46ab4e1363a39407a8bbe1fe6fd42496

SHA1
3917ed58af4106b13cf735e2642b0372e798950b

SHA256
12f89c416cb8e8f399ac4fc214903c87c0fd43b8a24aed40b2897dcc6e5ecb83

SHA512
434352116e1346e2e3c333f2f8216c99941bcc6601973b9785d4cf359974997f65ca317c5e49a454602aae02a07bea47b5bd48463e313b3979da916183d40de4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2dff31f0fd0a440c025d58fb0913e9af

SHA1
0910a99d5645439e669d86478bc4fbec605b2d23

SHA256
9f2c30c1c295f787a24a6037a9ab0272dc4bdd2220a88392134dc769f16fe3dd

SHA512
a16d9b5bda7acaf1314c62ccaa5477fcaa5d4fdf2c655d49daed3fd8574fa770c53b0051a4d6a445bcb35edd17a3126e9b006af0ed5234acbbe95e924f26026c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
771a20ac252a993846aff4742f39f769

SHA1
21ff565ed8bf6ad71d8459c11a2e8053924993cb

SHA256
0e61a1cb5657f55e319678371f03f077041c891c8cee7d03ec94b6382bb27660

SHA512
18cb856cd97d0fe60908d5603b0bd039f397d689ae626463af3a8ab096d588322e07e11f0be6b24d50ea3102105223895d5dd483a0c2b4e531ec3dd3b2fdfb80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
818c0edaf7c54a991a53beda48494f63

SHA1
2d73d4c429381191476de680a107f728599ddcf8

SHA256
0490244ac7b2345e275fb9f8b7d92a52ebd549e8231b6238c05e098349076628

SHA512
ee10ab62b59d016fde816f2ed9504eb36ab06e0e830633221ebf2460df1ebad3611eea99d71e4926b0be47b4b7d0a60afcb1ed0e431422010aab52c2377b1bc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05474609981f4fcf3d5f2ec4331876d8

SHA1
c6b55c353f606ba376ba8c7d2b72bedfea731ad9

SHA256
8ff910a8b4c3fc499cc2d70ad71a89be30775744322e004614fb657d3bfe76a4

SHA512
f94dee5db492cf9f7e1d7d1852450cf6935b31d1317046480454b129bbf0163ee865c1843bb925b4f1bec574e5b6a3678af146e6a4b85cdc04ed6910adc71cb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8f350f94eb7494ae03526523c3d68c2

SHA1
11fcff8d44e4f05413df42f310035ad70655b606

SHA256
ddf78f5b85c1126061ea96195d83deea3cdb898a0d0baa7ffb35c954e4a73ba9

SHA512
70c2a97326d4956a53941525fc59008d560b3d611cc20db897c905263d97c85851dcc1c6f8d0c3baac23b978f6f3858dd27b17e9fc19a7d36edfafde83d9e979

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
575d52df520edb6a1e4a3f87611b28d7

SHA1
f77ee695d72b2d9fa32dec6e216a7a0b619ea131

SHA256
97dc7628b1283a613554efe63526585002808930364fd88095545a9b93158e67

SHA512
cf167c2d893a60748fd166cf69f2a11ed8c675ecdb8ecfba781f8ddbb114fc64212a70d04cd3e4f57a42aeded51dd09351cbcf78202ef023db79d799e801f39e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2sHl3bGdB9.bat

Filesize
235B

MD5
05be59acba0e3d1dfd7f590281050e01

SHA1
52a980bbc7fe982ca51621c44cfe6c191bb60a98

SHA256
32027f43558140985d3ee39b55f61b2c1f77402938e4046f544e9e2b271504c2

SHA512
61aef0c386ef8cdcd5e500ef9ad88fc8aa872c8ea72030718cbde60cd5245779fae1725d1a26ce3fe0dfb0f2a57921a8d029b44c7cba369c26741510e8b07ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYj1kG62r9.bat

Filesize
235B

MD5
925fd0c199075f56014e6e662d6ddd1f

SHA1
f280c7c79355ee61673d14184e7fb3ca735acd6e

SHA256
a67691211567fe56188b3b98a29d11ce5a6cfbb73f372d411f287899f5a29017

SHA512
1d1f77fddb37e28f7fce43894f32d6b82dcb282f27e7acddd82169ae86aa26c60f69fc127f43fc0b4deac9b45ec3094f65ecf323959c906ef0b23d117bceec3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2CEC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EzJh52oHEl.bat

Filesize
235B

MD5
d2b7e779fa7830ebd77caccd000ddd04

SHA1
efb3a82652c68a5b052cd582b4e674e9ae000fe4

SHA256
ddadf255b58461f53fa9aacdb31adc35445d0599cf03faf18a3c4f3c4fb17118

SHA512
840b24c1bd3e003528ed066f31c5c5c50cbeca8d28287b3c832ed813da482ebac2c8612306b14e9123aec7502e658bf7c8ae49f4e1e5e41c99d188bdaffc0cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\I0OceA6Xfh.bat

Filesize
235B

MD5
9cb4374da1845d6542539c03d2053d68

SHA1
e32cc4d8d3a51f8d2a0ac0dba9584bbf9ed90971

SHA256
0cd539f8285347b11bce87d973a27771779c84e92de226a07ac7108ec35da481

SHA512
b616f8f6536b901bb4be60ad56930b1f60bf6fb609ad8350b266a9845ecaa7a5d0d2d27e679259ca552e029400d86b7315c69b83b5212be24423f8148df74bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nm0aad8I0L.bat

Filesize
235B

MD5
f4bb1aa20e043aced5faaca580938c25

SHA1
e60b1d44ce8cd63c146677820875278dad7c53d0

SHA256
119aa6d37d1b7af26a6845e8c43536f95b0b822f1515b37cfe11367e1e78cfa4

SHA512
e658a364412d2c43df6570ed00fd9b7f9cf6be98edeaf44cea4e642864d5bcf5d9e7986d75ebd9f3fba175f3a1b9aa7189a8b09ad502f10ad1b62811fe818494

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2CFF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat

Filesize
235B

MD5
b044b0a50a5da6427ebfad0c25c81372

SHA1
65214b63baed4ef394264122f85b4a160082b36b

SHA256
5e1e5f10a7934aa1e10e63c4822db3c61171b246e81333a4c64f283ff0e5af97

SHA512
b70c7dce9c9f7fa382a6b1dc369f514a8125eee6b3e4d0cb1a5581b7779ba23a611b5e0a6cffd8b85d39a5688688726c18b6211032ba5ad071addbca071192d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\amHMU2DnZz.bat

Filesize
235B

MD5
4b648ab84dd0cb255f66fc65e16ebd40

SHA1
b4a7edb689e79915507105d0927b9467734795e9

SHA256
c12c238788a7d8c89beb5cdb62dcf216fb5b0a33cec9fc19c28dd90aff0c09ba

SHA512
c6de9c2aaacce733b4624a88b4adf245b003403b2a851dfca7d826a2cd3096ce1f654e890053d361006c333de01babbed549c984ee27b5e470de2f39418c02fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat

Filesize
235B

MD5
78b07c836c179a8e972559b537c0446a

SHA1
cca3334979d6958d108b5f5dd1f7b00061f41964

SHA256
b83b19779cb7bc58f84affc02c874dfda04d3cbe098deccc1fe71c0c1c5e884d

SHA512
0e3e3026e60cc2d49187ebdb21065e33be5c01b6d96911745508484b253eba6f08a0b977b748a0fdb395f02b84ea29b936f283e18fff84d297d89ee52b1befdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\pnRbx2xD7z.bat

Filesize
235B

MD5
c01776584c249e3828587a5d7b8b2437

SHA1
61da1c5994284b651d04e028b2b6561d5f9ae507

SHA256
679f31ad6a3f532d06b30a9b582716ee35a0dbf2db7de6e338d9e4b0f88117b5

SHA512
cb72ab4a35b2e3ca55ecf0920923341b8e3c1567840e4c68e3666ce528a0c3f913ffd90afec430f37c81b2d8ee582dd74123e3e897e4be59eb87e071c2b7903a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat

Filesize
235B

MD5
d6dc36501524ed1a27a8b7cb1cd206df

SHA1
cbd8fbd624f68bdbcddad5d62b19296ac9db222f

SHA256
dfbacbebac3dc296c0205640ec0abd01b1f16f9a136272620415ca64e28252ac

SHA512
1dad7d6a7b94c107d5fc1e1b858230d3575f7e212e34d0620ce83ff7ca6982c3db9fac555f27fb8c5e616f74deab5b3344641553c6a7ef4dbc641ee7e78138f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat

Filesize
235B

MD5
664cff4cd13f9e48e19dfe541b123b3a

SHA1
774987acbcb2a4b762beb2fa88204b0cf1e19fcb

SHA256
a6e36207f48f47e8082011796d611e2aa148b53d6844d64dc240f238493edc80

SHA512
594ed3474ae17780ab3d4cf7dab1b8fe46b623c4f30fe5bca4c21485cbd144637f6ff019402121fca4a5f21c4ea99644a0a9e0424e42cc60296a24bf14149921

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
db5228ba006bbc91b990f4a26340ac23

SHA1
8d3b7f70c728e81504cb82c39350e9f25d8d99a0

SHA256
fc412aa2cc3f46136ea13141e6e9d45f5cd63d28422022460487e0ec7093f8d2

SHA512
87e7305ece5ce33013bdefee44de8f98dbafb82eafc7b9ccc8b8926217548eccca33d3a38983ee752b54a93f58ba6686f37697bf580d2058cc9d8b13b6e93620

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1632-15-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/1632-14-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/1632-16-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/1632-13-0x00000000010A0000-0x00000000011B0000-memory.dmp

Filesize
1.1MB

Download
memory/1632-17-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/1844-171-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1876-587-0x0000000000C50000-0x0000000000D60000-memory.dmp

Filesize
1.1MB

Download
memory/1876-588-0x0000000000580000-0x0000000000592000-memory.dmp

Filesize
72KB

Download
memory/1932-527-0x0000000000320000-0x0000000000430000-memory.dmp

Filesize
1.1MB

Download
memory/2044-52-0x0000000000CC0000-0x0000000000DD0000-memory.dmp

Filesize
1.1MB

Download
memory/2192-290-0x0000000001310000-0x0000000001420000-memory.dmp

Filesize
1.1MB

Download
memory/2468-111-0x0000000000D70000-0x0000000000E80000-memory.dmp

Filesize
1.1MB

Download
memory/2856-37-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

Filesize
2.9MB

Download
memory/2856-43-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download