dcrat | 1cdfb7c505c015641a936f6aad1b41fd8ded34e237891baa922c4c6a22d363d3

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-01-2025 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cdfb7c505c015641a936f6aad1b41fd8ded34e237891baa922c4c6a22d363d3.exe
Size

1.3MB
MD5

689d84536b36152faaff0f7071c80ff2
SHA1

a86ebd45d43a4168b0fa8919881fd5b6c664b98b
SHA256

1cdfb7c505c015641a936f6aad1b41fd8ded34e237891baa922c4c6a22d363d3
SHA512

b5a4dbbc683c23a0d368e0fbd743c553bd56231745c473d7f2274b04b6d403c1610a1cc5e04bb99c3c861cfddd866e145caa319c07d5f1038c73cb3c0b9c8024
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjCD:UbA30GnzV/q+DnsXg1

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2624	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016edc-12.dat	dcrat
behavioral1/memory/2712-13-0x00000000001D0000-0x00000000002E0000-memory.dmp	dcrat
behavioral1/memory/1236-52-0x00000000000D0000-0x00000000001E0000-memory.dmp	dcrat
behavioral1/memory/2632-112-0x0000000000070000-0x0000000000180000-memory.dmp	dcrat
behavioral1/memory/1308-172-0x00000000003F0000-0x0000000000500000-memory.dmp	dcrat
behavioral1/memory/1736-232-0x0000000001130000-0x0000000001240000-memory.dmp	dcrat
behavioral1/memory/1588-353-0x0000000000200000-0x0000000000310000-memory.dmp	dcrat
behavioral1/memory/1284-413-0x0000000000B90000-0x0000000000CA0000-memory.dmp	dcrat
behavioral1/memory/1676-473-0x0000000000EC0000-0x0000000000FD0000-memory.dmp	dcrat
behavioral1/memory/2548-533-0x00000000001A0000-0x00000000002B0000-memory.dmp	dcrat
behavioral1/memory/2420-593-0x00000000011A0000-0x00000000012B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1980	powershell.exe
2004	powershell.exe
1504	powershell.exe
1736	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2712	DllCommonsvc.exe
1236	dllhost.exe
2632	dllhost.exe
1308	dllhost.exe
1736	dllhost.exe
2636	dllhost.exe
1588	dllhost.exe
1284	dllhost.exe
1676	dllhost.exe
2548	dllhost.exe
2420	dllhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2380	cmd.exe
2380	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
29	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
25	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
22	raw.githubusercontent.com
32	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1cdfb7c505c015641a936f6aad1b41fd8ded34e237891baa922c4c6a22d363d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2348	schtasks.exe
2220	schtasks.exe
812	schtasks.exe
2620	schtasks.exe
2788	schtasks.exe
1724	schtasks.exe
1524	schtasks.exe
1320	schtasks.exe
764	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2712	DllCommonsvc.exe
2004	powershell.exe
1736	powershell.exe
1504	powershell.exe
1980	powershell.exe
1236	dllhost.exe
2632	dllhost.exe
1308	dllhost.exe
1736	dllhost.exe
2636	dllhost.exe
1588	dllhost.exe
1284	dllhost.exe
1676	dllhost.exe
2548	dllhost.exe
2420	dllhost.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	DllCommonsvc.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	1236	dllhost.exe
Token: SeDebugPrivilege	2632	dllhost.exe
Token: SeDebugPrivilege	1308	dllhost.exe
Token: SeDebugPrivilege	1736	dllhost.exe
Token: SeDebugPrivilege	2636	dllhost.exe
Token: SeDebugPrivilege	1588	dllhost.exe
Token: SeDebugPrivilege	1284	dllhost.exe
Token: SeDebugPrivilege	1676	dllhost.exe
Token: SeDebugPrivilege	2548	dllhost.exe
Token: SeDebugPrivilege	2420	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2764	2396	1cdfb7c505c015641a936f6aad1b41fd8ded34e237891baa922c4c6a22d363d3.exe	30
PID 2396 wrote to memory of 2764	2396	1cdfb7c505c015641a936f6aad1b41fd8ded34e237891baa922c4c6a22d363d3.exe	30
PID 2396 wrote to memory of 2764	2396	1cdfb7c505c015641a936f6aad1b41fd8ded34e237891baa922c4c6a22d363d3.exe	30
PID 2396 wrote to memory of 2764	2396	1cdfb7c505c015641a936f6aad1b41fd8ded34e237891baa922c4c6a22d363d3.exe	30
PID 2764 wrote to memory of 2380	2764	WScript.exe	31
PID 2764 wrote to memory of 2380	2764	WScript.exe	31
PID 2764 wrote to memory of 2380	2764	WScript.exe	31
PID 2764 wrote to memory of 2380	2764	WScript.exe	31
PID 2380 wrote to memory of 2712	2380	cmd.exe	33
PID 2380 wrote to memory of 2712	2380	cmd.exe	33
PID 2380 wrote to memory of 2712	2380	cmd.exe	33
PID 2380 wrote to memory of 2712	2380	cmd.exe	33
PID 2712 wrote to memory of 1504	2712	DllCommonsvc.exe	44
PID 2712 wrote to memory of 1504	2712	DllCommonsvc.exe	44
PID 2712 wrote to memory of 1504	2712	DllCommonsvc.exe	44
PID 2712 wrote to memory of 1736	2712	DllCommonsvc.exe	45
PID 2712 wrote to memory of 1736	2712	DllCommonsvc.exe	45
PID 2712 wrote to memory of 1736	2712	DllCommonsvc.exe	45
PID 2712 wrote to memory of 1980	2712	DllCommonsvc.exe	46
PID 2712 wrote to memory of 1980	2712	DllCommonsvc.exe	46
PID 2712 wrote to memory of 1980	2712	DllCommonsvc.exe	46
PID 2712 wrote to memory of 2004	2712	DllCommonsvc.exe	47
PID 2712 wrote to memory of 2004	2712	DllCommonsvc.exe	47
PID 2712 wrote to memory of 2004	2712	DllCommonsvc.exe	47
PID 2712 wrote to memory of 2292	2712	DllCommonsvc.exe	52
PID 2712 wrote to memory of 2292	2712	DllCommonsvc.exe	52
PID 2712 wrote to memory of 2292	2712	DllCommonsvc.exe	52
PID 2292 wrote to memory of 2388	2292	cmd.exe	54
PID 2292 wrote to memory of 2388	2292	cmd.exe	54
PID 2292 wrote to memory of 2388	2292	cmd.exe	54
PID 2292 wrote to memory of 1236	2292	cmd.exe	55
PID 2292 wrote to memory of 1236	2292	cmd.exe	55
PID 2292 wrote to memory of 1236	2292	cmd.exe	55
PID 1236 wrote to memory of 2040	1236	dllhost.exe	56
PID 1236 wrote to memory of 2040	1236	dllhost.exe	56
PID 1236 wrote to memory of 2040	1236	dllhost.exe	56
PID 2040 wrote to memory of 632	2040	cmd.exe	58
PID 2040 wrote to memory of 632	2040	cmd.exe	58
PID 2040 wrote to memory of 632	2040	cmd.exe	58
PID 2040 wrote to memory of 2632	2040	cmd.exe	59
PID 2040 wrote to memory of 2632	2040	cmd.exe	59
PID 2040 wrote to memory of 2632	2040	cmd.exe	59
PID 2632 wrote to memory of 1696	2632	dllhost.exe	60
PID 2632 wrote to memory of 1696	2632	dllhost.exe	60
PID 2632 wrote to memory of 1696	2632	dllhost.exe	60
PID 1696 wrote to memory of 2876	1696	cmd.exe	62
PID 1696 wrote to memory of 2876	1696	cmd.exe	62
PID 1696 wrote to memory of 2876	1696	cmd.exe	62
PID 1696 wrote to memory of 1308	1696	cmd.exe	63
PID 1696 wrote to memory of 1308	1696	cmd.exe	63
PID 1696 wrote to memory of 1308	1696	cmd.exe	63
PID 1308 wrote to memory of 1992	1308	dllhost.exe	64
PID 1308 wrote to memory of 1992	1308	dllhost.exe	64
PID 1308 wrote to memory of 1992	1308	dllhost.exe	64
PID 1992 wrote to memory of 676	1992	cmd.exe	66
PID 1992 wrote to memory of 676	1992	cmd.exe	66
PID 1992 wrote to memory of 676	1992	cmd.exe	66
PID 1992 wrote to memory of 1736	1992	cmd.exe	67
PID 1992 wrote to memory of 1736	1992	cmd.exe	67
PID 1992 wrote to memory of 1736	1992	cmd.exe	67
PID 1736 wrote to memory of 1728	1736	dllhost.exe	68
PID 1736 wrote to memory of 1728	1736	dllhost.exe	68
PID 1736 wrote to memory of 1728	1736	dllhost.exe	68
PID 1728 wrote to memory of 1652	1728	cmd.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1cdfb7c505c015641a936f6aad1b41fd8ded34e237891baa922c4c6a22d363d3.exe
"C:\Users\Admin\AppData\Local\Temp\1cdfb7c505c015641a936f6aad1b41fd8ded34e237891baa922c4c6a22d363d3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QazrxQR9tJ.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2292
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2388
      - C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBcCl1WGSV.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:632
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2876
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gWC6ojzqIZ.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:676
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xdvgpfy6bM.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1652
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat"
        15⤵
        
        PID:2696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2572
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NADK710Kqv.bat"
        17⤵
        
        PID:2180
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1156
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HHf3c4kdaf.bat"
        19⤵
        
        PID:640
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1756
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat"
        21⤵
        
        PID:2232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2804
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c38FLB8gIG.bat"
        23⤵
        
        PID:320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1700
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Favorites\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Favorites\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\NetHood\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\NetHood\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2e7dab1e8991b264280ee9fa2e55f36

SHA1
aed3ff622fbebb6ac10e7aa2c85af069f159e9fb

SHA256
1b810cede3576dfdebc6d4bcfadb8947d1ba46037f2fe0fbc1b79215286a23cc

SHA512
e4f5db85347ce5290babea0d196da6d8d944364ebf2ca962d56706faee4a7111abe0f09d88b1ad94e9ca3522896744ca0cb7651fbb505186a686b2ec5d3d4d4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60f3564b28d4ac936d5f12d61e83071a

SHA1
feffa9d336d3342a8713fc78edd687683427a68c

SHA256
b0f51a7112271db3d8ad5b94a104e5988ee26408d4fa6b1f73659d0e52e61d36

SHA512
6ca3b1c1473ecb815839027933e1554bf346b9d4b31df737587c92d48132ab06c11afe4aff5cba13f4d72f3f3e2eda45ab7744ac744ee4a20e425f8bf56490d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b1327937236efda83c1a7f4b12de183

SHA1
e2963abd66d1f3d55590e627f94070640581fea9

SHA256
3857339365ba22070c909f99facd858bb81421d09b56148c90a8083a17da2c27

SHA512
77b0a68cebb8045a14624a1a5697b6c0671a0f9918009f96a6d1b8ee8914f8d8563ac0a89a31a575ddbb5a96b2aee4ca99df19f8b4f85949b3489560f3f24fca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3d362f4ae57dbf978b51267121160c8

SHA1
8fd5a2a5d2e107603857ade77660918b197caaea

SHA256
464c3dfe8d1fa3039df6467648e72cf6ea8a5f365543cb8c00fc8be341935215

SHA512
520d9dd6e54794094a8e0a3e9a20b12e6e8b3fadb39154998036d2521b05f7d36cfcc2191060b43330556e623bc1da867637ca6a3d30a2c921bb7c1fb0dc1664

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b1786ae9ece2587eb5043cea6eaf46c

SHA1
2452244f3d806e9c38eedd8eb2b41a37c111963d

SHA256
5023ea34f65bd8fc461f7b5b3bd0ba21a2de5c6229d92ab5e0ab2d98b634aab9

SHA512
fe0e191c1d8c20e3bb90c0758d5093a207c7eff50c87956895dd6d63eb89384f982246d3909b40269989fced8e4289aa31c75b87436692903f935659f6bf835d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dfe04ae9e5e1b9c10195fce1bff4afc6

SHA1
875cfdae7d539428381ed66712f9dcf14d5a599b

SHA256
b92a59f8d72933c40192cd847e599e10e0864bd9c54447c66dc73d9a941c921e

SHA512
cab68c7cd9e11bbb11c6a8a9f8fbe2d380769e48a1bc9a425fc54a11f3b18dcfdc7a4b7124513a878ce81a30e1ad9378a89657b8411960a533822817f14389d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0de20a84258467adf540e7c834c0c66f

SHA1
43fe2a8b3d6421139d47660703ab8b2290c58e01

SHA256
90fd3a7f032a32944acf9096380a4c55665f0e7165a4265910ed853aaa5f1ca9

SHA512
202496b6c6cde7f476e35bc11858cacbede09ad3e135e07bd7afd20a90f30b31a6a20ed3405547b24f9b08323b79f94986b5e643f0ce14b6b2b382af5c1b9f49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68e0b639b1dfec781d8eb0fe132d6b71

SHA1
5c3fa2de51dc7fcbbe307dd1639d0bda4fb92749

SHA256
90a016610f2ecc3ed24a6eb382901f98ef4a11c0ea3f7a0793e51c9863b75c32

SHA512
0268ce733712786c9a3eb0a573b2ff92914e8d5e705482e7e339f29fd88003e1ecfa8eaaf80394e9537e84d5ef8311c7491f22e29cebeab65ac79519dbc03790

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab24A2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBcCl1WGSV.bat

Filesize
194B

MD5
aa07dee29517be0d324cc03d63a043b8

SHA1
f65236833220780d5d9f973862b812bf3771cb2c

SHA256
2e1b701d8bca102719271bac480cb4b71cb9297286745799e45096db78241a3a

SHA512
1cbe3159b392e244ba595746a2d41b71b8f8cb54e21738de1736c4fb5387df33865982dccdd82a5f03e1b67dda733e3e90112992276a01b91a017c8fe60d842d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HHf3c4kdaf.bat

Filesize
194B

MD5
dbcfb1d753e780b7e13019ce0e62fa69

SHA1
c043e83002936c536e270ab43ed1270968952029

SHA256
c57fc99890e126627128f373e5e7e2006a3322cc1622d9ad298f23e6bfccabc6

SHA512
e877cac9c09113cf2b84a2a4f7b86e30808763c04c75bc657a743330a997c5aa0bc2ca00502ad56acb1b7e24d6379e8cd1428b261bae0c20bf8a3fd1e5bfab5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat

Filesize
194B

MD5
2f59f853102ce6b6525db507832f10b5

SHA1
87a26f098140ae79af2563b749666a5f4e552527

SHA256
63929ef4cc68601cb20716bc23fd486d1d98fd2f3f2639f4095a645454e86403

SHA512
df232b0945bec5e7e21085dc8051de0580c46cc1656981ff8c187c52d98f2dad6a1636df1acb6bf4d9bb1871b068b7205164ff1fd579a278de02c18cda98d7f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NADK710Kqv.bat

Filesize
194B

MD5
9b8b75788421ea79c13c845d95f8c2d9

SHA1
fb0c6f4916acc95e960b62f2b12c0e0be5131754

SHA256
0948343fe4429ecab5cd5d82c943416398a21e99063862c8fe930e91754ea963

SHA512
cb1d5eab45ae45a0f2642f3be7d55b3eafa4bfa35a5cb152be1ac944ef7bb7c325778469fca538692653cd038709239feefd9e86ba622fb90f798fbb38f924a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\QazrxQR9tJ.bat

Filesize
194B

MD5
38ab32564b6cd3b4ec761fea984fd57f

SHA1
a1f70212941a5e11f3d9140881d161c3066917be

SHA256
d7d3e58d3a84353c7c34d9d464e3a707b71f22d52486f146b67ea7c548439cd6

SHA512
55a351c8f2afca410b4b779bff74b68c5f0193a9d9c59999ba6683fd4c1150afd11badfabcb8263da0bb9b5283f28a0f1158ab3945056693a929164cf9122e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar24B5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat

Filesize
194B

MD5
8f725334b445ae900a9e959f693471ad

SHA1
45047e781789c8f88159af695b2afb97046ecd53

SHA256
f939d15ce3b1fa313cd488c49eaf904407c592c672c1a14d776b1c2bbb27a5ca

SHA512
52fe1fa42627bbb1ea78a59cec79ba6efa3ca9f7389fab312e3a9c6509864abe4721c894faaec6ce1f5ae566c7c923510a4d9ee534236832b80d2761c82d6aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat

Filesize
194B

MD5
0d44e898c98adb36e3536af3b188013b

SHA1
9b4270bbf42d2b083c6dfee3c693c61c873b16ce

SHA256
5246c72ed3b0553a00f0384a3f4f74baeade8749fc35cf30a9be4e5fa55a78f3

SHA512
9d593c5e243369349fa06b376ed9d489c745850b20ed6db75f818af454febfb452732a798ecd434c94a3dcd217fbf82e3bfaff7f4dbd1aa864e18565c8f1567f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c38FLB8gIG.bat

Filesize
194B

MD5
f12294dc528149cc2b7d91b9267b661f

SHA1
3c5b39f659ccc6bcfd9b146e19cf9eff57766595

SHA256
a8b1b8bbcfbd25141b285d6767dbe5dfcf7d21b4ca26f98a9e6f7bb817cfd464

SHA512
05595b5e4b2127df99dbb413e406fe191fdacfa6a637b77a1fa45be0c0c05de6c7c18e3aa05764f528b050d3f6d29bf10ef299ca5c3bccded0a0723708401483

Download Submit
C:\Users\Admin\AppData\Local\Temp\gWC6ojzqIZ.bat

Filesize
194B

MD5
28cfd97cb802602816b26b69921f1944

SHA1
1e46a203ceae7e557db64883be35929237bac62c

SHA256
2d8440be7c9b11cd94221fa8804ac5424b7b657ae45cbd2d71f283b4d71644df

SHA512
128ffcf71caca640189d6fd3a214cfe5cefef1d0c005364ec8574758c49dbcdaf1786b47227443261ed88ddd39880b982317bdc047a16e33998ee13c1b15d928

Download Submit
C:\Users\Admin\AppData\Local\Temp\xdvgpfy6bM.bat

Filesize
194B

MD5
f1096093c4ffd64aed7d48bca962b830

SHA1
2565bdc62d11933078965066f5c6253575bd2bf4

SHA256
ab5ca7d5bb9fad9e603a78a947e164c1fc35881b6c68e5e31c277b972fe3b568

SHA512
a9cad05f827891fbf4afaf677ae3d6b6588968878d8c01cbffd50521cf9f6d5151099ddf59cab0f2b1c4248b3807e24ff68938eade16076e22840e9294d26791

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ef3a2368b464225fb405c458f0c7b377

SHA1
0e80b49fa080bd7a1dc5b1fa4039358ceaaf761f

SHA256
97d854b4bc1a10c3b6902a287b5548d3e87c2948cc8d15290dc83a6ad9d9cbbe

SHA512
7946500526787b4e198af0f4434f016423cd5b34b33ecb6574cff5cc2c2ba5cd47edc3f02b687ba2d81625f4fe31b5a817dee5360475d68d4dc43337aecf9417

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1236-53-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1236-52-0x00000000000D0000-0x00000000001E0000-memory.dmp

Filesize
1.1MB

Download
memory/1284-413-0x0000000000B90000-0x0000000000CA0000-memory.dmp

Filesize
1.1MB

Download
memory/1308-172-0x00000000003F0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download
memory/1588-353-0x0000000000200000-0x0000000000310000-memory.dmp

Filesize
1.1MB

Download
memory/1676-473-0x0000000000EC0000-0x0000000000FD0000-memory.dmp

Filesize
1.1MB

Download
memory/1736-233-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/1736-232-0x0000000001130000-0x0000000001240000-memory.dmp

Filesize
1.1MB

Download
memory/2004-48-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2004-49-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2420-593-0x00000000011A0000-0x00000000012B0000-memory.dmp

Filesize
1.1MB

Download
memory/2548-533-0x00000000001A0000-0x00000000002B0000-memory.dmp

Filesize
1.1MB

Download
memory/2632-112-0x0000000000070000-0x0000000000180000-memory.dmp

Filesize
1.1MB

Download
memory/2636-293-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2712-17-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/2712-16-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2712-15-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2712-14-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2712-13-0x00000000001D0000-0x00000000002E0000-memory.dmp

Filesize
1.1MB

Download