dcrat | 138eaba24e5abcd18648c4e80d1968da5d6917b8d0c380ac6ebc70d173efb10f

Analysis

max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_138eaba24e5abcd18648c4e80d1968da5d6917b8d0c380ac6ebc70d173efb10f.exe
Size

1.3MB
MD5

98c3a7956eb12c905453f1f4a6c27eff
SHA1

200d0d1baf4665c62d5b4b81de6216b1d29d3573
SHA256

138eaba24e5abcd18648c4e80d1968da5d6917b8d0c380ac6ebc70d173efb10f
SHA512

69e6ecc2206f49ed9912fae76750d081878e19c00c9b20f81e64a98f65056ff1ddf930a5cc7808e6794d0d634c7b71e7f15d0ecc34551065a2a80ed3fd7fb5ce
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2892	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0009000000016ccd-9.dat	dcrat
behavioral1/memory/2716-13-0x0000000000F80000-0x0000000001090000-memory.dmp	dcrat
behavioral1/memory/2480-45-0x0000000000E20000-0x0000000000F30000-memory.dmp	dcrat
behavioral1/memory/1688-342-0x00000000002C0000-0x00000000003D0000-memory.dmp	dcrat
behavioral1/memory/2844-402-0x0000000001140000-0x0000000001250000-memory.dmp	dcrat
behavioral1/memory/2016-521-0x0000000000220000-0x0000000000330000-memory.dmp	dcrat
behavioral1/memory/2932-581-0x0000000000AE0000-0x0000000000BF0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2444	powershell.exe
3056	powershell.exe
2660	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2716	DllCommonsvc.exe
2480	DllCommonsvc.exe
576	DllCommonsvc.exe
2852	DllCommonsvc.exe
860	DllCommonsvc.exe
2096	DllCommonsvc.exe
1688	DllCommonsvc.exe
2844	DllCommonsvc.exe
1320	DllCommonsvc.exe
2016	DllCommonsvc.exe
2932	DllCommonsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2348	cmd.exe
2348	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
34	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_138eaba24e5abcd18648c4e80d1968da5d6917b8d0c380ac6ebc70d173efb10f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3040	schtasks.exe
2792	schtasks.exe
2188	schtasks.exe
2832	schtasks.exe
2624	schtasks.exe
2684	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2716	DllCommonsvc.exe
2716	DllCommonsvc.exe
2716	DllCommonsvc.exe
2444	powershell.exe
3056	powershell.exe
2660	powershell.exe
2480	DllCommonsvc.exe
576	DllCommonsvc.exe
2852	DllCommonsvc.exe
860	DllCommonsvc.exe
2096	DllCommonsvc.exe
1688	DllCommonsvc.exe
2844	DllCommonsvc.exe
1320	DllCommonsvc.exe
2016	DllCommonsvc.exe
2932	DllCommonsvc.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	DllCommonsvc.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2480	DllCommonsvc.exe
Token: SeDebugPrivilege	576	DllCommonsvc.exe
Token: SeDebugPrivilege	2852	DllCommonsvc.exe
Token: SeDebugPrivilege	860	DllCommonsvc.exe
Token: SeDebugPrivilege	2096	DllCommonsvc.exe
Token: SeDebugPrivilege	1688	DllCommonsvc.exe
Token: SeDebugPrivilege	2844	DllCommonsvc.exe
Token: SeDebugPrivilege	1320	DllCommonsvc.exe
Token: SeDebugPrivilege	2016	DllCommonsvc.exe
Token: SeDebugPrivilege	2932	DllCommonsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2176	2092	JaffaCakes118_138eaba24e5abcd18648c4e80d1968da5d6917b8d0c380ac6ebc70d173efb10f.exe	30
PID 2092 wrote to memory of 2176	2092	JaffaCakes118_138eaba24e5abcd18648c4e80d1968da5d6917b8d0c380ac6ebc70d173efb10f.exe	30
PID 2092 wrote to memory of 2176	2092	JaffaCakes118_138eaba24e5abcd18648c4e80d1968da5d6917b8d0c380ac6ebc70d173efb10f.exe	30
PID 2092 wrote to memory of 2176	2092	JaffaCakes118_138eaba24e5abcd18648c4e80d1968da5d6917b8d0c380ac6ebc70d173efb10f.exe	30
PID 2176 wrote to memory of 2348	2176	WScript.exe	31
PID 2176 wrote to memory of 2348	2176	WScript.exe	31
PID 2176 wrote to memory of 2348	2176	WScript.exe	31
PID 2176 wrote to memory of 2348	2176	WScript.exe	31
PID 2348 wrote to memory of 2716	2348	cmd.exe	33
PID 2348 wrote to memory of 2716	2348	cmd.exe	33
PID 2348 wrote to memory of 2716	2348	cmd.exe	33
PID 2348 wrote to memory of 2716	2348	cmd.exe	33
PID 2716 wrote to memory of 2660	2716	DllCommonsvc.exe	41
PID 2716 wrote to memory of 2660	2716	DllCommonsvc.exe	41
PID 2716 wrote to memory of 2660	2716	DllCommonsvc.exe	41
PID 2716 wrote to memory of 2444	2716	DllCommonsvc.exe	42
PID 2716 wrote to memory of 2444	2716	DllCommonsvc.exe	42
PID 2716 wrote to memory of 2444	2716	DllCommonsvc.exe	42
PID 2716 wrote to memory of 3056	2716	DllCommonsvc.exe	43
PID 2716 wrote to memory of 3056	2716	DllCommonsvc.exe	43
PID 2716 wrote to memory of 3056	2716	DllCommonsvc.exe	43
PID 2716 wrote to memory of 1624	2716	DllCommonsvc.exe	47
PID 2716 wrote to memory of 1624	2716	DllCommonsvc.exe	47
PID 2716 wrote to memory of 1624	2716	DllCommonsvc.exe	47
PID 1624 wrote to memory of 3020	1624	cmd.exe	49
PID 1624 wrote to memory of 3020	1624	cmd.exe	49
PID 1624 wrote to memory of 3020	1624	cmd.exe	49
PID 1624 wrote to memory of 2480	1624	cmd.exe	50
PID 1624 wrote to memory of 2480	1624	cmd.exe	50
PID 1624 wrote to memory of 2480	1624	cmd.exe	50
PID 2480 wrote to memory of 1668	2480	DllCommonsvc.exe	52
PID 2480 wrote to memory of 1668	2480	DllCommonsvc.exe	52
PID 2480 wrote to memory of 1668	2480	DllCommonsvc.exe	52
PID 1668 wrote to memory of 2520	1668	cmd.exe	54
PID 1668 wrote to memory of 2520	1668	cmd.exe	54
PID 1668 wrote to memory of 2520	1668	cmd.exe	54
PID 1668 wrote to memory of 576	1668	cmd.exe	55
PID 1668 wrote to memory of 576	1668	cmd.exe	55
PID 1668 wrote to memory of 576	1668	cmd.exe	55
PID 576 wrote to memory of 3068	576	DllCommonsvc.exe	56
PID 576 wrote to memory of 3068	576	DllCommonsvc.exe	56
PID 576 wrote to memory of 3068	576	DllCommonsvc.exe	56
PID 3068 wrote to memory of 2876	3068	cmd.exe	58
PID 3068 wrote to memory of 2876	3068	cmd.exe	58
PID 3068 wrote to memory of 2876	3068	cmd.exe	58
PID 3068 wrote to memory of 2852	3068	cmd.exe	59
PID 3068 wrote to memory of 2852	3068	cmd.exe	59
PID 3068 wrote to memory of 2852	3068	cmd.exe	59
PID 2852 wrote to memory of 2672	2852	DllCommonsvc.exe	60
PID 2852 wrote to memory of 2672	2852	DllCommonsvc.exe	60
PID 2852 wrote to memory of 2672	2852	DllCommonsvc.exe	60
PID 2672 wrote to memory of 1840	2672	cmd.exe	62
PID 2672 wrote to memory of 1840	2672	cmd.exe	62
PID 2672 wrote to memory of 1840	2672	cmd.exe	62
PID 2672 wrote to memory of 860	2672	cmd.exe	63
PID 2672 wrote to memory of 860	2672	cmd.exe	63
PID 2672 wrote to memory of 860	2672	cmd.exe	63
PID 860 wrote to memory of 2504	860	DllCommonsvc.exe	64
PID 860 wrote to memory of 2504	860	DllCommonsvc.exe	64
PID 860 wrote to memory of 2504	860	DllCommonsvc.exe	64
PID 2504 wrote to memory of 1384	2504	cmd.exe	66
PID 2504 wrote to memory of 1384	2504	cmd.exe	66
PID 2504 wrote to memory of 1384	2504	cmd.exe	66
PID 2504 wrote to memory of 2096	2504	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_138eaba24e5abcd18648c4e80d1968da5d6917b8d0c380ac6ebc70d173efb10f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_138eaba24e5abcd18648c4e80d1968da5d6917b8d0c380ac6ebc70d173efb10f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\Local\Application Data\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x1VfyMFqhT.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1624
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3020
      - C:\Users\Default\AppData\Local\Application Data\DllCommonsvc.exe
        
        "C:\Users\Default\AppData\Local\Application Data\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nc51i3GWIc.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2520
        
        C:\Users\Default\AppData\Local\Application Data\DllCommonsvc.exe
        
        "C:\Users\Default\AppData\Local\Application Data\DllCommonsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nfin2KLgOh.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2876
        
        C:\Users\Default\AppData\Local\Application Data\DllCommonsvc.exe
        
        "C:\Users\Default\AppData\Local\Application Data\DllCommonsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eKnLpNzAx9.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1840
        
        C:\Users\Default\AppData\Local\Application Data\DllCommonsvc.exe
        
        "C:\Users\Default\AppData\Local\Application Data\DllCommonsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\avPRQTW9Zy.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1384
        
        C:\Users\Default\AppData\Local\Application Data\DllCommonsvc.exe
        
        "C:\Users\Default\AppData\Local\Application Data\DllCommonsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat"
        15⤵
        
        PID:2552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2548
        
        C:\Users\Default\AppData\Local\Application Data\DllCommonsvc.exe
        
        "C:\Users\Default\AppData\Local\Application Data\DllCommonsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iIDKKqsGny.bat"
        17⤵
        
        PID:1524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3032
        
        C:\Users\Default\AppData\Local\Application Data\DllCommonsvc.exe
        
        "C:\Users\Default\AppData\Local\Application Data\DllCommonsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uP802u8Cku.bat"
        19⤵
        
        PID:1700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1972
        
        C:\Users\Default\AppData\Local\Application Data\DllCommonsvc.exe
        
        "C:\Users\Default\AppData\Local\Application Data\DllCommonsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tiBdOqTAMf.bat"
        21⤵
        
        PID:2060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2392
        
        C:\Users\Default\AppData\Local\Application Data\DllCommonsvc.exe
        
        "C:\Users\Default\AppData\Local\Application Data\DllCommonsvc.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QVLs15dYuc.bat"
        23⤵
        
        PID:1812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1076
        
        C:\Users\Default\AppData\Local\Application Data\DllCommonsvc.exe
        
        "C:\Users\Default\AppData\Local\Application Data\DllCommonsvc.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Users\Default\AppData\Local\Application Data\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default\AppData\Local\Application Data\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Users\Default\AppData\Local\Application Data\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7fd2d0f1a63f460d3da19f1b7a2b7c0e

SHA1
b1d346cc99421ced7441b1c0b334cbb47ab1e707

SHA256
4abd86f5fee4103d8eddb3a84a0d9617d02cc9222db13d8ce45ccef2be9606d1

SHA512
c24550bd5cab2911a3e9d97b42aa93b852c545228a57e97473852ff78d345a8be922b9945aeb6afea712f34de47bbdc427ec7f3cc0d784b7aac2571784824558

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc51b4a2edce4d631bb79e0c6ad20cf1

SHA1
7f0ca2b1ee92935b4d777169caff07a298a16d2f

SHA256
6c11696eed93995dc1dbbeaeea246fbc2d2b06f0392da23eb54bc0006c12c1cf

SHA512
fc4b86b91d4306a1ec7d8d832f7ff694b5167695e7414be8eab7b704cbb3a729712d5c0c8ba83ff05406d1dceed72ef6820e0206e16f4bdf34ec8429434790e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ccdf45b3c98ab85718d80edfaea9d7e5

SHA1
d0f4018bbc736a0d6e93a05a62f82edc440f2ced

SHA256
f0483cb540b12101eebed3e503d9c30907f6f011199cd525a8e044af8a35616d

SHA512
2e25cd813a120d2300388c14c22ab1b027435375977f732d0e79a6c0ee9f411f9b8b5f8618ffe943ba600bbad7e7188398829cf562ebecf0faae415406aa83aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09b2798e09a3c3f0ed84144d313afedb

SHA1
86c2e32c6902b20adb52c21edbff57b81c1d04dc

SHA256
f8cdcb1621c41ccda204e9f9506dce501b1a56fe9d0746388d39b10e4349f70c

SHA512
4b2dd4b325b56de70e0609ab4200c7dc86d41cc7f80fd561b3027e9c577d655902da5aac5e93388f4815bf4dbdb86ddc6c1b8a15342f6a02fdc941fb4c7fc916

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c4902b102d45def4983cc56f30ff0f1

SHA1
5a416defed9279b67df4dbc1b8ea9943aadc4242

SHA256
caf9d2c39ed9bfdc7caed660d3aade041033fce50221ae7cd64368adde27e12f

SHA512
ee02d6f8579b6fef55edc30024bf78c4f144c1fd0d286ab19ed8618f061f304a4e59f0c39d49ada387caefda4f672e0906d096450e14ad520a2b2ae09c4c75d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f082cf8c39fa1944cf4aa87dfa8c4d0e

SHA1
0405ddf747ea9b2f5df2ba9711330943c4bac182

SHA256
8e24e8c63d3118fa964f9cf21bddf75f984f70cb7021e646b1235f0bb8c1bcec

SHA512
a4178ccd72c49cc7b26c3d3ea08309da579c7b1bf7743045827064649c4484dfef1205415b622b14cb8b53db926dc4451abb20b68e33b5caa1aedd6c39dda6a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba906888b2d96405d615784d0ca9f8a8

SHA1
72ecaf73af82d9338b0cc57658dcc98ab2bf9434

SHA256
373e99ef53e94ff9d6402023d6de5200cfc5aaf8a8b3589d4358610243c05ae9

SHA512
5565facbede6e28c60558b6adbcc988a5c2295c1ca180a5fcdf47204da1e6c6e8974e90170383d2a6499c847ef0a226b3143ce40acf412c84598293907a59be2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87b93a3f4ccb9885bcc7f1a44b4afa3b

SHA1
ad8b0a6f2e7492335d9399d0a99c24fe64cfa799

SHA256
ec5a6a8427677dfc78146f0659572fd36f1eed8315ad5fb2c1c422b8a0e09221

SHA512
32b81afdfc48b121312e4fe75330a70a24120d9f4a49d8f17e7e79971d38c2ee57d9660d5bf278e1ca02f60e93c6aa63afd26fa16856d7c6f660212d9ce9c54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat

Filesize
229B

MD5
af08963e65ba071ba6720c04a6e9f427

SHA1
905aabed211c9023bac1843537e4fc1d3c6b7525

SHA256
f6ff62985ddf0a1c2fe1216868abdf1a1675d834929f685747ddf6d1ad68da4e

SHA512
495bee48db268a2491c4a6878c12e80abd39cb7ea409591bfa2ed1399adfac58dd94b394169fc0d45669761c090275635e55f32061d1bcd7145fff9e76a9b4da

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDE7F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nc51i3GWIc.bat

Filesize
229B

MD5
8642b290e8b02a9a8668d0fd05567479

SHA1
8ec4e17716133e981911add4600f80f3bc5f3263

SHA256
ae699fd5df295d414797d120f6632c5cdc7615f17d3843b062f8086295c05d07

SHA512
aa4166de26fa4b4f73357c8608d8774dad76654b2ba46c7925ed4137f26b1aa4d61956bbfb79b408a2c87419d7940b7604823ef3d8d9df48c19793f39e3944f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\QVLs15dYuc.bat

Filesize
229B

MD5
bb092eec02fe15539d6b845f56b01975

SHA1
81cc4135179569f938de2128fc261362f041c5d6

SHA256
ae77fff3a0e9460bdde878617bbbeac076cf8b06f09635aae6f92b596759f00b

SHA512
a3449f5381b3778c4848befe37d558a752ab32b1ab49d776addd74545a6d7bd1d91c587d156c3d153df9da4b03c97497999d155adfa1a8ef47330bfc28b52b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDEA1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\avPRQTW9Zy.bat

Filesize
229B

MD5
d91cf1a36be731a587c30a6615461cd9

SHA1
f9f9066cc5962a49ad0efd2a1731b386e9eec2af

SHA256
383f9f258ff341ec887565848b69fd889309ad941aa824d4c0598a2e2ef8e1eb

SHA512
7a6148790fcb0f7121acfcb1af804e3d0d8f484ecab91999495801ba0208d0b5c373eac7031b95204ad1840ed3b3da13ae7ed758870d339f0aa4de47b3b87e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKnLpNzAx9.bat

Filesize
229B

MD5
368066abad006803f12caf8fef0e2d26

SHA1
ff94d17bfcb3749834987d2deb7933d1d2a865df

SHA256
288d675d4e89a9d2c806872a78e21b468972c62e814c9b44de4993aa5f72884c

SHA512
6b2d9284510ee5c1fc76f19c719573ecf036eb8eb5eeafdc4068d90202fb07c7549b17f40611700fb7f4bc6dba80cd7d153b7b4c2bb7935cce61ce4018670607

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIDKKqsGny.bat

Filesize
229B

MD5
caa0b518e2672ad55c946c7dafbf332d

SHA1
ed18adb90c43b873bab1e5f30fd90519bf91f044

SHA256
391bcb2f500b37d88a5572ff4bb2b71ab268ababf3b3f65d666ec1936cae99bb

SHA512
7eda9c41bdab9a004e36dc32114ed0a5d41e169a8cd93629cfb667ea41f2d83ad2f59be22f2aa1e7ca40f672193d92e38b155b6ad21b8dbd4963701fb030f40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nfin2KLgOh.bat

Filesize
229B

MD5
51a5b40f8004d1c110be0775196362bd

SHA1
e0c890ebac8f562c71ce669b2b1fc42b08fe1d31

SHA256
b90ad6a60886bd0e0fa2f8d6958de832edf9c6d4f11a53322bfcb78b8f1f10a5

SHA512
64b5fe086cc31b82881ac8eae77431cfc61943d39ae5b6b13b20704fe39e2917c90cc471162efd86ed90677badea2f0abf62eb16646215bfbdcd5e0317f0b193

Download Submit
C:\Users\Admin\AppData\Local\Temp\tiBdOqTAMf.bat

Filesize
229B

MD5
90fd743e84528bbe1a9deb016a476740

SHA1
1790cd9addf6400047e670dd5cf2723d36915320

SHA256
877ca2a0eb26071b277b3a7be71225d6eae9a6ddd8dcf0f352d094db1baa2545

SHA512
32540e92277076f9bc8381e600c57ebcd934a6273196afbe029bb95f3875226fb1b15f794e3650af4697ab4af2a873c6aa4c44da777d02fb21682f7763b3f407

Download Submit
C:\Users\Admin\AppData\Local\Temp\uP802u8Cku.bat

Filesize
229B

MD5
bd87ba76bc6effe598c5323bab24370e

SHA1
a1a364f4460e73e903f4b4cbb771535ce1d59f31

SHA256
f7e621c8c208806013f30e2c20c2ea493fa67e556f17e1aba36510f8226978e4

SHA512
4705ab157837934b4798d931fd840b51213b5811756b36490cf53e7f7d0a938247acc30e770fa7697864d41b50c0d4074d12689d9a45e077be3cf101d00d2a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1VfyMFqhT.bat

Filesize
229B

MD5
1ac29f9413ff2a762329373a8d833186

SHA1
cbc1863efbd6dda9ec7242c5fb1baf0ee59dbd06

SHA256
2945ce7c5aeaf514f4a3c70eafe9ba4759d72f3efb2a27cc181857004686983f

SHA512
29caebe8ddb0a5bdb28aff605bf67a7d222b2076067c63dc4f64eaad32d807560604e55584f5fc12c36c59c029b247b1a58a9660003846558620966d9478251e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1a47b751982d370f26380becfd7c346c

SHA1
13d49ce4686ae3dbf78f66a6c412f85bea4f6b4b

SHA256
c2c1d2589a0950e93f2207c593999703935a142b22b3c48ea47093654fa51445

SHA512
f2cc1dedf81ccc8e8d3ec77a931505e72ad2b34e036309b365c8aa61c61b98cc11701bfdb91be55715627b4e31efa860c503e883d1310155ada3160f82ba6e3c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/576-105-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/1688-342-0x00000000002C0000-0x00000000003D0000-memory.dmp

Filesize
1.1MB

Download
memory/2016-521-0x0000000000220000-0x0000000000330000-memory.dmp

Filesize
1.1MB

Download
memory/2444-35-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/2444-31-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/2480-46-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2480-45-0x0000000000E20000-0x0000000000F30000-memory.dmp

Filesize
1.1MB

Download
memory/2716-13-0x0000000000F80000-0x0000000001090000-memory.dmp

Filesize
1.1MB

Download
memory/2716-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2716-15-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2716-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2716-16-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2844-402-0x0000000001140000-0x0000000001250000-memory.dmp

Filesize
1.1MB

Download
memory/2932-581-0x0000000000AE0000-0x0000000000BF0000-memory.dmp

Filesize
1.1MB

Download