dcrat | 80fb14dd63f45c3ab4f35a934142e30ec5d48f809a7faf4cae142e779e7be219

Analysis

max time kernel
148s
max time network
143s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80fb14dd63f45c3ab4f35a934142e30ec5d48f809a7faf4cae142e779e7be219.exe
Size

1.3MB
MD5

d35636fd3b468b2af7bc37c0dacd2f99
SHA1

b647bf0419bb76f48fc2858b8ce0e7e3395beb4a
SHA256

80fb14dd63f45c3ab4f35a934142e30ec5d48f809a7faf4cae142e779e7be219
SHA512

1ca88114f6b0bf250508c6d08593d8de5e1a85069c77844303f53067e0c67f2dad0a7c61d7523650b3a2e586493d30edc4f856a95291e9c0630072a2f0e6a97f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2476	schtasks.exe	35

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d42-9.dat	dcrat
behavioral1/memory/2492-13-0x00000000009C0000-0x0000000000AD0000-memory.dmp	dcrat
behavioral1/memory/1556-35-0x0000000000360000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/2236-110-0x0000000001120000-0x0000000001230000-memory.dmp	dcrat
behavioral1/memory/2492-466-0x00000000013C0000-0x00000000014D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1144	powershell.exe
1092	powershell.exe
536	powershell.exe
1684	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2492	DllCommonsvc.exe
1556	dllhost.exe
2236	dllhost.exe
2264	dllhost.exe
2016	dllhost.exe
1368	dllhost.exe
2504	dllhost.exe
1512	dllhost.exe
2492	dllhost.exe
2452	dllhost.exe
1828	dllhost.exe
1576	dllhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2964	cmd.exe
2964	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
26	raw.githubusercontent.com
37	raw.githubusercontent.com

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DigitalLocker\es-ES\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\DigitalLocker\es-ES\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\DigitalLocker\es-ES\dllhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80fb14dd63f45c3ab4f35a934142e30ec5d48f809a7faf4cae142e779e7be219.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2708	schtasks.exe
1804	schtasks.exe
2720	schtasks.exe
2968	schtasks.exe
2628	schtasks.exe
2912	schtasks.exe
1664	schtasks.exe
2256	schtasks.exe
2260	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2492	DllCommonsvc.exe
1092	powershell.exe
1684	powershell.exe
536	powershell.exe
1144	powershell.exe
1556	dllhost.exe
2236	dllhost.exe
2264	dllhost.exe
2016	dllhost.exe
1368	dllhost.exe
2504	dllhost.exe
1512	dllhost.exe
2492	dllhost.exe
2452	dllhost.exe
1828	dllhost.exe
1576	dllhost.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2492	DllCommonsvc.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	1556	dllhost.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	2236	dllhost.exe
Token: SeDebugPrivilege	2264	dllhost.exe
Token: SeDebugPrivilege	2016	dllhost.exe
Token: SeDebugPrivilege	1368	dllhost.exe
Token: SeDebugPrivilege	2504	dllhost.exe
Token: SeDebugPrivilege	1512	dllhost.exe
Token: SeDebugPrivilege	2492	dllhost.exe
Token: SeDebugPrivilege	2452	dllhost.exe
Token: SeDebugPrivilege	1828	dllhost.exe
Token: SeDebugPrivilege	1576	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1440	2000	80fb14dd63f45c3ab4f35a934142e30ec5d48f809a7faf4cae142e779e7be219.exe	31
PID 2000 wrote to memory of 1440	2000	80fb14dd63f45c3ab4f35a934142e30ec5d48f809a7faf4cae142e779e7be219.exe	31
PID 2000 wrote to memory of 1440	2000	80fb14dd63f45c3ab4f35a934142e30ec5d48f809a7faf4cae142e779e7be219.exe	31
PID 2000 wrote to memory of 1440	2000	80fb14dd63f45c3ab4f35a934142e30ec5d48f809a7faf4cae142e779e7be219.exe	31
PID 1440 wrote to memory of 2964	1440	WScript.exe	32
PID 1440 wrote to memory of 2964	1440	WScript.exe	32
PID 1440 wrote to memory of 2964	1440	WScript.exe	32
PID 1440 wrote to memory of 2964	1440	WScript.exe	32
PID 2964 wrote to memory of 2492	2964	cmd.exe	34
PID 2964 wrote to memory of 2492	2964	cmd.exe	34
PID 2964 wrote to memory of 2492	2964	cmd.exe	34
PID 2964 wrote to memory of 2492	2964	cmd.exe	34
PID 2492 wrote to memory of 1684	2492	DllCommonsvc.exe	45
PID 2492 wrote to memory of 1684	2492	DllCommonsvc.exe	45
PID 2492 wrote to memory of 1684	2492	DllCommonsvc.exe	45
PID 2492 wrote to memory of 536	2492	DllCommonsvc.exe	46
PID 2492 wrote to memory of 536	2492	DllCommonsvc.exe	46
PID 2492 wrote to memory of 536	2492	DllCommonsvc.exe	46
PID 2492 wrote to memory of 1092	2492	DllCommonsvc.exe	48
PID 2492 wrote to memory of 1092	2492	DllCommonsvc.exe	48
PID 2492 wrote to memory of 1092	2492	DllCommonsvc.exe	48
PID 2492 wrote to memory of 1144	2492	DllCommonsvc.exe	49
PID 2492 wrote to memory of 1144	2492	DllCommonsvc.exe	49
PID 2492 wrote to memory of 1144	2492	DllCommonsvc.exe	49
PID 2492 wrote to memory of 1556	2492	DllCommonsvc.exe	53
PID 2492 wrote to memory of 1556	2492	DllCommonsvc.exe	53
PID 2492 wrote to memory of 1556	2492	DllCommonsvc.exe	53
PID 1556 wrote to memory of 1676	1556	dllhost.exe	54
PID 1556 wrote to memory of 1676	1556	dllhost.exe	54
PID 1556 wrote to memory of 1676	1556	dllhost.exe	54
PID 1676 wrote to memory of 804	1676	cmd.exe	56
PID 1676 wrote to memory of 804	1676	cmd.exe	56
PID 1676 wrote to memory of 804	1676	cmd.exe	56
PID 1676 wrote to memory of 2236	1676	cmd.exe	57
PID 1676 wrote to memory of 2236	1676	cmd.exe	57
PID 1676 wrote to memory of 2236	1676	cmd.exe	57
PID 2236 wrote to memory of 2908	2236	dllhost.exe	58
PID 2236 wrote to memory of 2908	2236	dllhost.exe	58
PID 2236 wrote to memory of 2908	2236	dllhost.exe	58
PID 2908 wrote to memory of 2880	2908	cmd.exe	60
PID 2908 wrote to memory of 2880	2908	cmd.exe	60
PID 2908 wrote to memory of 2880	2908	cmd.exe	60
PID 2908 wrote to memory of 2264	2908	cmd.exe	61
PID 2908 wrote to memory of 2264	2908	cmd.exe	61
PID 2908 wrote to memory of 2264	2908	cmd.exe	61
PID 2264 wrote to memory of 1336	2264	dllhost.exe	62
PID 2264 wrote to memory of 1336	2264	dllhost.exe	62
PID 2264 wrote to memory of 1336	2264	dllhost.exe	62
PID 1336 wrote to memory of 2704	1336	cmd.exe	64
PID 1336 wrote to memory of 2704	1336	cmd.exe	64
PID 1336 wrote to memory of 2704	1336	cmd.exe	64
PID 1336 wrote to memory of 2016	1336	cmd.exe	65
PID 1336 wrote to memory of 2016	1336	cmd.exe	65
PID 1336 wrote to memory of 2016	1336	cmd.exe	65
PID 2016 wrote to memory of 768	2016	dllhost.exe	66
PID 2016 wrote to memory of 768	2016	dllhost.exe	66
PID 2016 wrote to memory of 768	2016	dllhost.exe	66
PID 768 wrote to memory of 752	768	cmd.exe	68
PID 768 wrote to memory of 752	768	cmd.exe	68
PID 768 wrote to memory of 752	768	cmd.exe	68
PID 768 wrote to memory of 1368	768	cmd.exe	69
PID 768 wrote to memory of 1368	768	cmd.exe	69
PID 768 wrote to memory of 1368	768	cmd.exe	69
PID 1368 wrote to memory of 2192	1368	dllhost.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\80fb14dd63f45c3ab4f35a934142e30ec5d48f809a7faf4cae142e779e7be219.exe
"C:\Users\Admin\AppData\Local\Temp\80fb14dd63f45c3ab4f35a934142e30ec5d48f809a7faf4cae142e779e7be219.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\es-ES\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
    - - C:\Windows\DigitalLocker\es-ES\dllhost.exe
        
        "C:\Windows\DigitalLocker\es-ES\dllhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1556
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:804
        
        C:\Windows\DigitalLocker\es-ES\dllhost.exe
        
        "C:\Windows\DigitalLocker\es-ES\dllhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fH1ASKIIFN.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2880
        
        C:\Windows\DigitalLocker\es-ES\dllhost.exe
        
        "C:\Windows\DigitalLocker\es-ES\dllhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2704
        
        C:\Windows\DigitalLocker\es-ES\dllhost.exe
        
        "C:\Windows\DigitalLocker\es-ES\dllhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:752
        
        C:\Windows\DigitalLocker\es-ES\dllhost.exe
        
        "C:\Windows\DigitalLocker\es-ES\dllhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o4pIGJu18c.bat"
        14⤵
        
        PID:2192
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2072
        
        C:\Windows\DigitalLocker\es-ES\dllhost.exe
        
        "C:\Windows\DigitalLocker\es-ES\dllhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n7UEJyIAjk.bat"
        16⤵
        
        PID:2756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:316
        
        C:\Windows\DigitalLocker\es-ES\dllhost.exe
        
        "C:\Windows\DigitalLocker\es-ES\dllhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat"
        18⤵
        
        PID:1380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2952
        
        C:\Windows\DigitalLocker\es-ES\dllhost.exe
        
        "C:\Windows\DigitalLocker\es-ES\dllhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IVqzzTSBcr.bat"
        20⤵
        
        PID:2288
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1968
        
        C:\Windows\DigitalLocker\es-ES\dllhost.exe
        
        "C:\Windows\DigitalLocker\es-ES\dllhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DhSpfyjZaR.bat"
        22⤵
        
        PID:1596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2912
        
        C:\Windows\DigitalLocker\es-ES\dllhost.exe
        
        "C:\Windows\DigitalLocker\es-ES\dllhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat"
        24⤵
        
        PID:2976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:952
        
        C:\Windows\DigitalLocker\es-ES\dllhost.exe
        
        "C:\Windows\DigitalLocker\es-ES\dllhost.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\es-ES\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Cookies\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Cookies\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Cookies\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b38c5a37aebe89f63e6dbb702c06c882

SHA1
d59ed55c5a64fc0cfb6c666f2e734e8eae62f222

SHA256
4b515a4c7020a796cff74d83c026858199b70566a58d63729cd279bcfc38d292

SHA512
47c042647ef1eb1f53e8d1a769d2ddc02efdbcbda10896d0625e63752687421d98c47936ca74e93594c595793580b14979dc8248d3136c1af1dcb642cc75612b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6f77935a1cb6896c4e6ad484ad6c762

SHA1
62bf6ad28de48a392e650a581b6adce9e5f82fd4

SHA256
4eb75d2fb52bff77bccc786b1f842972959c892082c96649218260b45a5b2cfc

SHA512
7174f3a340bdf4cbe5758623b7dae4f49c9dd92a002d2ef483402dacb7da49b6b7c75d1fe02a1a8f38b3fca9cef710e1d5824b4b3b3bd645444461dab1805c88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
500238b8b8c9f00af7564b14eda7c7ef

SHA1
9fa43aa8f319d625e55f42ed7b5b7fe23edffa07

SHA256
8709507078b302a4a24d034523b3e7fdfb424c72e845ca8c0b4d737fa2bd66de

SHA512
21583140f9e27958634c2c6f44552356d4e4dbfa6e599dbb746b80d37a71bfe5175aab82ee1a62b7405f2c25aa19dc0802200c543787e93d71f114919a7d6245

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e4066d0406e7d401a246a3b3c9469f0

SHA1
9f03733220443032372131fa0c8b6f2826997951

SHA256
4193c68e727b63667909f559c4cb7b3bfd90c03f1b837be271dd382d8b3046bb

SHA512
a0b5f45bf6b7c7d0d80e4e1a3a3adfffb1ce3c05dab1c8db411eafb8221f43c69c62681bab74aa915d5f8bf2171228d83b621cd11bcd342329fc36b881ac3942

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
facb6592ba4ec887a4912158c72477f0

SHA1
d19f6ab511ddb26bf4768195fe669e0163230dd3

SHA256
db5db402681e3386047c5de9fde8e02a16dc28a08892ba3f99d643261ac07833

SHA512
389b694c1d4ec1731336137e385691099a02c9c68adbf2583588fed3a48f514ba4e7ee9325201f1f95babf15bd37cdb367347b0f959dd233256f2603f4eef510

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c74090e6010cc5ed3f4181a6cfd831e

SHA1
0e1bf514defc33a249b2721bd014ad3587fb76e7

SHA256
2c0e9408c2f157b27f3b5abfe42238705a7143e8dddede6b1ae5f7fb6d9353d9

SHA512
71bdcdd2c3750adf1eba630e79579d7de186830bddc1f6ed619208453000330e6f3a655e7895d05da01d81f70cca3836ae324d6b48d2c9609daae386e9d05032

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a6bab15d131ed8b0b2b1d8ca801f030

SHA1
76fa64cb3d024eb2a8e1468b6b9a0125df6b174f

SHA256
7d9a743f7134aa240280675549fddbf28f73031d69f433dccc3d36eddee8a899

SHA512
de2115aae9e59908ccceeb1cf35b327521ec1accf1e9d35d367b64d0699f985b4cb8fa2390d7fe5c5baaaabb368fb9b9b753ebb961a64543c1e9bd6c13b2869c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b27353948e2742a586a661c29b54f110

SHA1
b036d4ad1c2f7689bbf07230a2a9914b3fb911d2

SHA256
853259bc627fd4cdbc04abadf161ab16500e7c4702a676575ffc1387d27b0e70

SHA512
a7fbcfd1f4513b6897f2d6783c6191cc31f83b3689981953c1a84f512e6cbd8efee65090e34a279dc1fb742c6a587d4af5df4aaf77e062c633884557260d4330

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f52e02e38ff270f1bd03f6ab1912079c

SHA1
e61037c23b42f168356ffe98b20850a4ab98ee54

SHA256
ad5c02bbee128f47b1ec8dfc3b81a849fa56b229e1ec0e469743d6df7621f7ec

SHA512
a55985469757fcc6705c189a9975291f4ea3e5f0bb4c55cb1fca1781b045d50aea154f9fd6ad7202210e95974d9659fb5a1d190b4ebc769fe449aeb49c998bba

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE26.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DhSpfyjZaR.bat

Filesize
207B

MD5
9d154b5ea07061b84259304bd586a92b

SHA1
a57d976d7269bb73a9ab095fb57b7fed1265f5e5

SHA256
788abe05d08e5234a242d1771bb8cff6f61ac5e5488af98cac33c320f48138e2

SHA512
7a90fbf47f4a61c62ac3aca36d530d03fabe89a25bd02c25d9c12900e232c31d3cad311aa3c7500f6c80ca0289e13843bb750c931e24a839ab72d69ada1ce2c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IVqzzTSBcr.bat

Filesize
207B

MD5
416d30cf33f6e589147f0f02fef7ff13

SHA1
d38c0d84f145c62b95b16bf1da843fd179ca2176

SHA256
124d0f996ea244791bd279cac416dc873a05f6db3493d137c570613454d8ed09

SHA512
3ca03bb11d85f94da3ae297144d38498b949ba5e4099583d72e043190d145bfee7c451b3ac77976a0eec862fbc105f583c4289809b7022f926844f54969fa230

Download Submit
C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat

Filesize
207B

MD5
169aed8dbc35de5a4a537d12607fef1c

SHA1
bf578896889c5cc9895b3cf89a310e65545e2552

SHA256
5edade0d81cdc934d21ee2bccfdd5e3835f0c62d12d50e775f8e7d813072b532

SHA512
2fc00991e28292664500fe9b82e3f0ed3a8bf5e4bf3ab667446b47dfa2d3f78e3a2024e7f013901fabceb50a9b4e3cf2304510f99d33106018ea4b98f930dd30

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE39.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fH1ASKIIFN.bat

Filesize
207B

MD5
110b33ac69a27cf6d3ebe94c8a48c482

SHA1
5a156e675ebd94c1b3bb683c63d350294ca6a4d9

SHA256
9e1d503982456aed953567c9546c6e2bd419a25be9ce6f52f210f40fc2de74ec

SHA512
2d51bcd7994ba360d065d52d6452669f2e0a6811da770d6939d38072b3a1cb0a2ebf7d1982e7b3696f9404963fc6c567578687979fde4891db25c293ebd48a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat

Filesize
207B

MD5
622ed2aa58fa33ce72763da9c6f7aaab

SHA1
681a35908899a50e4a466b0011906255bbcb28c5

SHA256
1539eea8a26dbe2f6ddae7540cea454c09a94831d1a62b181bdc497736c44955

SHA512
d047612df035e53058824adb37f5c0c2af0b12d504d27c3e0449ba319a9a6a8cb1b726dfd3b65690d442f84838be116e97ca05a829bcf17e084f7bae9dc75c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\n7UEJyIAjk.bat

Filesize
207B

MD5
0a08628e4daaddcdebd6fc032aacaf2e

SHA1
c97c70037e9e7e70d190f5659d12326b52433f01

SHA256
2b1c0d0fb790ac4c1d2801513ede9ca58458c875e87e935a26052dc2e5f95879

SHA512
1d2f9c8ce85dd7fef4efbebb6d8661b7aa3e39948267db29e6931d17a298888998d41996c8c7dd6231d67ea3499b63769c1c29c45e88b9d64e649698c1c7815b

Download Submit
C:\Users\Admin\AppData\Local\Temp\o4pIGJu18c.bat

Filesize
207B

MD5
661f43d42c8536f129454caa09d04873

SHA1
fd90bae13f3cf28751723465d6a0fd929efbcb08

SHA256
436cbcdc27ff150fbae3982d8389a772bf1c5c27b5b5ee5846eb1b57fb65b2d7

SHA512
c1875e47231b59ac772bfdab4c8c7c14d7297251664a2173388d331fc51d112603413116dcbf49e668354b77d109d2c147d524957a7cbc1978d57f8dd43d54e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat

Filesize
207B

MD5
745fecdf1fb93c5bcb7091beb9a045a5

SHA1
473d89da79b4f33f89b40a731758ef7fa2467dc3

SHA256
741b9994a2d11025e86c59ac688cc30b9918cdd394849f5ed1e4a83fc26a76d6

SHA512
344991cb3b79ec23d489f3d879e1771bf6d33a305b25dfafa31f57b98f7e0eca3bbb9eab0c89727edd142c341da1afdcbed33e9a13b4ae169bc674146f3995ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat

Filesize
207B

MD5
7e4e7afcc17d3e225da018b7435c7135

SHA1
d4cc5af66f4596fff1772606fc48bf676690a16f

SHA256
23bab818ec4f2f189dd76654f62d34bf4675124870ea67c9709097a2eba75014

SHA512
8608a4ed0eab4e89d8e71d225683f5c64b0387826f0c547123e0ff85bc90e174c41ef9318edbdc26c351d9409b4d2d9d7d9ceb234d51fc756e5b19db30fee2da

Download Submit
C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat

Filesize
207B

MD5
5862f26bac68adf0b0380958122c0fb9

SHA1
c28c4848e66a07c28d0b489853229cbdb0805465

SHA256
428e5574a93e65b27b0dd1327f18c03c5ec892607fb78f44d0708f33fcecafb0

SHA512
5dd02497098b777b131e67a0f71ce10868588a799e96656a00eff081ed3bea627051f48829a00cdf4c76e2f29b8e68ee00095a1c85bafdad8bbb96e5c801d8f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8b7c3eb39549f7c8282c234170b34edc

SHA1
4d0c1a2fab58dedda946f4e90bae8f3139b1009e

SHA256
a9df7dd250df4fcd27ae0542d7642dc3abb6d365d7c7e4d48911724bff2b5f75

SHA512
260e26a5688913db6de2496b485dc5c2d293752e4458677f93bcb370b2122c16753afb6838f038e60583034666e52e3db062338acc1a6dc01401d622fa1aca97

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1092-41-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/1556-35-0x0000000000360000-0x0000000000470000-memory.dmp

Filesize
1.1MB

Download
memory/1684-40-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/2236-110-0x0000000001120000-0x0000000001230000-memory.dmp

Filesize
1.1MB

Download
memory/2236-111-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2492-15-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2492-466-0x00000000013C0000-0x00000000014D0000-memory.dmp

Filesize
1.1MB

Download
memory/2492-17-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/2492-16-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/2492-14-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2492-13-0x00000000009C0000-0x0000000000AD0000-memory.dmp

Filesize
1.1MB

Download