dcrat | 9652559514c9e69855f2ccbf7bd48185b0bd7e9d253b9b4b57393bc84567265e

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9652559514c9e69855f2ccbf7bd48185b0bd7e9d253b9b4b57393bc84567265e.exe
Size

1.3MB
MD5

0c5befce97ca5c300c40df5b9502e863
SHA1

1a61439f550f745de3fe358c770950334fb02300
SHA256

9652559514c9e69855f2ccbf7bd48185b0bd7e9d253b9b4b57393bc84567265e
SHA512

a52607af5301e14ae9ffbd4166a8ebd69e5702ce4cf9a7200f5d857b176cbdb8bca4f6697fd2226f659c582f7078a69a8820a95997f210c1b91fcd5afc3e05c1
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2512	schtasks.exe	35

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d69-11.dat	dcrat
behavioral1/memory/2228-13-0x0000000000AB0000-0x0000000000BC0000-memory.dmp	dcrat
behavioral1/memory/560-52-0x0000000000DD0000-0x0000000000EE0000-memory.dmp	dcrat
behavioral1/memory/2492-348-0x00000000003F0000-0x0000000000500000-memory.dmp	dcrat
behavioral1/memory/2800-408-0x0000000000F40000-0x0000000001050000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1460	powershell.exe
1496	powershell.exe
2972	powershell.exe
2644	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2228	DllCommonsvc.exe
560	dllhost.exe
1724	dllhost.exe
2828	dllhost.exe
1808	dllhost.exe
2124	dllhost.exe
2492	dllhost.exe
2800	dllhost.exe
2132	dllhost.exe
2680	dllhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2964	cmd.exe
2964	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
20	raw.githubusercontent.com
30	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\OSPPSVC.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\7a0fd90576e088	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\LiveKernelReports\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\LiveKernelReports\dllhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9652559514c9e69855f2ccbf7bd48185b0bd7e9d253b9b4b57393bc84567265e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2896	schtasks.exe
2012	schtasks.exe
2792	schtasks.exe
2688	schtasks.exe
2752	schtasks.exe
524	schtasks.exe
2032	schtasks.exe
3008	schtasks.exe
2948	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2228	DllCommonsvc.exe
2644	powershell.exe
1496	powershell.exe
1460	powershell.exe
2972	powershell.exe
560	dllhost.exe
1724	dllhost.exe
2828	dllhost.exe
1808	dllhost.exe
2124	dllhost.exe
2492	dllhost.exe
2800	dllhost.exe
2132	dllhost.exe
2680	dllhost.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	DllCommonsvc.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	560	dllhost.exe
Token: SeDebugPrivilege	1724	dllhost.exe
Token: SeDebugPrivilege	2828	dllhost.exe
Token: SeDebugPrivilege	1808	dllhost.exe
Token: SeDebugPrivilege	2124	dllhost.exe
Token: SeDebugPrivilege	2492	dllhost.exe
Token: SeDebugPrivilege	2800	dllhost.exe
Token: SeDebugPrivilege	2132	dllhost.exe
Token: SeDebugPrivilege	2680	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2620	2200	JaffaCakes118_9652559514c9e69855f2ccbf7bd48185b0bd7e9d253b9b4b57393bc84567265e.exe	30
PID 2200 wrote to memory of 2620	2200	JaffaCakes118_9652559514c9e69855f2ccbf7bd48185b0bd7e9d253b9b4b57393bc84567265e.exe	30
PID 2200 wrote to memory of 2620	2200	JaffaCakes118_9652559514c9e69855f2ccbf7bd48185b0bd7e9d253b9b4b57393bc84567265e.exe	30
PID 2200 wrote to memory of 2620	2200	JaffaCakes118_9652559514c9e69855f2ccbf7bd48185b0bd7e9d253b9b4b57393bc84567265e.exe	30
PID 2620 wrote to memory of 2964	2620	WScript.exe	32
PID 2620 wrote to memory of 2964	2620	WScript.exe	32
PID 2620 wrote to memory of 2964	2620	WScript.exe	32
PID 2620 wrote to memory of 2964	2620	WScript.exe	32
PID 2964 wrote to memory of 2228	2964	cmd.exe	34
PID 2964 wrote to memory of 2228	2964	cmd.exe	34
PID 2964 wrote to memory of 2228	2964	cmd.exe	34
PID 2964 wrote to memory of 2228	2964	cmd.exe	34
PID 2228 wrote to memory of 2972	2228	DllCommonsvc.exe	45
PID 2228 wrote to memory of 2972	2228	DllCommonsvc.exe	45
PID 2228 wrote to memory of 2972	2228	DllCommonsvc.exe	45
PID 2228 wrote to memory of 1496	2228	DllCommonsvc.exe	46
PID 2228 wrote to memory of 1496	2228	DllCommonsvc.exe	46
PID 2228 wrote to memory of 1496	2228	DllCommonsvc.exe	46
PID 2228 wrote to memory of 1460	2228	DllCommonsvc.exe	47
PID 2228 wrote to memory of 1460	2228	DllCommonsvc.exe	47
PID 2228 wrote to memory of 1460	2228	DllCommonsvc.exe	47
PID 2228 wrote to memory of 2644	2228	DllCommonsvc.exe	48
PID 2228 wrote to memory of 2644	2228	DllCommonsvc.exe	48
PID 2228 wrote to memory of 2644	2228	DllCommonsvc.exe	48
PID 2228 wrote to memory of 1772	2228	DllCommonsvc.exe	53
PID 2228 wrote to memory of 1772	2228	DllCommonsvc.exe	53
PID 2228 wrote to memory of 1772	2228	DllCommonsvc.exe	53
PID 1772 wrote to memory of 2276	1772	cmd.exe	55
PID 1772 wrote to memory of 2276	1772	cmd.exe	55
PID 1772 wrote to memory of 2276	1772	cmd.exe	55
PID 1772 wrote to memory of 560	1772	cmd.exe	56
PID 1772 wrote to memory of 560	1772	cmd.exe	56
PID 1772 wrote to memory of 560	1772	cmd.exe	56
PID 560 wrote to memory of 2160	560	dllhost.exe	57
PID 560 wrote to memory of 2160	560	dllhost.exe	57
PID 560 wrote to memory of 2160	560	dllhost.exe	57
PID 2160 wrote to memory of 288	2160	cmd.exe	59
PID 2160 wrote to memory of 288	2160	cmd.exe	59
PID 2160 wrote to memory of 288	2160	cmd.exe	59
PID 2160 wrote to memory of 1724	2160	cmd.exe	60
PID 2160 wrote to memory of 1724	2160	cmd.exe	60
PID 2160 wrote to memory of 1724	2160	cmd.exe	60
PID 1724 wrote to memory of 2696	1724	dllhost.exe	61
PID 1724 wrote to memory of 2696	1724	dllhost.exe	61
PID 1724 wrote to memory of 2696	1724	dllhost.exe	61
PID 2696 wrote to memory of 2660	2696	cmd.exe	63
PID 2696 wrote to memory of 2660	2696	cmd.exe	63
PID 2696 wrote to memory of 2660	2696	cmd.exe	63
PID 2696 wrote to memory of 2828	2696	cmd.exe	64
PID 2696 wrote to memory of 2828	2696	cmd.exe	64
PID 2696 wrote to memory of 2828	2696	cmd.exe	64
PID 2828 wrote to memory of 2340	2828	dllhost.exe	65
PID 2828 wrote to memory of 2340	2828	dllhost.exe	65
PID 2828 wrote to memory of 2340	2828	dllhost.exe	65
PID 2340 wrote to memory of 2464	2340	cmd.exe	67
PID 2340 wrote to memory of 2464	2340	cmd.exe	67
PID 2340 wrote to memory of 2464	2340	cmd.exe	67
PID 2340 wrote to memory of 1808	2340	cmd.exe	68
PID 2340 wrote to memory of 1808	2340	cmd.exe	68
PID 2340 wrote to memory of 1808	2340	cmd.exe	68
PID 1808 wrote to memory of 2400	1808	dllhost.exe	69
PID 1808 wrote to memory of 2400	1808	dllhost.exe	69
PID 1808 wrote to memory of 2400	1808	dllhost.exe	69
PID 2400 wrote to memory of 1284	2400	cmd.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9652559514c9e69855f2ccbf7bd48185b0bd7e9d253b9b4b57393bc84567265e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9652559514c9e69855f2ccbf7bd48185b0bd7e9d253b9b4b57393bc84567265e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6wfCw4TUb1.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1772
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2276
      - C:\Windows\LiveKernelReports\dllhost.exe
        
        "C:\Windows\LiveKernelReports\dllhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L9j9zErPDE.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:288
        
        C:\Windows\LiveKernelReports\dllhost.exe
        
        "C:\Windows\LiveKernelReports\dllhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2660
        
        C:\Windows\LiveKernelReports\dllhost.exe
        
        "C:\Windows\LiveKernelReports\dllhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PoOVO2yVWN.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2464
        
        C:\Windows\LiveKernelReports\dllhost.exe
        
        "C:\Windows\LiveKernelReports\dllhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mv5UKbIUPK.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1284
        
        C:\Windows\LiveKernelReports\dllhost.exe
        
        "C:\Windows\LiveKernelReports\dllhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat"
        15⤵
        
        PID:2204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2524
        
        C:\Windows\LiveKernelReports\dllhost.exe
        
        "C:\Windows\LiveKernelReports\dllhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat"
        17⤵
        
        PID:1924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1984
        
        C:\Windows\LiveKernelReports\dllhost.exe
        
        "C:\Windows\LiveKernelReports\dllhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat"
        19⤵
        
        PID:580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2248
        
        C:\Windows\LiveKernelReports\dllhost.exe
        
        "C:\Windows\LiveKernelReports\dllhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sodlpYYBfa.bat"
        21⤵
        
        PID:2488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:3000
        
        C:\Windows\LiveKernelReports\dllhost.exe
        
        "C:\Windows\LiveKernelReports\dllhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat"
        23⤵
        
        PID:2396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52c1ca59540a4815de88df7dd7d472ee

SHA1
63582b42c281ad1b0ba7c7c55b050a5844520a13

SHA256
2ae8aab9f8c1974f1e37ef5e267b647a1319fe035988cc781d77adc69745dae5

SHA512
bd43069eaa57aef7d5bd3130e799e008da303d92f9f76fb613996699289203b99482743e7913071b1b2404591b9b7d9a05e557093bf50efe803cb6e51fc71024

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db27daba5783f442081012c212d0f19c

SHA1
f6d9ab54f9f91be0d0dd4118c56acf9e2efa8cd6

SHA256
37dc6e6a4cb12c67f45c4eae32d50cfe303e7322da31121cd6565d5e2c3892d3

SHA512
f0163475dea4c15f598e946e0c9d258562c0d67255cb0b9fe7e1f20e1a9d454e437742fa94d9f7d1460a5087da12d6013fbbf065b968bd9c99ee7332b8d155a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ba97886eda6d5725318b89483211e99

SHA1
6a1b73db30e32888b8c5862b36b584a88441577b

SHA256
9c7ddb67c9b32ea26a088d563a02dbd479455608710e135c76d21aefccc5e5cf

SHA512
009c740987a424bc530f107e95df48e79b5f6063e062124faddab25e37f702bd13a42d5acd391627ee405465de554ea8ab39c4b4f5beece6ac0d14362ed211be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2101d734b676c6c3a2a6bcaabe259ecf

SHA1
2466147d64d947d6505678f5b024cd8a144969fc

SHA256
c87892c2557d9d58f777e750413b5fbc03753397f5952494511af379af38965f

SHA512
55d4660cdbec962710173faf2c74b08af9b8d31335f883a079488543fb4fbe25f4309c1809552fc502a60729e423275ebd32acf7e3bc637f1d1e80a0dfe523c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bbf30714472258536ac51f5d578941b4

SHA1
4229ffd18e1d186b0818148adf5d8d9682a0ec26

SHA256
409b699c78381e23e5b096337c9e6fb6a744b2e2eccbb49f849980c603f10a6e

SHA512
99421f522d0e95ebc51caf112e69a0d575a621d8fc4e80a29a7f7ddc289c8ee73b55212c2a47755b4b78b48245d113cd9c55228c1d4fadd58a7f44d50354d81b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fcc2f072031a90a1759a1e143922d14

SHA1
a93cb7eb5a2af2461108f0c5338fcb5f1b963f48

SHA256
a2f6612cb5813ba35e4de6cadd344757225c0cba2ddd1085b12eced85ac906bb

SHA512
f3c8ef0c3ced63b26b55d909d8652c0e094ffe7a74e4eb98f19f93bb43d678c77695083cfc6e7138bd287e1c34e4c420366b9cf6d8d67da03b8224ccf102c6f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d772dbfb4974fa436ad36eecc642af4

SHA1
de783e52b1a2b40e0eff72a04cb935f966c0922e

SHA256
135ce31ca34674c4fc0015de36e1560afc980a9c3850a785481bc7b3527bb0c8

SHA512
59305bd4dbfe9d8cfb5d1dbebc746f2ded61803b8d08ec69915b43235b4d24152ab88d2bf31608020525dcde56e986d8ed6f18badfff269a19eb4b28284ec129

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57d3f48277ceaacf546dd8526344574a

SHA1
1dbb3792ce1a0309179138461d956473948b16cf

SHA256
499ba2210629ee8ffb7304988b639b7b020f2e49d829badb393153245f1a8f2d

SHA512
aee897fef08d901c4bfc9caf0258e6341844271d9ed77e5b110386a1a240dc0b2de26ff652ef39696f13877b0252ef315774569031190f346ad75773f14d5543

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat

Filesize
205B

MD5
4bc9e63b4e83cd1e039def2460a3ec3a

SHA1
fdb2c70caeac1c88ac9dcaa095174ef54171b03d

SHA256
ac2fff368482d1953171eeed131e72f4998a0b308764ec7fa658a4bd42a56a87

SHA512
dba07631e4e6de9d4ba3e87e44aefa1cff33738bfa1cca4090849b829dfc9a20ea6a83b5c4d92a2e67778a3eabaf7618b53d8bf4ee0c4a4f11e22ef5781201ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\6wfCw4TUb1.bat

Filesize
205B

MD5
f38df8308947d7fb058376ffe6cbd20f

SHA1
25b53a187861b1d275d41d7af7ba0288b7594aa1

SHA256
ca9d43352c51994ce3c90aa1db0d698702540af68bdd05476c95a482318e7826

SHA512
402fa4410197879d85592cd30c0115abcdcac7072636150735f155a613d0ae27352f14d73191106622873b46d4b4bfc3eb38152dbd7bac6214da4561a1525daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat

Filesize
205B

MD5
a6b914773c37d2c2f625e5a5d16b4154

SHA1
09e20779782cafa5ce358fd25aea3af95615d3bd

SHA256
7520755dc5c5bcdb0b51ae5063081a83e4da9b812154b5fa79b59f98d39de7e1

SHA512
9b48af56b67f3b810ddf1c3601865f00df2854e2e5d6e01bac2d3ea1c5eb834ac88c011f2e54c8a618a8607c0fabcd5dc05bbcb28706f1adf0c637f64234ff03

Download Submit
C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat

Filesize
205B

MD5
ed62e0505fbf936193a4bba5d8debede

SHA1
82d7ef2a33b860dc12db82bd4dc04accf224e2a2

SHA256
e879c95f4f509b891af5eff50a5d3d0c172fb5acfe1b0c26dba6f82ba049fab1

SHA512
3aa2dd18932b34b03614b628cec1344a3c40235dc4843e6359bd65bfb0382343b9df87f9ea0fa1c051fcfd068a0deb21c10d42680558b9c1718a2ac97a7bab81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab30E2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat

Filesize
205B

MD5
b76198a37ca04203153f94d77df8abdf

SHA1
9b5286b8ca02044fb54a3e6dd9cd397968995b04

SHA256
ef932e1da09f71d60b62ef9557f1c62d80593fcbeed9e634ff9271ee736c3710

SHA512
52e4afd3082bf448dc626477d34882e84c1fe3304686243fc2f5ea34015b112cd4a10598250de56debcfd2b32344c49bada1418c3a4dd5068e16fbdab54518a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\L9j9zErPDE.bat

Filesize
205B

MD5
7eab6f49ca772206fafa6934d513f26a

SHA1
0439a308264be0bdaf1acf55db2074133dac0b75

SHA256
8f604c595608c2e67392cab7a869931b68fddb9a808169822ed7f530a89277d5

SHA512
4bfe960837789839a9a5c7d6ec07b1a9a1d3a66d666cce67b744302a965747f652425d1ec83b6c2bd64501ef6b1494dcc3d836df102021b77cb1d1d195f1b78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat

Filesize
205B

MD5
45bbf2f2e02f846357c49d3399ef51b9

SHA1
10b9f58187859fdccd0ed90787e45f90f047be50

SHA256
faae2d3683519ddcd2e45a3b078008dc072fe5419d6111487ad0ee9fdbd52327

SHA512
b16a6743b017bb26ec90317fc84604b115438ff6e27736fb5644f553a62c597f0d97263c84fd3551d2230eab2a0ff8019f4dd577e04f115cfb1db3233eb19a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PoOVO2yVWN.bat

Filesize
205B

MD5
bccbad0072bd15d2347a5013db9fc159

SHA1
682c65a3310ef43e0304d4e003c4e5765f307aa4

SHA256
72ba3a8cc05149c8612b232adb3848b07f079bfb84a008ac18a878e1eefd1683

SHA512
7d9371e522a67bb0084dc4ef58d34518610f556fb40e598b1b73d773346c3badaa18b9091d899b6ec37aec997c36e07efb730bd14a2c351c0dae0efbb19d214a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3143.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mv5UKbIUPK.bat

Filesize
205B

MD5
199f495cc1193ce69b4113a6ae60230c

SHA1
aa290551dfee5f8298dc610f8599bd634ddbe7d3

SHA256
aa9ae89d8b5657a6703cc82efbd74396fefba5f9eac19242badbac72fb501002

SHA512
8500a47be792d6673ae841e9d6feaac9c91613b393d64550dfdb9064c97c70dba063052778ab25fd08eadcef9b81fd848879b109d34a24f4a5002220cda1ad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\sodlpYYBfa.bat

Filesize
205B

MD5
a0644f198ea940da13cc58ea233139e9

SHA1
85d2da8c705bc8aa1c90562d3df7b6f76a337977

SHA256
c2929f208e1f59a5670f301d7fdfc1cebd0daef892fd2cb8dd2a9a99388c7310

SHA512
25a8aea3afd7920ba8f4d18594ef4926292338558badbc0169d4666ae3caadbcbb629ceeb7de544e7178ddd5d617ef3b65636256ceb44fffb4f45c6d67ece654

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NB7YNKH2ZI6CIYZ42A97.temp

Filesize
7KB

MD5
cf48b71b86b4707d837822dd4fbfddec

SHA1
c6530d0c687caa01ccde348e3904823909d157ba

SHA256
561cedf0bc66c5fa11446f0f4c011e800d351001cb28d73dd6663ad3df7c3894

SHA512
26da74f8e79a6e18a9cec49847477e20fc20b90582cdb9aee8c98c62de3ac6786e8350017073017537c57ccc13776d7aa2426a8a34f4dfea2a835286f27bcd5a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/560-52-0x0000000000DD0000-0x0000000000EE0000-memory.dmp

Filesize
1.1MB

Download
memory/1496-49-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/2228-17-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/2228-16-0x000000001AB40000-0x000000001AB4C000-memory.dmp

Filesize
48KB

Download
memory/2228-15-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2228-14-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/2228-13-0x0000000000AB0000-0x0000000000BC0000-memory.dmp

Filesize
1.1MB

Download
memory/2492-348-0x00000000003F0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download
memory/2644-48-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

Filesize
2.9MB

Download
memory/2800-408-0x0000000000F40000-0x0000000001050000-memory.dmp

Filesize
1.1MB

Download
memory/2828-170-0x0000000000800000-0x0000000000812000-memory.dmp

Filesize
72KB

Download