dcrat | bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069

Analysis

max time kernel
148s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069.exe
Size

1.3MB
MD5

eac7aabe3275c27dd1d139d9ee9bd879
SHA1

bc6f2466ca6c9d1b80a47d047f1bc881fe9553ca
SHA256

bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069
SHA512

0ec074e5d3d346bb7ace25c1370d1237521eff6d748ba11b8be8ac14abc123713a3bcf77f56dd38c72ed29150077ef355f096aca258ed4cad11a1f77c131192a
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2796	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016c89-9.dat	dcrat
behavioral1/memory/2812-13-0x0000000000A50000-0x0000000000B60000-memory.dmp	dcrat
behavioral1/memory/1684-47-0x0000000000840000-0x0000000000950000-memory.dmp	dcrat
behavioral1/memory/748-107-0x0000000000020000-0x0000000000130000-memory.dmp	dcrat
behavioral1/memory/1928-167-0x0000000000C30000-0x0000000000D40000-memory.dmp	dcrat
behavioral1/memory/1264-227-0x0000000000EC0000-0x0000000000FD0000-memory.dmp	dcrat
behavioral1/memory/2072-346-0x0000000001380000-0x0000000001490000-memory.dmp	dcrat
behavioral1/memory/2640-406-0x0000000000210000-0x0000000000320000-memory.dmp	dcrat
behavioral1/memory/1720-466-0x00000000012F0000-0x0000000001400000-memory.dmp	dcrat
behavioral1/memory/1324-585-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2472	powershell.exe
1832	powershell.exe
1304	powershell.exe
2432	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2812	DllCommonsvc.exe
1684	lsm.exe
748	lsm.exe
1928	lsm.exe
1264	lsm.exe
2136	lsm.exe
2072	lsm.exe
2640	lsm.exe
1720	lsm.exe
2404	lsm.exe
1324	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
2744	cmd.exe
2744	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
20	raw.githubusercontent.com
33	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2700	schtasks.exe
2828	schtasks.exe
2496	schtasks.exe
1680	schtasks.exe
2776	schtasks.exe
2660	schtasks.exe
1772	schtasks.exe
1972	schtasks.exe
892	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2812	DllCommonsvc.exe
2432	powershell.exe
1832	powershell.exe
1304	powershell.exe
2472	powershell.exe
1684	lsm.exe
748	lsm.exe
1928	lsm.exe
1264	lsm.exe
2136	lsm.exe
2072	lsm.exe
2640	lsm.exe
1720	lsm.exe
2404	lsm.exe
1324	lsm.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	DllCommonsvc.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	1684	lsm.exe
Token: SeDebugPrivilege	748	lsm.exe
Token: SeDebugPrivilege	1928	lsm.exe
Token: SeDebugPrivilege	1264	lsm.exe
Token: SeDebugPrivilege	2136	lsm.exe
Token: SeDebugPrivilege	2072	lsm.exe
Token: SeDebugPrivilege	2640	lsm.exe
Token: SeDebugPrivilege	1720	lsm.exe
Token: SeDebugPrivilege	2404	lsm.exe
Token: SeDebugPrivilege	1324	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2920	2504	JaffaCakes118_bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069.exe	30
PID 2504 wrote to memory of 2920	2504	JaffaCakes118_bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069.exe	30
PID 2504 wrote to memory of 2920	2504	JaffaCakes118_bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069.exe	30
PID 2504 wrote to memory of 2920	2504	JaffaCakes118_bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069.exe	30
PID 2920 wrote to memory of 2744	2920	WScript.exe	31
PID 2920 wrote to memory of 2744	2920	WScript.exe	31
PID 2920 wrote to memory of 2744	2920	WScript.exe	31
PID 2920 wrote to memory of 2744	2920	WScript.exe	31
PID 2744 wrote to memory of 2812	2744	cmd.exe	33
PID 2744 wrote to memory of 2812	2744	cmd.exe	33
PID 2744 wrote to memory of 2812	2744	cmd.exe	33
PID 2744 wrote to memory of 2812	2744	cmd.exe	33
PID 2812 wrote to memory of 2472	2812	DllCommonsvc.exe	44
PID 2812 wrote to memory of 2472	2812	DllCommonsvc.exe	44
PID 2812 wrote to memory of 2472	2812	DllCommonsvc.exe	44
PID 2812 wrote to memory of 1832	2812	DllCommonsvc.exe	45
PID 2812 wrote to memory of 1832	2812	DllCommonsvc.exe	45
PID 2812 wrote to memory of 1832	2812	DllCommonsvc.exe	45
PID 2812 wrote to memory of 2432	2812	DllCommonsvc.exe	46
PID 2812 wrote to memory of 2432	2812	DllCommonsvc.exe	46
PID 2812 wrote to memory of 2432	2812	DllCommonsvc.exe	46
PID 2812 wrote to memory of 1304	2812	DllCommonsvc.exe	47
PID 2812 wrote to memory of 1304	2812	DllCommonsvc.exe	47
PID 2812 wrote to memory of 1304	2812	DllCommonsvc.exe	47
PID 2812 wrote to memory of 1684	2812	DllCommonsvc.exe	52
PID 2812 wrote to memory of 1684	2812	DllCommonsvc.exe	52
PID 2812 wrote to memory of 1684	2812	DllCommonsvc.exe	52
PID 1684 wrote to memory of 2568	1684	lsm.exe	54
PID 1684 wrote to memory of 2568	1684	lsm.exe	54
PID 1684 wrote to memory of 2568	1684	lsm.exe	54
PID 2568 wrote to memory of 1244	2568	cmd.exe	56
PID 2568 wrote to memory of 1244	2568	cmd.exe	56
PID 2568 wrote to memory of 1244	2568	cmd.exe	56
PID 2568 wrote to memory of 748	2568	cmd.exe	57
PID 2568 wrote to memory of 748	2568	cmd.exe	57
PID 2568 wrote to memory of 748	2568	cmd.exe	57
PID 748 wrote to memory of 3060	748	lsm.exe	58
PID 748 wrote to memory of 3060	748	lsm.exe	58
PID 748 wrote to memory of 3060	748	lsm.exe	58
PID 3060 wrote to memory of 2656	3060	cmd.exe	60
PID 3060 wrote to memory of 2656	3060	cmd.exe	60
PID 3060 wrote to memory of 2656	3060	cmd.exe	60
PID 3060 wrote to memory of 1928	3060	cmd.exe	61
PID 3060 wrote to memory of 1928	3060	cmd.exe	61
PID 3060 wrote to memory of 1928	3060	cmd.exe	61
PID 1928 wrote to memory of 1512	1928	lsm.exe	62
PID 1928 wrote to memory of 1512	1928	lsm.exe	62
PID 1928 wrote to memory of 1512	1928	lsm.exe	62
PID 1512 wrote to memory of 1604	1512	cmd.exe	64
PID 1512 wrote to memory of 1604	1512	cmd.exe	64
PID 1512 wrote to memory of 1604	1512	cmd.exe	64
PID 1512 wrote to memory of 1264	1512	cmd.exe	65
PID 1512 wrote to memory of 1264	1512	cmd.exe	65
PID 1512 wrote to memory of 1264	1512	cmd.exe	65
PID 1264 wrote to memory of 440	1264	lsm.exe	66
PID 1264 wrote to memory of 440	1264	lsm.exe	66
PID 1264 wrote to memory of 440	1264	lsm.exe	66
PID 440 wrote to memory of 2132	440	cmd.exe	68
PID 440 wrote to memory of 2132	440	cmd.exe	68
PID 440 wrote to memory of 2132	440	cmd.exe	68
PID 440 wrote to memory of 2136	440	cmd.exe	69
PID 440 wrote to memory of 2136	440	cmd.exe	69
PID 440 wrote to memory of 2136	440	cmd.exe	69
PID 2136 wrote to memory of 2612	2136	lsm.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
    - - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1684
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iPSx7mMsuZ.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1244
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2656
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1bQudXBuXp.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1604
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qpvm5o68kg.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2132
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHuJ4aKJis.bat"
        14⤵
        
        PID:2612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2528
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yKdveU0JJ.bat"
        16⤵
        
        PID:1036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1240
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat"
        18⤵
        
        PID:1540
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1692
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lZfwAG7KGX.bat"
        20⤵
        
        PID:2684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2388
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vIn8vbLsXf.bat"
        22⤵
        
        PID:2736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2224
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3699d8be7181a47f38614d11ec0eb754

SHA1
080e75b00c7bb7fd5070e136aec87cecccd854a5

SHA256
561fc94862681e6be86e0132fdc8c469ea6db33b2413e3831b63007837a041be

SHA512
8c4c651f24093b32bdebec40c9fdb04196b8380cf7597873f7a948f3add79bb327d7771137592cbb643d21136b9181848baeb02a2a880d07c19e7191558dc498

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2027fe8a7342e0494b60e326f90f0767

SHA1
0d7a2f68a9cbe7c09b2b83672ca65f11ff95b836

SHA256
fcfae936e4d1e528959202652c9e855e5e45921cdbd286856c0f5db9d5bca588

SHA512
3ef04d37e2eee6b8f9b9517940d557853a23bc886d5e6041fa13cb6febb7908cd068e8483b469025220d69991f7cb344caead62160341316be23011a67b8f990

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c01a00f4d464f1969e8cdb29ae72f2a5

SHA1
618d0bba608bc9e2b91dd0e489d865b3c6c3a18a

SHA256
763e93d98e987bbec1d65d0f746b32e80259c7fccd95066afbaf52d8cda6f96d

SHA512
333ce9a16289994067f2d9675dd2da6b2da844e1c78f1380728aabdd703dba4cbd7b59d8a4b3da93f6ee9ed70396b84bdfdc37ac6e83f71e032af4be935f74f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
705f6d2916f1fe84842ed21b5d2268e9

SHA1
9f9a47516cc8329226c760677f330bfea2bdb4e2

SHA256
7a77703b5a0c16dc3e58fc99db730210c1f47cbad2db83a81a5d460d4d40f442

SHA512
9b227cc164e0fc1d8b3f2a412d75ab1a5d911c9a01a3fe4f2395f2fda544249ac52b91870a076e06718d75f5f6d4fb7cdc8fc35dcb73dd51b02eef4a50835dad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2db61d0110875c4fc839523e8efc87d

SHA1
7aa38bd4d3239fa0a936c66974c9d19470c9e931

SHA256
fcd79f15425dd6ef9a52f1c100b19996be90e0c89d0e8b9701d544ce34d6d4a8

SHA512
d0f8d34a5c8d996c18a447f2fd90c7d884a7a14e221aac244d0982f26cfea242bb424317a314b8ebda85fafa194852d044f52a295aa947ac80240e74aeaf6570

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
30a3ca7ddde96439fae3bba0743988dc

SHA1
14a5719f2bdfd99f239922376967da05a701c492

SHA256
84e4e654230a4a4ce0b983657e151808ef3499a0e142eeb114dd0f6a4b04f794

SHA512
a40ae04342ee50461e8655d3d86182ecfd6048c21951af1ff1b5cc18b0ded58c977aa4de08cef950dd07f9de1e8dc67787163f147ec1870373ea1968a7e2bec4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32f24adac84618c3d1556c3dead507ff

SHA1
d66ae9b9a76720d79ec9fcf3e38100ade97aa108

SHA256
df7064ef0a2fa9ee79fbb2b36f8bf512f651797a2987d0b002d2335777f09832

SHA512
cd530406952df8db08a989e3b08ce0d54c127dd840bf613c68d372e345980a873bcd008bb050704240a9a7aebc371f338210958203e69f42534cd4aee852b89c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a34c3f7d360d4eff2108bd687c368253

SHA1
9f6555580a590005414cf62a0e11b8fb2eaf31bb

SHA256
8685054f1eed0db2694c65987eb4425d6410627b6db5147947bd259e8996d4b5

SHA512
a7b03d68b6229e10ceb72ac175df5a597e152deb76225d0ae3068e26ef7528c7499f103d38968275ce0a388dc12c76cf07b08ebc48b4114281c5226141479522

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bQudXBuXp.bat

Filesize
235B

MD5
572f5b34a6c93e02253262fb73922fc8

SHA1
afba3486d12a5f47e05c6ac1bb3a855b5fc20940

SHA256
847268b75d28235327e559c8f62510a42a3c5ed59766a9eaaea902c8e8813ab5

SHA512
51058d7cf8ddf137456059befbf2de0afba190b5a4d97a421e72e003eb7f5ddd6784d708af66ea613e456de9fc3dfeb4e5c5b01b6a94865672743a1dad4f635a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4yKdveU0JJ.bat

Filesize
235B

MD5
0b59c1c5bd33e784f783d5773ba27702

SHA1
8d96860e37eb1e2411520b822cafa39b4c8d53a4

SHA256
9ba6395eb3f1795193c9554671b3e1662db21cf599f4a0b403e2932d91780bf3

SHA512
249aa1cd2edfc2b1a6f1046f1fe94b6774930d0984a850fdcae070b7d0da5661dba9482f9c29d408e1e428771abc72cc20a2b53e02cd92acfae4f27b2b51263e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD5C8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD5DA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iPSx7mMsuZ.bat

Filesize
235B

MD5
f4d9d146d00ee0b7b9f7edf94a360f94

SHA1
2bb038637f8abca3714b9b0f335dbbbe84c5a8f5

SHA256
c4fe1772edeacf2f35809718e5d135d647a590d0cd66bc83aae51a7366ef2542

SHA512
4721f2f51d6f2c1598b7ca73366249ecb9e741cafbd5e9a121e939ab6ede2281f54c863f5f93e2065e6a89945dabf63e5192a4e871b3375c4772bdcd62ef007d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lHuJ4aKJis.bat

Filesize
235B

MD5
68c3534030657c0d2657ee02dec4c4c2

SHA1
f28925ce7ca4cb95fd8e6c2d32e65cd70eb7f34e

SHA256
0b01e20800d361111004e8e8cfe2347ccfe4ce81c25894d7558c2c291b143ae2

SHA512
e018cc5a8466cd1060f1ad8efce720ec2b549769badd8ab474ef3c6bd23e74f677d575f74f608932cb4825803898b3671fa3909716e1bbdb7b08d9e6573f1bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\lZfwAG7KGX.bat

Filesize
235B

MD5
3f3bc42b65c8faeaef7cb948162bca38

SHA1
5ef29fdc1c7959b97fb21931e6b495f4083c3314

SHA256
00bbff93de56eed7bbfac963590a8030f8f30949ab60ee3f2f071ab9546fef9f

SHA512
73ca7129624d8048893825e57fee6de8786762d9e87c94b586238e100cd5226987ea426f99996514e13056a2ce029d6527f9e162992ddafa3f6332f8c178fc6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpvm5o68kg.bat

Filesize
235B

MD5
9b5d44a6ceee15d8cc8d1945ca8ac665

SHA1
405c788290d430b4bfa802c3d94d27fde87419a9

SHA256
7c68f9f34014567c5e727601a2f62b41f9e5b9b5ed919ab9328f77561bf51efd

SHA512
a97c09d90860cdb2d70eccb30d3c01f923dc07f95ac806b007d4be8205f4e95b9b8f0bd4384fae541212a1b1f342bac0e8a1462b49dad6423e568aa8fa36b424

Download Submit
C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat

Filesize
235B

MD5
b7454b624236f630629bf7d9393c078d

SHA1
e406aa583e55e2430705a53a8dd2ef32f2cca6bc

SHA256
541a1fe81dd298e8706356cff7583553d44916709b2098cc5185b922008f9237

SHA512
6cd2075691fbf1ddc243aee9f75910f7643e272e7ceb43232c310334b7723931aa43d5d168dd5b2b37ae7f9c824600a3334b4d5b3f65552a0ddd2d123eb66b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIn8vbLsXf.bat

Filesize
235B

MD5
89c5f11e8e81ef9ab8890355a6ca5754

SHA1
92490ba4059d8be553a124362f83cf839a431bb9

SHA256
e907953ad6b0755bc808c601ef0d2e0a25e86d93f0f03bfdebe9597ecdd6a5d3

SHA512
823f3952f3116712720285fd3e847415288e064b037e388cb4928477f7b5b0a07936ea8a28e58d26e1bcf1029b7e269610421d003c15d881fec255df79b1a9d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat

Filesize
235B

MD5
92eab5453a989d6b591ec30baf35108c

SHA1
951279b50f32459231168d1b1710369f5e7d9685

SHA256
150bce0fe2e9d650f00dedb11069bb7902cbeff4eaeb38bd592036e21fedebcc

SHA512
528305d0c090f255359a2684a3699718ab2f96d63bdc0de96f55e62395963215d99621061a0008a2ed5289068698196ca861861febc994ac85a03ca1caf16f84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VLKUU8TDWMD3G5SG51D6.temp

Filesize
7KB

MD5
0def4346d31002f66ac454a7c4fed276

SHA1
23e46097267232db8563b1cbc87fcc1347e266c2

SHA256
385466dad603d9250f1c5227aea53c848e6b74cf03c37ac88cb27787656d8c0b

SHA512
120de62214689dcb255e53a72038266059edf227bdd55d67c1574b56fd42e12583b2a71730f04409af17d7eea751fe7d5b309fa3660d5a0d5e1f4abd979da70e

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/748-107-0x0000000000020000-0x0000000000130000-memory.dmp

Filesize
1.1MB

Download
memory/1264-227-0x0000000000EC0000-0x0000000000FD0000-memory.dmp

Filesize
1.1MB

Download
memory/1324-585-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/1684-47-0x0000000000840000-0x0000000000950000-memory.dmp

Filesize
1.1MB

Download
memory/1720-466-0x00000000012F0000-0x0000000001400000-memory.dmp

Filesize
1.1MB

Download
memory/1928-167-0x0000000000C30000-0x0000000000D40000-memory.dmp

Filesize
1.1MB

Download
memory/2072-346-0x0000000001380000-0x0000000001490000-memory.dmp

Filesize
1.1MB

Download
memory/2432-48-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/2432-41-0x000000001B8C0000-0x000000001BBA2000-memory.dmp

Filesize
2.9MB

Download
memory/2640-406-0x0000000000210000-0x0000000000320000-memory.dmp

Filesize
1.1MB

Download
memory/2812-17-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download
memory/2812-16-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/2812-15-0x0000000000430000-0x000000000043C000-memory.dmp

Filesize
48KB

Download
memory/2812-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2812-13-0x0000000000A50000-0x0000000000B60000-memory.dmp

Filesize
1.1MB

Download