dcrat | 168b52f29e4901a96fba2542289bca7561d9a46e46f97b3b17437489bf5accce

Analysis

max time kernel
139s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_168b52f29e4901a96fba2542289bca7561d9a46e46f97b3b17437489bf5accce.exe
Size

1.3MB
MD5

583151b2a3b04f60fec79c98215dfafc
SHA1

54a8397851774c36c6e2af1cf84fc0a27ed76967
SHA256

168b52f29e4901a96fba2542289bca7561d9a46e46f97b3b17437489bf5accce
SHA512

913b552c0c5c1bf6aceec5f5c63689dd3b530880dbd4e38f9c2c86b77f5a2ad7fcbcc30307c15108c3beb669d8ec3f9b9f704e359fc8de3a15563c8779a987ae
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	2580	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000017079-9.dat	dcrat
behavioral1/memory/2744-13-0x0000000000BB0000-0x0000000000CC0000-memory.dmp	dcrat
behavioral1/memory/1240-30-0x0000000000F60000-0x0000000001070000-memory.dmp	dcrat
behavioral1/memory/276-169-0x0000000000FD0000-0x00000000010E0000-memory.dmp	dcrat
behavioral1/memory/1156-229-0x0000000000FF0000-0x0000000001100000-memory.dmp	dcrat
behavioral1/memory/2424-289-0x00000000003C0000-0x00000000004D0000-memory.dmp	dcrat
behavioral1/memory/2348-349-0x0000000000EA0000-0x0000000000FB0000-memory.dmp	dcrat
behavioral1/memory/1776-468-0x00000000003D0000-0x00000000004E0000-memory.dmp	dcrat
behavioral1/memory/2164-529-0x00000000012D0000-0x00000000013E0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2060	powershell.exe
1764	powershell.exe
1744	powershell.exe
2292	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2744	DllCommonsvc.exe
1240	lsm.exe
2264	lsm.exe
276	lsm.exe
1156	lsm.exe
2424	lsm.exe
2348	lsm.exe
2732	lsm.exe
1776	lsm.exe
2164	lsm.exe
2760	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
2684	cmd.exe
2684	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
12	raw.githubusercontent.com
23	raw.githubusercontent.com
34	raw.githubusercontent.com
37	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_168b52f29e4901a96fba2542289bca7561d9a46e46f97b3b17437489bf5accce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3008	schtasks.exe
1152	schtasks.exe
2876	schtasks.exe
308	schtasks.exe
2196	schtasks.exe
3024	schtasks.exe
3012	schtasks.exe
2276	schtasks.exe
2360	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2744	DllCommonsvc.exe
2292	powershell.exe
2060	powershell.exe
1764	powershell.exe
1744	powershell.exe
1240	lsm.exe
2264	lsm.exe
276	lsm.exe
1156	lsm.exe
2424	lsm.exe
2348	lsm.exe
2732	lsm.exe
1776	lsm.exe
2164	lsm.exe
2760	lsm.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	DllCommonsvc.exe
Token: SeDebugPrivilege	1240	lsm.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	2264	lsm.exe
Token: SeDebugPrivilege	276	lsm.exe
Token: SeDebugPrivilege	1156	lsm.exe
Token: SeDebugPrivilege	2424	lsm.exe
Token: SeDebugPrivilege	2348	lsm.exe
Token: SeDebugPrivilege	2732	lsm.exe
Token: SeDebugPrivilege	1776	lsm.exe
Token: SeDebugPrivilege	2164	lsm.exe
Token: SeDebugPrivilege	2760	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2804	2228	JaffaCakes118_168b52f29e4901a96fba2542289bca7561d9a46e46f97b3b17437489bf5accce.exe	30
PID 2228 wrote to memory of 2804	2228	JaffaCakes118_168b52f29e4901a96fba2542289bca7561d9a46e46f97b3b17437489bf5accce.exe	30
PID 2228 wrote to memory of 2804	2228	JaffaCakes118_168b52f29e4901a96fba2542289bca7561d9a46e46f97b3b17437489bf5accce.exe	30
PID 2228 wrote to memory of 2804	2228	JaffaCakes118_168b52f29e4901a96fba2542289bca7561d9a46e46f97b3b17437489bf5accce.exe	30
PID 2804 wrote to memory of 2684	2804	WScript.exe	31
PID 2804 wrote to memory of 2684	2804	WScript.exe	31
PID 2804 wrote to memory of 2684	2804	WScript.exe	31
PID 2804 wrote to memory of 2684	2804	WScript.exe	31
PID 2684 wrote to memory of 2744	2684	cmd.exe	33
PID 2684 wrote to memory of 2744	2684	cmd.exe	33
PID 2684 wrote to memory of 2744	2684	cmd.exe	33
PID 2684 wrote to memory of 2744	2684	cmd.exe	33
PID 2744 wrote to memory of 2060	2744	DllCommonsvc.exe	44
PID 2744 wrote to memory of 2060	2744	DllCommonsvc.exe	44
PID 2744 wrote to memory of 2060	2744	DllCommonsvc.exe	44
PID 2744 wrote to memory of 1764	2744	DllCommonsvc.exe	45
PID 2744 wrote to memory of 1764	2744	DllCommonsvc.exe	45
PID 2744 wrote to memory of 1764	2744	DllCommonsvc.exe	45
PID 2744 wrote to memory of 1744	2744	DllCommonsvc.exe	46
PID 2744 wrote to memory of 1744	2744	DllCommonsvc.exe	46
PID 2744 wrote to memory of 1744	2744	DllCommonsvc.exe	46
PID 2744 wrote to memory of 2292	2744	DllCommonsvc.exe	47
PID 2744 wrote to memory of 2292	2744	DllCommonsvc.exe	47
PID 2744 wrote to memory of 2292	2744	DllCommonsvc.exe	47
PID 2744 wrote to memory of 1240	2744	DllCommonsvc.exe	52
PID 2744 wrote to memory of 1240	2744	DllCommonsvc.exe	52
PID 2744 wrote to memory of 1240	2744	DllCommonsvc.exe	52
PID 1240 wrote to memory of 2300	1240	lsm.exe	53
PID 1240 wrote to memory of 2300	1240	lsm.exe	53
PID 1240 wrote to memory of 2300	1240	lsm.exe	53
PID 2300 wrote to memory of 664	2300	cmd.exe	55
PID 2300 wrote to memory of 664	2300	cmd.exe	55
PID 2300 wrote to memory of 664	2300	cmd.exe	55
PID 2300 wrote to memory of 2264	2300	cmd.exe	56
PID 2300 wrote to memory of 2264	2300	cmd.exe	56
PID 2300 wrote to memory of 2264	2300	cmd.exe	56
PID 2264 wrote to memory of 2384	2264	lsm.exe	57
PID 2264 wrote to memory of 2384	2264	lsm.exe	57
PID 2264 wrote to memory of 2384	2264	lsm.exe	57
PID 2384 wrote to memory of 2560	2384	cmd.exe	59
PID 2384 wrote to memory of 2560	2384	cmd.exe	59
PID 2384 wrote to memory of 2560	2384	cmd.exe	59
PID 2384 wrote to memory of 276	2384	cmd.exe	60
PID 2384 wrote to memory of 276	2384	cmd.exe	60
PID 2384 wrote to memory of 276	2384	cmd.exe	60
PID 276 wrote to memory of 308	276	lsm.exe	61
PID 276 wrote to memory of 308	276	lsm.exe	61
PID 276 wrote to memory of 308	276	lsm.exe	61
PID 308 wrote to memory of 540	308	cmd.exe	63
PID 308 wrote to memory of 540	308	cmd.exe	63
PID 308 wrote to memory of 540	308	cmd.exe	63
PID 308 wrote to memory of 1156	308	cmd.exe	64
PID 308 wrote to memory of 1156	308	cmd.exe	64
PID 308 wrote to memory of 1156	308	cmd.exe	64
PID 1156 wrote to memory of 1756	1156	lsm.exe	65
PID 1156 wrote to memory of 1756	1156	lsm.exe	65
PID 1156 wrote to memory of 1756	1156	lsm.exe	65
PID 1756 wrote to memory of 2484	1756	cmd.exe	67
PID 1756 wrote to memory of 2484	1756	cmd.exe	67
PID 1756 wrote to memory of 2484	1756	cmd.exe	67
PID 1756 wrote to memory of 2424	1756	cmd.exe	68
PID 1756 wrote to memory of 2424	1756	cmd.exe	68
PID 1756 wrote to memory of 2424	1756	cmd.exe	68
PID 2424 wrote to memory of 2792	2424	lsm.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_168b52f29e4901a96fba2542289bca7561d9a46e46f97b3b17437489bf5accce.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_168b52f29e4901a96fba2542289bca7561d9a46e46f97b3b17437489bf5accce.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
    - - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1240
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:664
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2560
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:540
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r40S8pVzgD.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2484
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat"
        14⤵
        
        PID:2792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2780
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat"
        16⤵
        
        PID:2184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2492
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pFKIY4EPZg.bat"
        18⤵
        
        PID:2528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:640
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat"
        20⤵
        
        PID:1584
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2812
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Cu9aubHCzw.bat"
        22⤵
        
        PID:888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2136
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bdcddefff30f2a7afdbc05cdf2fd73d9

SHA1
24a2e1c69166937f4415c623a915e3cd26404ae6

SHA256
3e987c80b6448bf9a68ad91b8088f31831fdb4e0422efa471b5ad421f0c86e11

SHA512
827a85480c23b3f2261b2c8d45e3b11b818a26d63d3e42da8dd7cb74d3bb460a731095814ada683852217e339233c60f54f781b322ca1ef419def0d16d353647

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ecd98300b3da8e3df66791d38e66854

SHA1
487b257b561ab0ee33bd75484ebe27bbe6e750b0

SHA256
0303ac452ac420e34add8dc29703ec9f74f0b1bcdd83224cfd06d9656263587d

SHA512
66cb0228961fa60d74bf81cd3b8d6ac79bad613531b7afca2d538906f7081a6fd0100ccd95c6329a586ef125e00c38a2f80345a5dcc824b8fb37bea908bddfa1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f782c68e226596b87daaf2865a0da1e

SHA1
a5d87b3b348290a645d97e11b82633c9829f40ec

SHA256
1ea609ab33d9d2f1e54a1bbb641601e543849d8395ff92c7897ae1a5cfcecaf8

SHA512
1785d891e6c6e77e02bdfb758571418d16f1e48bfe8835bc3722668397fd5517b3ce99c663408115d4d53292856df7612c5b3e3313439021a70e982e5d15f711

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76fb85977b0dc13a91423e0f23d38a3b

SHA1
eaac648366623063d4c6274624e29ada38c97a68

SHA256
c6acc9f5fd8677cfd1e582a9ed76939daafac98433e5e2a14f036274fe20ad71

SHA512
8355c69a10e71b3cbc5815976c15080027b45df613d6150b97a29558e021b9c01487ddb3088a31adf822622b099c79a29e5e93d65d51ce7e8aacd4a9804e630d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2321fafbacb4f5d3b5177cbac45b3eb

SHA1
68278000916eb418f22b63bda74cec903f12038f

SHA256
219a7b961ff0ce5c600e7a2c4c1d5f1de12beb29aabe6a92b24e3ec2cb377a2e

SHA512
6ada3fd590372585767b128857e88944a4fcb6fe522dc00433c0bf3d97b1c98a670e399102426829b4cda8d4471ab52cb9e1b1d708f9e23aa2176a4b8a1b39de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa96a395481e7adb3f66f5f805a8aa74

SHA1
700cbce391d937372f733f1ea13274ffa6f7c407

SHA256
d77462774430fa92a052723c62a4f5be4e2792693f9593563be6009a0fce3616

SHA512
83efb85b02770554f5b5536eb3c3de734a0f155ecdb8803ac7149c8572aa180caf8756c5410dd59418ee2e3cba54ed7397550d2617bfe31c9910251b1ca0b28d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2816949c898a36ac8a36e62ab072b2c5

SHA1
8a9ba09a74fa7385a2af3228042a8127d167672d

SHA256
2f5d78fc448de14dd691fd5fc8efd26e666edc39531104e95f87cfe230ed0968

SHA512
e9b73e0a46a2b6e308de3e3d44bd2d427776685da9bb98c8124961f7f9fe058ce9d2728c6c38a4664e9c989cb35c82c8237e9cd5f9b1df6ce4d817132aea1176

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d65ef59d980b5586268240d60f2e0abf

SHA1
1625c872bd7501a65ffdec2d99a9df476f29184f

SHA256
e0cfb6619a7613bb0aef55f3689d7ec56d899540466c1f332435d4cc9bdfc7d6

SHA512
2bbc4ab296a87af13450ddf5e04939d9a161dd42c9c7e65a99f7dee456acbf36f804cf4bd8c1af21b79fb8e49f8d07e8ad80200a9e31ce4f8b609ca87dd912f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1b328f47c92b735f02c141c24f6a03b

SHA1
02d7aa70ba00a864463d9652f67630ac50d2aa34

SHA256
4ab97d3e68dd45b862317e32dafe1d156ebf12814596467526a65310a93847c7

SHA512
1bdd9d1b676bae190bd542b65ee39339896c26409a205f4d43da36cfb6ec60e1426c7a52c93350b4971e9292e6ddeb3c3373d315e4572517e87cbe33a5e97a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2703.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cu9aubHCzw.bat

Filesize
235B

MD5
6debec1edaa6572c850f220f0096db76

SHA1
cde79ec35b446b1376106fbe5e631abd24ae9508

SHA256
e5ad4dd1ba6b628491c1446bfa0bfe68a01555153876bb58ed2a6a0a8aa7f6b0

SHA512
e2ad81837c6ee4a6b19b5bced6bfa56841d100e3e0ede0173fbbeb6a6a8640865bfbb072a9a352aff5c31953d633423297e947d0d4037dda0edee7144e83464d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat

Filesize
235B

MD5
cff1ce993815caf2947583e479e726de

SHA1
0e9ff01e971642b28090ffec4d00342ba60c7b51

SHA256
14a193b5fe0506f0218e9a6b0531371003e8de3c136c32599c684100c7e41938

SHA512
90187806cd30a8f42d537a0bbcf1812a7e38610388eef73ac6b83b3b2396116e0488e1831149f90d37d5a1cfe1afdb67d3547288e8d2bd90e4a795b93a9c64f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat

Filesize
235B

MD5
6edd2d3d34e363e922d0ac630d82e120

SHA1
b4b1704b1a1f858592830f03a720f8af16e4c119

SHA256
ce339d9ac6cffb44a592eb1d51e82c78750dcdf2d74c78cdc6f05c59382d3075

SHA512
4d46912b58c63247cc8d182764ec110df9ec77cc59338c489b7c719467dfebbfa65c9d2ef461f98b40a2b1344fffd5411d8964df1c67f4a9cd91f470e967839d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2735.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat

Filesize
235B

MD5
3ee918339da937a809915b457c238d24

SHA1
f13d25375a882e18dda7031ab49c9bc295dc626c

SHA256
f2f6f87baa253e128f2aee334fd8e850ddff8da916397f368c65802d91873a9d

SHA512
c0abc4e5ba5a7464aab98e725571b5527c66aab0c0f4c8a191d552392747fa1ff7a1942c4b20e712b410c444595f5753f1a68bda7cc189eadb5f450f07c5c0d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat

Filesize
235B

MD5
ba1fd891f7eb6a20b72ce12e430c5068

SHA1
8d04df1ee327ba7262b198af663c69d961bc127d

SHA256
59eadddc3c4caf6067389419eadfe886ff879f0582980f848e1b134da9b87db7

SHA512
db68cdea4b8d740ef43f0e95539a1de16c5f2a3b3f1f3e44a50fea7e098c92a6e0250342eafc1c32367dc20b15cbb5d2de3fb024d55908a4dfbee7398bfe4475

Download Submit
C:\Users\Admin\AppData\Local\Temp\pFKIY4EPZg.bat

Filesize
235B

MD5
68b18f353e4d370de0c9aa836b0fa894

SHA1
e668d7284008cfca29e2a817652c2ecf3de5534d

SHA256
26469cf83be97c785bb51f80f29c0bf946549cdbede8fee59ec6f1902d772e93

SHA512
98ed3693027cfbae7a8dc017be08a91fcc1879f83fff56ea0fd55fa818cf29a1e1e05db83d32edd579e6169b05159a99c648014afb67d024bfb9c28693d3afa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\r40S8pVzgD.bat

Filesize
235B

MD5
308bf30f2d09edb6d226ed322381731b

SHA1
d9c0b258ed8058dbec35357860fa866a7c6e268a

SHA256
3cfa7c136a80dcddc16fc34347bd8bf509185af26d1a203460054d8807aa0b6f

SHA512
2c6d50aaec3254ce9a53939ed5f756c3a2cb25c14d35c47e1d713ba28da557eb9a65b89f00678ad4c7ed231ea1989488c8a10ad703abbaae67db7a7d753d2138

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat

Filesize
235B

MD5
2ff5d102fb62a43dcec15e854f699176

SHA1
49372f98c46388c9298215558bde1ff82d817cc8

SHA256
9511ea8f0f918b10d92356a2caf132bec49a68cfc9e4173af799b560bc752989

SHA512
12fc766d74a23a4fc06b008d0e7249f7f178613fe8a2b17598d9b3f3b8ca02123d6cca95a8dad4182d3ddec4d2bc8c5b79320d5de1e80e284020101af2a3ed0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat

Filesize
235B

MD5
e0bf130c676eb4d5797a8d84fcb9adf1

SHA1
9705abadb18aec2b011efecb224f6ae715536396

SHA256
885690eaf3bfd2d45c76ea1e5109e719f086be8c6938696c1f57f23c5c34581e

SHA512
4feef956fcce1976c86fbbbb8dc0bd026e3af6a255253e725026bd71a12aef7bb36f24d19ec2f83a729fd17d330cceabdd70d7884e4feb2d43c5709d0c0e3936

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c93deeaa72cf131afbe9dd829cc3745d

SHA1
6a573c7a0f7acce5f57df41e3a4dd38cbb3c6af1

SHA256
2b6b629161e1971586b19e6e092579a5c20424274d1a908939479b2995bdae99

SHA512
7619bef1c246289ce23d0006830fff6d662078051812b6e19a796b8814ecbb7606c32229ce28352705e1584ec81d8a979d1cab8933c384bd1f93edcc612772c4

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/276-169-0x0000000000FD0000-0x00000000010E0000-memory.dmp

Filesize
1.1MB

Download
memory/1156-229-0x0000000000FF0000-0x0000000001100000-memory.dmp

Filesize
1.1MB

Download
memory/1240-30-0x0000000000F60000-0x0000000001070000-memory.dmp

Filesize
1.1MB

Download
memory/1776-468-0x00000000003D0000-0x00000000004E0000-memory.dmp

Filesize
1.1MB

Download
memory/1776-469-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2164-530-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2164-529-0x00000000012D0000-0x00000000013E0000-memory.dmp

Filesize
1.1MB

Download
memory/2292-51-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/2292-50-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2348-349-0x0000000000EA0000-0x0000000000FB0000-memory.dmp

Filesize
1.1MB

Download
memory/2424-289-0x00000000003C0000-0x00000000004D0000-memory.dmp

Filesize
1.1MB

Download
memory/2744-17-0x00000000009B0000-0x00000000009BC000-memory.dmp

Filesize
48KB

Download
memory/2744-14-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/2744-13-0x0000000000BB0000-0x0000000000CC0000-memory.dmp

Filesize
1.1MB

Download
memory/2744-15-0x00000000009A0000-0x00000000009AC000-memory.dmp

Filesize
48KB

Download
memory/2744-16-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download