dcrat | 85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWJ3rhzJmNpT0H.exe
Size

1.7MB
MD5

f110d8cce9bfb48c7360203fa38d21c7
SHA1

b25dc35fe3741b5c6cf8286d65067920fb89823b
SHA256

85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87
SHA512

506cd39bc1cbcc9550cc726bc237a25c463512eec8c59f3b5990f207694f17dabd84e650676377c0b456f85ea61064fc0c55029390e82e0fece594982a223ad0
SSDEEP

24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:NgwuuEpdDLNwVMeXDL0fdSzAG

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2680	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2680	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2680	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2680	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2680	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2680	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2680	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	2680	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2680	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2680	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2680	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2680	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2680	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2680	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2680	schtasks.exe	28

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2276-0-0x00000000009B0000-0x0000000000B66000-memory.dmp	dcrat
behavioral1/files/0x0006000000018aed-28.dat	dcrat
behavioral1/files/0x0005000000019371-43.dat	dcrat
behavioral1/files/0x0007000000019396-69.dat	dcrat
behavioral1/files/0x0009000000015d8e-81.dat	dcrat
behavioral1/files/0x0009000000015e09-92.dat	dcrat
behavioral1/memory/1956-193-0x00000000010F0000-0x00000000012A6000-memory.dmp	dcrat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	XWJ3rhzJmNpT0H.exe

Executes dropped EXE 2 IoCs

pid	Process
1956	taskhost.exe
2712	taskhost.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe	XWJ3rhzJmNpT0H.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe	XWJ3rhzJmNpT0H.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\886983d96e3d3e	XWJ3rhzJmNpT0H.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXA177.tmp	XWJ3rhzJmNpT0H.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXA1F5.tmp	XWJ3rhzJmNpT0H.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SoftwareDistribution\DataStore\Logs\dllhost.exe	XWJ3rhzJmNpT0H.exe
File created	C:\Windows\SoftwareDistribution\DataStore\Logs\5940a34987c991	XWJ3rhzJmNpT0H.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\RCX9C74.tmp	XWJ3rhzJmNpT0H.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\RCX9CE2.tmp	XWJ3rhzJmNpT0H.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\dllhost.exe	XWJ3rhzJmNpT0H.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2876	schtasks.exe
2592	schtasks.exe
784	schtasks.exe
2736	schtasks.exe
2560	schtasks.exe
2228	schtasks.exe
2300	schtasks.exe
576	schtasks.exe
2804	schtasks.exe
1736	schtasks.exe
1100	schtasks.exe
2864	schtasks.exe
3012	schtasks.exe
2976	schtasks.exe
2496	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2276	XWJ3rhzJmNpT0H.exe
2276	XWJ3rhzJmNpT0H.exe
2276	XWJ3rhzJmNpT0H.exe
2276	XWJ3rhzJmNpT0H.exe
2276	XWJ3rhzJmNpT0H.exe
2276	XWJ3rhzJmNpT0H.exe
2276	XWJ3rhzJmNpT0H.exe
2276	XWJ3rhzJmNpT0H.exe
2276	XWJ3rhzJmNpT0H.exe
2276	XWJ3rhzJmNpT0H.exe
2276	XWJ3rhzJmNpT0H.exe
2276	XWJ3rhzJmNpT0H.exe
2276	XWJ3rhzJmNpT0H.exe
2276	XWJ3rhzJmNpT0H.exe
2276	XWJ3rhzJmNpT0H.exe
2276	XWJ3rhzJmNpT0H.exe
2276	XWJ3rhzJmNpT0H.exe
2276	XWJ3rhzJmNpT0H.exe
2276	XWJ3rhzJmNpT0H.exe
2276	XWJ3rhzJmNpT0H.exe
2276	XWJ3rhzJmNpT0H.exe
2276	XWJ3rhzJmNpT0H.exe
2276	XWJ3rhzJmNpT0H.exe
2276	XWJ3rhzJmNpT0H.exe
2276	XWJ3rhzJmNpT0H.exe
1772	powershell.exe
276	powershell.exe
2384	powershell.exe
1028	powershell.exe
700	powershell.exe
2920	powershell.exe
2656	powershell.exe
2184	powershell.exe
324	powershell.exe
2400	powershell.exe
2308	powershell.exe
2524	powershell.exe
1956	taskhost.exe
1956	taskhost.exe
1956	taskhost.exe
1956	taskhost.exe
1956	taskhost.exe
1956	taskhost.exe
1956	taskhost.exe
1956	taskhost.exe
1956	taskhost.exe
1956	taskhost.exe
1956	taskhost.exe
1956	taskhost.exe
1956	taskhost.exe
1956	taskhost.exe
1956	taskhost.exe
1956	taskhost.exe
1956	taskhost.exe
1956	taskhost.exe
1956	taskhost.exe
1956	taskhost.exe
1956	taskhost.exe
1956	taskhost.exe
1956	taskhost.exe
1956	taskhost.exe
1956	taskhost.exe
1956	taskhost.exe
1956	taskhost.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	XWJ3rhzJmNpT0H.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	276	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	700	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	324	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	1956	taskhost.exe
Token: SeDebugPrivilege	2712	taskhost.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2384	2276	XWJ3rhzJmNpT0H.exe	44
PID 2276 wrote to memory of 2384	2276	XWJ3rhzJmNpT0H.exe	44
PID 2276 wrote to memory of 2384	2276	XWJ3rhzJmNpT0H.exe	44
PID 2276 wrote to memory of 276	2276	XWJ3rhzJmNpT0H.exe	45
PID 2276 wrote to memory of 276	2276	XWJ3rhzJmNpT0H.exe	45
PID 2276 wrote to memory of 276	2276	XWJ3rhzJmNpT0H.exe	45
PID 2276 wrote to memory of 1028	2276	XWJ3rhzJmNpT0H.exe	46
PID 2276 wrote to memory of 1028	2276	XWJ3rhzJmNpT0H.exe	46
PID 2276 wrote to memory of 1028	2276	XWJ3rhzJmNpT0H.exe	46
PID 2276 wrote to memory of 1772	2276	XWJ3rhzJmNpT0H.exe	47
PID 2276 wrote to memory of 1772	2276	XWJ3rhzJmNpT0H.exe	47
PID 2276 wrote to memory of 1772	2276	XWJ3rhzJmNpT0H.exe	47
PID 2276 wrote to memory of 2656	2276	XWJ3rhzJmNpT0H.exe	48
PID 2276 wrote to memory of 2656	2276	XWJ3rhzJmNpT0H.exe	48
PID 2276 wrote to memory of 2656	2276	XWJ3rhzJmNpT0H.exe	48
PID 2276 wrote to memory of 2308	2276	XWJ3rhzJmNpT0H.exe	52
PID 2276 wrote to memory of 2308	2276	XWJ3rhzJmNpT0H.exe	52
PID 2276 wrote to memory of 2308	2276	XWJ3rhzJmNpT0H.exe	52
PID 2276 wrote to memory of 700	2276	XWJ3rhzJmNpT0H.exe	57
PID 2276 wrote to memory of 700	2276	XWJ3rhzJmNpT0H.exe	57
PID 2276 wrote to memory of 700	2276	XWJ3rhzJmNpT0H.exe	57
PID 2276 wrote to memory of 2524	2276	XWJ3rhzJmNpT0H.exe	56
PID 2276 wrote to memory of 2524	2276	XWJ3rhzJmNpT0H.exe	56
PID 2276 wrote to memory of 2524	2276	XWJ3rhzJmNpT0H.exe	56
PID 2276 wrote to memory of 2920	2276	XWJ3rhzJmNpT0H.exe	58
PID 2276 wrote to memory of 2920	2276	XWJ3rhzJmNpT0H.exe	58
PID 2276 wrote to memory of 2920	2276	XWJ3rhzJmNpT0H.exe	58
PID 2276 wrote to memory of 324	2276	XWJ3rhzJmNpT0H.exe	59
PID 2276 wrote to memory of 324	2276	XWJ3rhzJmNpT0H.exe	59
PID 2276 wrote to memory of 324	2276	XWJ3rhzJmNpT0H.exe	59
PID 2276 wrote to memory of 2184	2276	XWJ3rhzJmNpT0H.exe	60
PID 2276 wrote to memory of 2184	2276	XWJ3rhzJmNpT0H.exe	60
PID 2276 wrote to memory of 2184	2276	XWJ3rhzJmNpT0H.exe	60
PID 2276 wrote to memory of 2400	2276	XWJ3rhzJmNpT0H.exe	61
PID 2276 wrote to memory of 2400	2276	XWJ3rhzJmNpT0H.exe	61
PID 2276 wrote to memory of 2400	2276	XWJ3rhzJmNpT0H.exe	61
PID 2276 wrote to memory of 1404	2276	XWJ3rhzJmNpT0H.exe	68
PID 2276 wrote to memory of 1404	2276	XWJ3rhzJmNpT0H.exe	68
PID 2276 wrote to memory of 1404	2276	XWJ3rhzJmNpT0H.exe	68
PID 1404 wrote to memory of 2512	1404	cmd.exe	70
PID 1404 wrote to memory of 2512	1404	cmd.exe	70
PID 1404 wrote to memory of 2512	1404	cmd.exe	70
PID 1404 wrote to memory of 1956	1404	cmd.exe	71
PID 1404 wrote to memory of 1956	1404	cmd.exe	71
PID 1404 wrote to memory of 1956	1404	cmd.exe	71
PID 1956 wrote to memory of 1548	1956	taskhost.exe	74
PID 1956 wrote to memory of 1548	1956	taskhost.exe	74
PID 1956 wrote to memory of 1548	1956	taskhost.exe	74
PID 1956 wrote to memory of 1720	1956	taskhost.exe	75
PID 1956 wrote to memory of 1720	1956	taskhost.exe	75
PID 1956 wrote to memory of 1720	1956	taskhost.exe	75
PID 1548 wrote to memory of 2712	1548	WScript.exe	76
PID 1548 wrote to memory of 2712	1548	WScript.exe	76
PID 1548 wrote to memory of 2712	1548	WScript.exe	76

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XWJ3rhzJmNpT0H.exe
"C:\Users\Admin\AppData\Local\Temp\XWJ3rhzJmNpT0H.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BWw2qr2Xqb.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2512
- - C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\taskhost.exe
    "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\taskhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e79d9c81-7db7-4d97-b3e8-3cc343edae63.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1548
    - - C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\taskhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e176d3a9-91e8-449a-b82f-fc92a22f05ec.vbs"
      4⤵
      PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\SendTo\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\SendTo\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\taskhost.exe

Filesize
1.7MB

MD5
1db5a862201a5befaf8d780e7a8d61c8

SHA1
8a7406ddcf420229469588af5a1e67308b78ee90

SHA256
3046b7cb1861b7f35e0590c2091cff678cf44fd425be7b4753e50a6f39134045

SHA512
e9c318518ee8bd766cc4fb0adc09c0c3eab3df83119b1f61cd197da82f0b66af63486edf5b7f2b7d62394411921f6e55e58c5a0370acb23622b0567eb6fd21d0

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe

Filesize
1.7MB

MD5
f110d8cce9bfb48c7360203fa38d21c7

SHA1
b25dc35fe3741b5c6cf8286d65067920fb89823b

SHA256
85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87

SHA512
506cd39bc1cbcc9550cc726bc237a25c463512eec8c59f3b5990f207694f17dabd84e650676377c0b456f85ea61064fc0c55029390e82e0fece594982a223ad0

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe

Filesize
1.7MB

MD5
fc14979c13f1ddb2c79e51811d7f5320

SHA1
03406d3a3d406afc16ebdfc25eb311bb8c653c8b

SHA256
de16509e2a6a714124af32d887152d1856b24e39b7090b6137544206a8a33190

SHA512
ff4ab613154a936577fd03050502453b20aea64970c5d7811a5eac1659ec5e7e09f12e480e768c58b934c60c4d28ab22c758db51f7b523349385a4c32ba23682

Download Submit
C:\Users\Admin\AppData\Local\Temp\BWw2qr2Xqb.bat

Filesize
240B

MD5
525ad0c1a2411e635b9341de9bac9519

SHA1
69d5f625f2feae92c7fed02a66cc91a2f435126c

SHA256
d92befac99a1a78c1d8a22ff65d99887578bec1a4214dbed280a74d9469fa2c3

SHA512
921c054fb46d904a9546a743604c7a5a0aaf6f3d211cc217fe75dd4f689496a0dcd7edf985b4743e0451adff5f07ec8c7384ae4f08a735c5546e0301fa71f0bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\e176d3a9-91e8-449a-b82f-fc92a22f05ec.vbs

Filesize
527B

MD5
3c08d05e28207bcec5fff8366d130d2f

SHA1
652f236f7a4863f268f5bd45b6cecaefc6d6fbc3

SHA256
292ecba8011c9d6fcea6c6ede0e2adcf66c459b5b6e32bdd89956b3b324403a1

SHA512
38be93d4876a571cfe2cc8943ce6ca39853a23eda565278ee76685a6938d0ab1a06d84f87a8a3e1bc2a2da3fdd14214ef2fcc38e6f091b19707393249e3bd15e

Download Submit
C:\Users\Admin\AppData\Local\Temp\e79d9c81-7db7-4d97-b3e8-3cc343edae63.vbs

Filesize
751B

MD5
9a3642d6876b5343896fec2dcc79d592

SHA1
bee1cdeaa096753d189bbbfc1515d54043a479c0

SHA256
4fe54c0b0ae0a9cb2bfa5ed852938b582a5fe4043ea6850ce5999f31f569b765

SHA512
b76a21488a5b43369971bb77e30e640e5024b75c3cb85bb25ec9eb52821a95b2da8793d7b147f3e5449892ba594873f1b5ad8c2f21e1badcc634eb72f2e70903

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c3c1f00ca72701e6aa50d7e963a3b7bc

SHA1
1d85bdee3cf2488fbde250403bd5877ab43a32b8

SHA256
2a454926adaab404d0a6a56dee9562a7878606ec12c1e42d121ceb2fb7df1b7d

SHA512
273e7f41f6ed97a1acc6dd9130e957273b3a4ec90b440197f17aecc5d108503631c80269742845d8eefa074284e38926127ccbef8bce154fa85e5f6bfedc8436

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\sppsvc.exe

Filesize
1.7MB

MD5
aea65a9850cd0cb4e084126068d62ec2

SHA1
5adf71556f1178915e91e3191d0d9ed9afcd2088

SHA256
a082f419a9d4f180389d0786782e39983e8697e46d655249ffa26b614f5adba9

SHA512
279223509b38ff0c473f57ba8cb5334c2a7b4943ad21af3fbef57313e7cc6362f13b972bf1237050e5eb32b9232c23e723d530407e8c1211ee76f7acb2347d1d

Download Submit
C:\Windows\SoftwareDistribution\DataStore\Logs\dllhost.exe

Filesize
1.7MB

MD5
005c4f747ec0d13a33d9418b09efe842

SHA1
50df426085f57a610a0b356c407ba9f7b8711028

SHA256
099cd91e953d48aff6cd5ab63681feaa859eff946b08d15441b6f27950f442d5

SHA512
956089750fdffd306f6bc82cf08c3248e327a431bdc4d05e203594fd475e555393803b00cfeb489a0283b59f4b7ab66a8b2e86fa7408a256c67fc5849858baaf

Download Submit
memory/276-166-0x00000000028B0000-0x0000000002930000-memory.dmp

Filesize
512KB

Download
memory/276-167-0x00000000028B0000-0x0000000002930000-memory.dmp

Filesize
512KB

Download
memory/276-162-0x000007FEED590000-0x000007FEEDF2D000-memory.dmp

Filesize
9.6MB

Download
memory/276-165-0x000007FEED590000-0x000007FEEDF2D000-memory.dmp

Filesize
9.6MB

Download
memory/276-164-0x00000000028B0000-0x0000000002930000-memory.dmp

Filesize
512KB

Download
memory/700-183-0x0000000002AE0000-0x0000000002B60000-memory.dmp

Filesize
512KB

Download
memory/700-178-0x000007FEED590000-0x000007FEEDF2D000-memory.dmp

Filesize
9.6MB

Download
memory/700-179-0x0000000002AE0000-0x0000000002B60000-memory.dmp

Filesize
512KB

Download
memory/700-180-0x000007FEED590000-0x000007FEEDF2D000-memory.dmp

Filesize
9.6MB

Download
memory/700-181-0x0000000002AE0000-0x0000000002B60000-memory.dmp

Filesize
512KB

Download
memory/700-194-0x000007FEED590000-0x000007FEEDF2D000-memory.dmp

Filesize
9.6MB

Download
memory/1028-182-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/1028-169-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/1028-172-0x000007FEED590000-0x000007FEEDF2D000-memory.dmp

Filesize
9.6MB

Download
memory/1028-173-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/1028-176-0x000007FEED590000-0x000007FEEDF2D000-memory.dmp

Filesize
9.6MB

Download
memory/1028-177-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/1028-199-0x000007FEED590000-0x000007FEEDF2D000-memory.dmp

Filesize
9.6MB

Download
memory/1772-161-0x0000000002404000-0x0000000002407000-memory.dmp

Filesize
12KB

Download
memory/1772-160-0x000007FEED590000-0x000007FEEDF2D000-memory.dmp

Filesize
9.6MB

Download
memory/1772-163-0x000000000240B000-0x0000000002472000-memory.dmp

Filesize
412KB

Download
memory/1772-149-0x000000001B200000-0x000000001B4E2000-memory.dmp

Filesize
2.9MB

Download
memory/1772-150-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/1956-193-0x00000000010F0000-0x00000000012A6000-memory.dmp

Filesize
1.7MB

Download
memory/2276-12-0x00000000020D0000-0x00000000020DC000-memory.dmp

Filesize
48KB

Download
memory/2276-14-0x00000000020E0000-0x00000000020EA000-memory.dmp

Filesize
40KB

Download
memory/2276-0-0x00000000009B0000-0x0000000000B66000-memory.dmp

Filesize
1.7MB

Download
memory/2276-48-0x000000001B030000-0x000000001B0B0000-memory.dmp

Filesize
512KB

Download
memory/2276-30-0x000000001B030000-0x000000001B0B0000-memory.dmp

Filesize
512KB

Download
memory/2276-27-0x000000001B030000-0x000000001B0B0000-memory.dmp

Filesize
512KB

Download
memory/2276-18-0x00000000021A0000-0x00000000021AC000-memory.dmp

Filesize
48KB

Download
memory/2276-17-0x000000001B030000-0x000000001B0B0000-memory.dmp

Filesize
512KB

Download
memory/2276-1-0x000007FEF5550000-0x000007FEF5F3C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-16-0x0000000002110000-0x000000000211C000-memory.dmp

Filesize
48KB

Download
memory/2276-42-0x000000001B030000-0x000000001B0B0000-memory.dmp

Filesize
512KB

Download
memory/2276-2-0x000000001B030000-0x000000001B0B0000-memory.dmp

Filesize
512KB

Download
memory/2276-15-0x0000000002100000-0x0000000002108000-memory.dmp

Filesize
32KB

Download
memory/2276-4-0x0000000000990000-0x0000000000998000-memory.dmp

Filesize
32KB

Download
memory/2276-116-0x000007FEF5550000-0x000007FEF5F3C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-3-0x0000000000460000-0x000000000047C000-memory.dmp

Filesize
112KB

Download
memory/2276-13-0x00000000020F0000-0x00000000020FC000-memory.dmp

Filesize
48KB

Download
memory/2276-72-0x000000001B030000-0x000000001B0B0000-memory.dmp

Filesize
512KB

Download
memory/2276-10-0x00000000020C0000-0x00000000020C8000-memory.dmp

Filesize
32KB

Download
memory/2276-9-0x00000000020A0000-0x00000000020AC000-memory.dmp

Filesize
48KB

Download
memory/2276-8-0x00000000020B0000-0x00000000020C0000-memory.dmp

Filesize
64KB

Download
memory/2276-7-0x0000000002090000-0x00000000020A2000-memory.dmp

Filesize
72KB

Download
memory/2276-6-0x0000000002070000-0x0000000002086000-memory.dmp

Filesize
88KB

Download
memory/2276-5-0x00000000009A0000-0x00000000009B0000-memory.dmp

Filesize
64KB

Download
memory/2308-195-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/2384-170-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/2384-175-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/2384-168-0x000007FEED590000-0x000007FEEDF2D000-memory.dmp

Filesize
9.6MB

Download
memory/2384-171-0x000007FEED590000-0x000007FEEDF2D000-memory.dmp

Filesize
9.6MB

Download
memory/2384-174-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/2384-198-0x000007FEED590000-0x000007FEEDF2D000-memory.dmp

Filesize
9.6MB

Download
memory/2656-189-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/2656-188-0x000007FEED590000-0x000007FEEDF2D000-memory.dmp

Filesize
9.6MB

Download
memory/2920-186-0x000007FEED590000-0x000007FEEDF2D000-memory.dmp

Filesize
9.6MB

Download
memory/2920-187-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2920-197-0x00000000029CB000-0x0000000002A32000-memory.dmp

Filesize
412KB

Download
memory/2920-196-0x000007FEED590000-0x000007FEEDF2D000-memory.dmp

Filesize
9.6MB

Download
memory/2920-190-0x000007FEED590000-0x000007FEEDF2D000-memory.dmp

Filesize
9.6MB

Download
memory/2920-191-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2920-192-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download