dcrat | 0e6fc77a72dd0b4c8f8fe7607c92eac7cf5b0d607c9904e09d9fb1b2128a2e51

Analysis

max time kernel
139s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2024 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

start-main/yjadyjasfdtj.exe
Size

855KB
MD5

5780dbae6ac61a88c8d89f216f324146
SHA1

cebcebedc7aaea3a4dd1fbec933cd169bf92e9dc
SHA256

4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605
SHA512

8a595384247649e31ef0c69a63243199d224334d75b66fd486a8e6ba0ac3c2b5521e1ead4b64fb9c968c21a4836581dde10e78f36217b62862c40bed2d105920
SSDEEP

12288:I/TnPz84JfpflKH6qHJJMA+7pW3Ari4VVyZC0+1cp9rcDNpTWDTQGCZ6:I/TnzfS6qpJMA+73iE0nTr66

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

yjadyjasfdtj.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\upfc.exe\""	yjadyjasfdtj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\""	yjadyjasfdtj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Windows\\fr-FR\\unsecapp.exe\""	yjadyjasfdtj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Windows\\fr-FR\\unsecapp.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\start-main\\yjadyjasfdtj.exe\""	yjadyjasfdtj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\""	yjadyjasfdtj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	yjadyjasfdtj.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	5000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4148	5000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	5000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	5000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	5000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	5000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3492	5000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	5000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	5000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	5000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	5000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	5000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	5000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	5000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	5000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	5000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	5000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	5000	schtasks.exe

DCRat payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral31/memory/2956-1-0x0000000000D70000-0x0000000000E4C000-memory.dmp	family_dcrat_v2
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe	family_dcrat_v2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

yjadyjasfdtj.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	yjadyjasfdtj.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

yjadyjasfdtj.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Windows Mail\\upfc.exe\""	yjadyjasfdtj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	yjadyjasfdtj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	yjadyjasfdtj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\fr-FR\\unsecapp.exe\""	yjadyjasfdtj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yjadyjasfdtj = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\start-main\\yjadyjasfdtj.exe\""	yjadyjasfdtj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\""	yjadyjasfdtj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\""	yjadyjasfdtj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Windows Mail\\upfc.exe\""	yjadyjasfdtj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\fr-FR\\unsecapp.exe\""	yjadyjasfdtj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yjadyjasfdtj = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\start-main\\yjadyjasfdtj.exe\""	yjadyjasfdtj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	yjadyjasfdtj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	yjadyjasfdtj.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ipinfo.io
8 ipinfo.io
52 ipinfo.io
53 ipinfo.io

flow	ioc
6	ipinfo.io
8	ipinfo.io
52	ipinfo.io
53	ipinfo.io

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	process
File created	\??\c:\Windows\System32\CSCD3F585FDF0284F3586DD736A599960CC.TMP	csc.exe
File created	\??\c:\Windows\System32\ovufcs.exe	csc.exe

Drops file in Program Files directory 4 IoCs

Processes:

yjadyjasfdtj.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Mail\upfc.exe	yjadyjasfdtj.exe
File created	C:\Program Files (x86)\Windows Mail\ea1d8f6d871115	yjadyjasfdtj.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe	yjadyjasfdtj.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\886983d96e3d3e	yjadyjasfdtj.exe

Drops file in Windows directory 3 IoCs

Processes:

yjadyjasfdtj.exe

description	ioc	process
File created	C:\Windows\fr-FR\unsecapp.exe	yjadyjasfdtj.exe
File opened for modification	C:\Windows\fr-FR\unsecapp.exe	yjadyjasfdtj.exe
File created	C:\Windows\fr-FR\29c1c3cc0f7685	yjadyjasfdtj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

yjadyjasfdtj.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings yjadyjasfdtj.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	yjadyjasfdtj.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
3552	schtasks.exe
1496	schtasks.exe
4148	schtasks.exe
4828	schtasks.exe
1844	schtasks.exe
3492	schtasks.exe
2348	schtasks.exe
1864	schtasks.exe
5056	schtasks.exe
2228	schtasks.exe
4756	schtasks.exe
4724	schtasks.exe
220	schtasks.exe
4956	schtasks.exe
5116	schtasks.exe
804	schtasks.exe
3536	schtasks.exe
4652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

yjadyjasfdtj.exe

pid	process
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe
2956	yjadyjasfdtj.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

yjadyjasfdtj.exe

description pid process

Token: SeDebugPrivilege 2956 yjadyjasfdtj.exe

description	pid	process
Token: SeDebugPrivilege	2956	yjadyjasfdtj.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

yjadyjasfdtj.execsc.execmd.exe

description	pid	process	target process
PID 2956 wrote to memory of 1388	2956	yjadyjasfdtj.exe	csc.exe
PID 2956 wrote to memory of 1388	2956	yjadyjasfdtj.exe	csc.exe
PID 1388 wrote to memory of 2736	1388	csc.exe	cvtres.exe
PID 1388 wrote to memory of 2736	1388	csc.exe	cvtres.exe
PID 2956 wrote to memory of 4784	2956	yjadyjasfdtj.exe	cmd.exe
PID 2956 wrote to memory of 4784	2956	yjadyjasfdtj.exe	cmd.exe
PID 4784 wrote to memory of 2972	4784	cmd.exe	chcp.com
PID 4784 wrote to memory of 2972	4784	cmd.exe	chcp.com
PID 4784 wrote to memory of 2188	4784	cmd.exe	w32tm.exe
PID 4784 wrote to memory of 2188	4784	cmd.exe	w32tm.exe
PID 4784 wrote to memory of 2960	4784	cmd.exe	yjadyjasfdtj.exe
PID 4784 wrote to memory of 2960	4784	cmd.exe	yjadyjasfdtj.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\start-main\yjadyjasfdtj.exe
"C:\Users\Admin\AppData\Local\Temp\start-main\yjadyjasfdtj.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y3oj4ull\y3oj4ull.cmdline"
2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50C.tmp" "c:\Windows\System32\CSCD3F585FDF0284F3586DD736A599960CC.TMP"
3⤵
PID:2736

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OQx62mXHfy.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:4784

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:2972

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\start-main\yjadyjasfdtj.exe
"C:\Users\Admin\AppData\Local\Temp\start-main\yjadyjasfdtj.exe"
3⤵
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Windows\fr-FR\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\fr-FR\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Windows\fr-FR\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "yjadyjasfdtjy" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\start-main\yjadyjasfdtj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "yjadyjasfdtj" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\start-main\yjadyjasfdtj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "yjadyjasfdtjy" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\start-main\yjadyjasfdtj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe

Filesize
855KB

MD5
5780dbae6ac61a88c8d89f216f324146

SHA1
cebcebedc7aaea3a4dd1fbec933cd169bf92e9dc

SHA256
4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605

SHA512
8a595384247649e31ef0c69a63243199d224334d75b66fd486a8e6ba0ac3c2b5521e1ead4b64fb9c968c21a4836581dde10e78f36217b62862c40bed2d105920

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQx62mXHfy.bat

Filesize
237B

MD5
e1fbef1cbf75a391ba4efdbef10ee101

SHA1
6f39a7b5be36a589cffeae2d2b5927af86675aad

SHA256
2528522f3036893dad62bdf53c563a63bf2dfeea0ad03c5d838d2a675be41a34

SHA512
c146b88fef16b7175f4d68dee2de37d8437f33902fcf340a90a5911f99624150a9df113362746df94400efd7b974c5683bf6c7e6ba70ddfe99f90893ea096a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES50C.tmp

Filesize
1KB

MD5
a1f55f932de6f391177aabfedab6c01e

SHA1
6a28426751f4102650b76108bcf393bf1b489c76

SHA256
c13c29d50566e22e654d7d84c651ae9e17a479165474226369d9187e612ab089

SHA512
1c5deac84dc4c2a4676041307a54329902526b08a60a3fcf096916f196174f5c0f6cca3be15c9fa9855510f2bb21e742b466839c38160d59c9ea752ba2872db1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y3oj4ull\y3oj4ull.0.cs

Filesize
409B

MD5
059fdfbe03eeb2ad5f27dfcf1c12abb1

SHA1
ca8ad47e65bfd50b53057763717097d99262d4e7

SHA256
9b170c69338e1129fe6eec3cb01fe7935b9a28acf3163fb82a92b03b331e7570

SHA512
f247daf154bb06b30c28c14a2c4aaec78c4b27856c9d3c42fa967a0bf69d8b43490da66315176525aeb33a4cf15410f2b5e87aa0231c92266726b1c408bea321

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y3oj4ull\y3oj4ull.cmdline

Filesize
235B

MD5
fc439afbc15cf69a5937b3b7d753bf9f

SHA1
c21d917d19345209aeaa387c592d0b6097de0dbf

SHA256
1fd01beac4d0e0feea8f2e52e85ab67bfab1902598a7936a0ec355ce763e9343

SHA512
bd7afbd55f3d9ec822f8ecd2bbe447a9572b64df6c0bccf2e522c6c1927278ac2b45c93a1996b984e6640ae1980a629f2c7971f794c1f3b73c220c953549a939

Download Submit
\??\c:\Windows\System32\CSCD3F585FDF0284F3586DD736A599960CC.TMP

Filesize
1KB

MD5
1c519e4618f2b468d0f490d4a716da11

SHA1
1a693d0046e48fa813e4fa3bb94ccd20d43e3106

SHA256
4dbf16e3b3bb06c98eeaf27d0a25d9f34ee0ceac51e6365218ef7cd09edb3438

SHA512
99f293878a08b56db6ff2297f243f5f5b85864e6925a1d6af61a65369f7eb323ae1b75fe5f1465fac0b982ac9f49b9e0a295b5dac947da40f61991c4411233fd

Download Submit
memory/2956-18-0x000000001BA70000-0x000000001BA7C000-memory.dmp

Filesize
48KB

Download
memory/2956-32-0x00007FFCD3F80000-0x00007FFCD4A41000-memory.dmp

Filesize
10.8MB

Download
memory/2956-8-0x00007FFCD3F80000-0x00007FFCD4A41000-memory.dmp

Filesize
10.8MB

Download
memory/2956-14-0x0000000002EE0000-0x0000000002EEE000-memory.dmp

Filesize
56KB

Download
memory/2956-16-0x0000000002F10000-0x0000000002F18000-memory.dmp

Filesize
32KB

Download
memory/2956-19-0x00007FFCD3F80000-0x00007FFCD4A41000-memory.dmp

Filesize
10.8MB

Download
memory/2956-0-0x00007FFCD3F83000-0x00007FFCD3F85000-memory.dmp

Filesize
8KB

Download
memory/2956-20-0x00007FFCD3F80000-0x00007FFCD4A41000-memory.dmp

Filesize
10.8MB

Download
memory/2956-12-0x0000000002ED0000-0x0000000002EDC000-memory.dmp

Filesize
48KB

Download
memory/2956-10-0x0000000002F30000-0x0000000002F48000-memory.dmp

Filesize
96KB

Download
memory/2956-33-0x00007FFCD3F80000-0x00007FFCD4A41000-memory.dmp

Filesize
10.8MB

Download
memory/2956-34-0x00007FFCD3F80000-0x00007FFCD4A41000-memory.dmp

Filesize
10.8MB

Download
memory/2956-35-0x00007FFCD3F80000-0x00007FFCD4A41000-memory.dmp

Filesize
10.8MB

Download
memory/2956-7-0x000000001BA80000-0x000000001BAD0000-memory.dmp

Filesize
320KB

Download
memory/2956-6-0x0000000002EF0000-0x0000000002F0C000-memory.dmp

Filesize
112KB

Download
memory/2956-4-0x0000000002EC0000-0x0000000002ECE000-memory.dmp

Filesize
56KB

Download
memory/2956-2-0x00007FFCD3F80000-0x00007FFCD4A41000-memory.dmp

Filesize
10.8MB

Download
memory/2956-48-0x00007FFCD3F80000-0x00007FFCD4A41000-memory.dmp

Filesize
10.8MB

Download
memory/2956-1-0x0000000000D70000-0x0000000000E4C000-memory.dmp

Filesize
880KB

Download
memory/2956-55-0x00007FFCD3F80000-0x00007FFCD4A41000-memory.dmp

Filesize
10.8MB

Download