dcrat | 4a3e0402f692a391300bb5dd374086e2ae642725918fce5a703d686899024559

Analysis

max time kernel
148s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gamingservices.exe
Size

1.8MB
MD5

7e1cbd229ae163375fc55065690e27b4
SHA1

f1cecafde4f843b03f3defffcac7fd6950b582a6
SHA256

4a3e0402f692a391300bb5dd374086e2ae642725918fce5a703d686899024559
SHA512

545c246f2d0159f5c2f7631b891c19166505c525b0a6d66f2338460dfda94679da283aa3e8dffa7fc6fec5752cedbce753f731a7064cff8754970d8968d3c882
SSDEEP

24576:7Sgle/EPZ5XpxBeonQxcYHgC+aviVZZmQ5NnL+MIWRbtHU4aClCbs8HF7Kz9jxG:7AsZWHgReoP7nyWtHPaB37S9jx

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3496	4404	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	4404	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	4404	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	4404	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	4404	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3816	4404	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	4404	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	4404	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	4404	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	4404	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	4404	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	4404	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	4404	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	4404	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	4404	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	4404	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	4404	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	4404	schtasks.exe	82

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	gamingservices.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 5 IoCs

pid	Process
2896	csrss.exe
3320	csrss.exe
720	csrss.exe
1576	csrss.exe
4760	csrss.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\fontdrvhost.exe	gamingservices.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\5b884080fd4f94	gamingservices.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\csrss.exe	gamingservices.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\886983d96e3d3e	gamingservices.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\ja-JP\SearchApp.exe	gamingservices.exe
File opened for modification	C:\Windows\ja-JP\SearchApp.exe	gamingservices.exe
File created	C:\Windows\ja-JP\38384e6a620884	gamingservices.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3960	PING.EXE
2380	PING.EXE
3476	PING.EXE
4580	PING.EXE
1332	PING.EXE

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	gamingservices.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
3960	PING.EXE
2380	PING.EXE
3476	PING.EXE
4580	PING.EXE
1332	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5072	schtasks.exe
2544	schtasks.exe
1804	schtasks.exe
4596	schtasks.exe
3172	schtasks.exe
1048	schtasks.exe
2220	schtasks.exe
2180	schtasks.exe
1748	schtasks.exe
436	schtasks.exe
1568	schtasks.exe
3984	schtasks.exe
3816	schtasks.exe
5044	schtasks.exe
3496	schtasks.exe
4196	schtasks.exe
4968	schtasks.exe
2460	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
5096	gamingservices.exe
2896	csrss.exe
2896	csrss.exe
2896	csrss.exe
2896	csrss.exe
2896	csrss.exe
2896	csrss.exe
2896	csrss.exe
2896	csrss.exe
2896	csrss.exe
2896	csrss.exe
2896	csrss.exe
2896	csrss.exe
2896	csrss.exe
2896	csrss.exe
2896	csrss.exe
2896	csrss.exe
2896	csrss.exe
2896	csrss.exe
2896	csrss.exe
2896	csrss.exe
2896	csrss.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	5096	gamingservices.exe
Token: SeDebugPrivilege	2896	csrss.exe
Token: SeDebugPrivilege	3320	csrss.exe
Token: SeDebugPrivilege	720	csrss.exe
Token: SeDebugPrivilege	1576	csrss.exe
Token: SeDebugPrivilege	4760	csrss.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 5040	5096	gamingservices.exe	101
PID 5096 wrote to memory of 5040	5096	gamingservices.exe	101
PID 5040 wrote to memory of 2656	5040	cmd.exe	103
PID 5040 wrote to memory of 2656	5040	cmd.exe	103
PID 5040 wrote to memory of 3960	5040	cmd.exe	104
PID 5040 wrote to memory of 3960	5040	cmd.exe	104
PID 5040 wrote to memory of 2896	5040	cmd.exe	108
PID 5040 wrote to memory of 2896	5040	cmd.exe	108
PID 2896 wrote to memory of 4992	2896	csrss.exe	114
PID 2896 wrote to memory of 4992	2896	csrss.exe	114
PID 4992 wrote to memory of 4472	4992	cmd.exe	116
PID 4992 wrote to memory of 4472	4992	cmd.exe	116
PID 4992 wrote to memory of 2380	4992	cmd.exe	117
PID 4992 wrote to memory of 2380	4992	cmd.exe	117
PID 4992 wrote to memory of 3320	4992	cmd.exe	118
PID 4992 wrote to memory of 3320	4992	cmd.exe	118
PID 3320 wrote to memory of 2172	3320	csrss.exe	119
PID 3320 wrote to memory of 2172	3320	csrss.exe	119
PID 2172 wrote to memory of 1164	2172	cmd.exe	121
PID 2172 wrote to memory of 1164	2172	cmd.exe	121
PID 2172 wrote to memory of 3476	2172	cmd.exe	122
PID 2172 wrote to memory of 3476	2172	cmd.exe	122
PID 2172 wrote to memory of 720	2172	cmd.exe	123
PID 2172 wrote to memory of 720	2172	cmd.exe	123
PID 720 wrote to memory of 704	720	csrss.exe	124
PID 720 wrote to memory of 704	720	csrss.exe	124
PID 704 wrote to memory of 5008	704	cmd.exe	126
PID 704 wrote to memory of 5008	704	cmd.exe	126
PID 704 wrote to memory of 468	704	cmd.exe	127
PID 704 wrote to memory of 468	704	cmd.exe	127
PID 704 wrote to memory of 1576	704	cmd.exe	128
PID 704 wrote to memory of 1576	704	cmd.exe	128
PID 1576 wrote to memory of 2272	1576	csrss.exe	129
PID 1576 wrote to memory of 2272	1576	csrss.exe	129
PID 2272 wrote to memory of 4488	2272	cmd.exe	131
PID 2272 wrote to memory of 4488	2272	cmd.exe	131
PID 2272 wrote to memory of 4580	2272	cmd.exe	132
PID 2272 wrote to memory of 4580	2272	cmd.exe	132
PID 2272 wrote to memory of 4760	2272	cmd.exe	133
PID 2272 wrote to memory of 4760	2272	cmd.exe	133
PID 4760 wrote to memory of 2432	4760	csrss.exe	134
PID 4760 wrote to memory of 2432	4760	csrss.exe	134
PID 2432 wrote to memory of 2316	2432	cmd.exe	136
PID 2432 wrote to memory of 2316	2432	cmd.exe	136
PID 2432 wrote to memory of 1332	2432	cmd.exe	137
PID 2432 wrote to memory of 1332	2432	cmd.exe	137

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\gamingservices.exe
"C:\Users\Admin\AppData\Local\Temp\gamingservices.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T94VysQIsf.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2656
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3960
- - C:\Program Files\Windows Photo Viewer\en-US\csrss.exe
    "C:\Program Files\Windows Photo Viewer\en-US\csrss.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b8nWhu89y1.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4992
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4472
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2380
    - - C:\Program Files\Windows Photo Viewer\en-US\csrss.exe
        
        "C:\Program Files\Windows Photo Viewer\en-US\csrss.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3320
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fcOKbH0YFO.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1164
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3476
        
        C:\Program Files\Windows Photo Viewer\en-US\csrss.exe
        
        "C:\Program Files\Windows Photo Viewer\en-US\csrss.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cMdeBf80Aw.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:5008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:468
        
        C:\Program Files\Windows Photo Viewer\en-US\csrss.exe
        
        "C:\Program Files\Windows Photo Viewer\en-US\csrss.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tXGl5KOL28.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4488
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4580
        
        C:\Program Files\Windows Photo Viewer\en-US\csrss.exe
        
        "C:\Program Files\Windows Photo Viewer\en-US\csrss.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aYLtGzs08v.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2316
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Application Data\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Application Data\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Public\Libraries\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Libraries\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Windows\ja-JP\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\ja-JP\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "gamingservicesg" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\gamingservices.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "gamingservices" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\gamingservices.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "gamingservicesg" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\gamingservices.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\csrss.exe

Filesize
1.8MB

MD5
7e1cbd229ae163375fc55065690e27b4

SHA1
f1cecafde4f843b03f3defffcac7fd6950b582a6

SHA256
4a3e0402f692a391300bb5dd374086e2ae642725918fce5a703d686899024559

SHA512
545c246f2d0159f5c2f7631b891c19166505c525b0a6d66f2338460dfda94679da283aa3e8dffa7fc6fec5752cedbce753f731a7064cff8754970d8968d3c882

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
f8b2fca3a50771154571c11f1c53887b

SHA1
2e83b0c8e2f4c10b145b7fb4832ed1c78743de3f

SHA256
0efa72802031a8f902c3a4ab18fe3d667dafc71c93eb3a1811e78353ecf4a6b6

SHA512
b98b8d5516593d13415199d4ac6fbe4ff924488487c4bd863cb677601048785d872a3ff30129148e2961cb6fb2fc33117540302980a132f57f7ec9a497813f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\T94VysQIsf.bat

Filesize
181B

MD5
6b0a985a34c90cb095c167227e95838d

SHA1
bd949991a668c427806302a0ca543a3e6feb8d88

SHA256
23389438ac9c806a77d53dc091f253a2c2d2133db252cb700e21c539db48221e

SHA512
d175e4b0e7d6d44ecbd03e86481090c6641b00dfa184fb890d4cc32449d98154a001bf52762d8df0be170e9990f404e6847857b25a0ccc293a33fe41586a4de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYLtGzs08v.bat

Filesize
181B

MD5
48b3132adbda4f137bb0f921660c0658

SHA1
8c534a79afd5282a679a1436ea27fe98e0ece58a

SHA256
84d8f13f19cf0674a9221a5c7380f52a69ed438c3b9afe77323f838936844db0

SHA512
18dcca832d2acae3be56f465c8a63fa1c6b48c0c792a480197d33e64f7b927d70ac50f911791a61ab1dc70aa88bdbc0a6e5bbf87b44ca1606c1e4669ddf4ac25

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8nWhu89y1.bat

Filesize
181B

MD5
84708c45999da3a63e554662ea2022be

SHA1
58b4aca0415e81ad9928db8f7ab925f836384477

SHA256
ddb6036057d4ddbd24c68657943cc9e1732fb2a32e689468491ccd79fcc368dd

SHA512
8b6d462702521231af90475cc8d197e13cd912a037e0b62e4d94e3c39c0a7b8149ae2ac8b169815e20cd9d520409fcab8b54b0d0d6c74e8c5c4699d795c471f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMdeBf80Aw.bat

Filesize
229B

MD5
d5035b33ec97319eb44e8d15e9ff5fad

SHA1
6f06b9fa9f3ac3392733fdad00c77fc091c62af9

SHA256
74e1b632bdc99e41566843bd455f74197c47152e15599703126fc70ee2760fd6

SHA512
479246c9642aa0b8fbc1328c01a2e248b985f9ae9a98d8d114a09d8ce38079e20aaf6f25109b4b18334c7adec700a55e40597189247a682e4b41ea46da51b930

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcOKbH0YFO.bat

Filesize
181B

MD5
d2ecbbf787b5bd4eb64b7b86f0155201

SHA1
f6121cffd945edb7644a0e65421fd64bafd1a56f

SHA256
30e7a1ce099e5cebe17b5d58510c9b6820f74936caed5eb52f89951c5b3e8350

SHA512
b5ebdb250de65adefab8c96d772a3aa21b5e830e60b0feec538f8405a5f72bec55ca4219dea01d3a816a33e590b6f12d23d75af6bbf07289a69907d322112e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\tXGl5KOL28.bat

Filesize
181B

MD5
25f54b96f3e97ee40509a19afe038ceb

SHA1
d8c87549d06bb5c62e1c0a103c8289ddf1c5e2a3

SHA256
a4a5bc3e817058a40f4141096fd2cd2abfacbdb5205231645049ef33e594ffaa

SHA512
41309b30dd403cc47e57a80afb2bd2b56161a8b3365eaaa7756638354c93cee0dba281b789e4768364b5aff3047139aaad02a7a1e9efa93e21b76aa326c4c297

Download Submit
memory/5096-7-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/5096-31-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/5096-13-0x000000001BF60000-0x000000001BF78000-memory.dmp

Filesize
96KB

Download
memory/5096-14-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/5096-23-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/5096-10-0x000000001BF40000-0x000000001BF5C000-memory.dmp

Filesize
112KB

Download
memory/5096-27-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/5096-11-0x000000001BFB0000-0x000000001C000000-memory.dmp

Filesize
320KB

Download
memory/5096-8-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/5096-35-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/5096-0-0x00007FFF703D3000-0x00007FFF703D5000-memory.dmp

Filesize
8KB

Download
memory/5096-6-0x0000000003070000-0x000000000307E000-memory.dmp

Filesize
56KB

Download
memory/5096-4-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/5096-3-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/5096-2-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/5096-1-0x0000000000E10000-0x0000000000FE2000-memory.dmp

Filesize
1.8MB

Download