dcrat | 510a32139a79df7c7f5fb36bc540e5d1c8ad46e3baf9df5e3e1d4f7e38255b83

Analysis

max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

510a32139a79df7c7f5fb36bc540e5d1c8ad46e3baf9df5e3e1d4f7e38255b83.exe
Size

1.3MB
MD5

855fb25af1fc13afe4a0fa50d9fd2cab
SHA1

49c2af43b4ae1720e2643799d37ab9210b1c7c1f
SHA256

510a32139a79df7c7f5fb36bc540e5d1c8ad46e3baf9df5e3e1d4f7e38255b83
SHA512

7d9867210c7a1a02acd0606365d7bca752b6bc81b4fc7a9be8d4dd3588c988f4cc3d74303292f700288f5b7ad9f60557d628c304c916222258db4d1d6d446dcb
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2604	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d3f-12.dat	dcrat
behavioral1/memory/2820-13-0x00000000009A0000-0x0000000000AB0000-memory.dmp	dcrat
behavioral1/memory/768-45-0x00000000011F0000-0x0000000001300000-memory.dmp	dcrat
behavioral1/memory/2948-105-0x00000000003A0000-0x00000000004B0000-memory.dmp	dcrat
behavioral1/memory/2524-165-0x0000000000E00000-0x0000000000F10000-memory.dmp	dcrat
behavioral1/memory/2820-226-0x0000000000E90000-0x0000000000FA0000-memory.dmp	dcrat
behavioral1/memory/944-522-0x0000000000F00000-0x0000000001010000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2980	powershell.exe
2508	powershell.exe
2740	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2820	DllCommonsvc.exe
768	audiodg.exe
2948	audiodg.exe
2524	audiodg.exe
2820	audiodg.exe
1568	audiodg.exe
760	audiodg.exe
2128	audiodg.exe
1044	audiodg.exe
944	audiodg.exe

Loads dropped DLL 2 IoCs

pid	Process
2644	cmd.exe
2644	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
33	raw.githubusercontent.com
5	raw.githubusercontent.com
26	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	510a32139a79df7c7f5fb36bc540e5d1c8ad46e3baf9df5e3e1d4f7e38255b83.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3048	schtasks.exe
1908	schtasks.exe
2280	schtasks.exe
444	schtasks.exe
336	schtasks.exe
1440	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2820	DllCommonsvc.exe
2980	powershell.exe
2740	powershell.exe
2508	powershell.exe
768	audiodg.exe
2948	audiodg.exe
2524	audiodg.exe
2820	audiodg.exe
1568	audiodg.exe
760	audiodg.exe
2128	audiodg.exe
1044	audiodg.exe
944	audiodg.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	DllCommonsvc.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	768	audiodg.exe
Token: SeDebugPrivilege	2948	audiodg.exe
Token: SeDebugPrivilege	2524	audiodg.exe
Token: SeDebugPrivilege	2820	audiodg.exe
Token: SeDebugPrivilege	1568	audiodg.exe
Token: SeDebugPrivilege	760	audiodg.exe
Token: SeDebugPrivilege	2128	audiodg.exe
Token: SeDebugPrivilege	1044	audiodg.exe
Token: SeDebugPrivilege	944	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2784	2196	510a32139a79df7c7f5fb36bc540e5d1c8ad46e3baf9df5e3e1d4f7e38255b83.exe	30
PID 2196 wrote to memory of 2784	2196	510a32139a79df7c7f5fb36bc540e5d1c8ad46e3baf9df5e3e1d4f7e38255b83.exe	30
PID 2196 wrote to memory of 2784	2196	510a32139a79df7c7f5fb36bc540e5d1c8ad46e3baf9df5e3e1d4f7e38255b83.exe	30
PID 2196 wrote to memory of 2784	2196	510a32139a79df7c7f5fb36bc540e5d1c8ad46e3baf9df5e3e1d4f7e38255b83.exe	30
PID 2784 wrote to memory of 2644	2784	WScript.exe	31
PID 2784 wrote to memory of 2644	2784	WScript.exe	31
PID 2784 wrote to memory of 2644	2784	WScript.exe	31
PID 2784 wrote to memory of 2644	2784	WScript.exe	31
PID 2644 wrote to memory of 2820	2644	cmd.exe	33
PID 2644 wrote to memory of 2820	2644	cmd.exe	33
PID 2644 wrote to memory of 2820	2644	cmd.exe	33
PID 2644 wrote to memory of 2820	2644	cmd.exe	33
PID 2820 wrote to memory of 2740	2820	DllCommonsvc.exe	41
PID 2820 wrote to memory of 2740	2820	DllCommonsvc.exe	41
PID 2820 wrote to memory of 2740	2820	DllCommonsvc.exe	41
PID 2820 wrote to memory of 2508	2820	DllCommonsvc.exe	42
PID 2820 wrote to memory of 2508	2820	DllCommonsvc.exe	42
PID 2820 wrote to memory of 2508	2820	DllCommonsvc.exe	42
PID 2820 wrote to memory of 2980	2820	DllCommonsvc.exe	43
PID 2820 wrote to memory of 2980	2820	DllCommonsvc.exe	43
PID 2820 wrote to memory of 2980	2820	DllCommonsvc.exe	43
PID 2820 wrote to memory of 2896	2820	DllCommonsvc.exe	47
PID 2820 wrote to memory of 2896	2820	DllCommonsvc.exe	47
PID 2820 wrote to memory of 2896	2820	DllCommonsvc.exe	47
PID 2896 wrote to memory of 2912	2896	cmd.exe	49
PID 2896 wrote to memory of 2912	2896	cmd.exe	49
PID 2896 wrote to memory of 2912	2896	cmd.exe	49
PID 2896 wrote to memory of 768	2896	cmd.exe	50
PID 2896 wrote to memory of 768	2896	cmd.exe	50
PID 2896 wrote to memory of 768	2896	cmd.exe	50
PID 768 wrote to memory of 1040	768	audiodg.exe	51
PID 768 wrote to memory of 1040	768	audiodg.exe	51
PID 768 wrote to memory of 1040	768	audiodg.exe	51
PID 1040 wrote to memory of 1700	1040	cmd.exe	53
PID 1040 wrote to memory of 1700	1040	cmd.exe	53
PID 1040 wrote to memory of 1700	1040	cmd.exe	53
PID 1040 wrote to memory of 2948	1040	cmd.exe	54
PID 1040 wrote to memory of 2948	1040	cmd.exe	54
PID 1040 wrote to memory of 2948	1040	cmd.exe	54
PID 2948 wrote to memory of 2848	2948	audiodg.exe	55
PID 2948 wrote to memory of 2848	2948	audiodg.exe	55
PID 2948 wrote to memory of 2848	2948	audiodg.exe	55
PID 2848 wrote to memory of 2868	2848	cmd.exe	57
PID 2848 wrote to memory of 2868	2848	cmd.exe	57
PID 2848 wrote to memory of 2868	2848	cmd.exe	57
PID 2848 wrote to memory of 2524	2848	cmd.exe	58
PID 2848 wrote to memory of 2524	2848	cmd.exe	58
PID 2848 wrote to memory of 2524	2848	cmd.exe	58
PID 2524 wrote to memory of 2880	2524	audiodg.exe	59
PID 2524 wrote to memory of 2880	2524	audiodg.exe	59
PID 2524 wrote to memory of 2880	2524	audiodg.exe	59
PID 2880 wrote to memory of 2512	2880	cmd.exe	61
PID 2880 wrote to memory of 2512	2880	cmd.exe	61
PID 2880 wrote to memory of 2512	2880	cmd.exe	61
PID 2880 wrote to memory of 2820	2880	cmd.exe	62
PID 2880 wrote to memory of 2820	2880	cmd.exe	62
PID 2880 wrote to memory of 2820	2880	cmd.exe	62
PID 2820 wrote to memory of 2484	2820	audiodg.exe	63
PID 2820 wrote to memory of 2484	2820	audiodg.exe	63
PID 2820 wrote to memory of 2484	2820	audiodg.exe	63
PID 2484 wrote to memory of 1456	2484	cmd.exe	65
PID 2484 wrote to memory of 1456	2484	cmd.exe	65
PID 2484 wrote to memory of 1456	2484	cmd.exe	65
PID 2484 wrote to memory of 1568	2484	cmd.exe	66

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\510a32139a79df7c7f5fb36bc540e5d1c8ad46e3baf9df5e3e1d4f7e38255b83.exe
"C:\Users\Admin\AppData\Local\Temp\510a32139a79df7c7f5fb36bc540e5d1c8ad46e3baf9df5e3e1d4f7e38255b83.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cJ0G5QAkfh.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2896
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2912
      - C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1700
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AXFqcUy7ES.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2868
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2512
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VlbjwdcMOl.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1456
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\avPRQTW9Zy.bat"
        15⤵
        
        PID:2672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2812
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K3fI8Bd254.bat"
        17⤵
        
        PID:2244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:588
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sT6xLp4JQ8.bat"
        19⤵
        
        PID:964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1724
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat"
        21⤵
        
        PID:1008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1912
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat"
        23⤵
        
        PID:2568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b409f7636517294d799531e263be44c5

SHA1
b9f16f0c5c05fb7af67e61e35f8781a589e740e4

SHA256
9e6c4a7aac0c5eb018699a6f4fbb998ed1217a3510868a760b5afc1af8d19068

SHA512
e0d521fd80add8eb855fffd46ab63b3daa358815f1ec6da3c63a56a77a6f6721d8c4d24b830ab228ecf96a1025fa70177e37c278ac1498437bf459f0861c08e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1720be41464a02ff34da6fee40659117

SHA1
257c2d065b965d8c432e75c25bcb9c33e0c9b3a9

SHA256
3b882ed5d0f3e5e219c57e4f4212f4f4a8edc83809089a54f8057677c6a2eef5

SHA512
99df3a958a8763822758dbee41a62dafe2befcede32baea29d867ad6ab6028afe0200e79aab39f4601bc0056a536e9d10b5e9bd3f08b0a1d2d176436ec47ae73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6af3a1894eae13507980bd5c85ad4eaf

SHA1
e1fd65ac76b4ecba5f0578fc81fec686feb210a0

SHA256
141b21c4de5d56683ae8ceb73fd815a957ea3e6cf424a665f089a0b842356ddd

SHA512
edb59904a0a4485af4f60ae2a081dccd403b7a5624ec21eb336bc702301e919fb7dc218c2532b9e6a61ade780c152eb172b8332d4eaa547dc1edd251911fbe5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6bcd0b301170ef2b4c9bba5db0e24756

SHA1
16f9f16eed692a03baa24e8a994ebc4ab2437da9

SHA256
7efb2fb6854175107f8e19e64f73785f461777415bcd67645a2d7e49dec5b34b

SHA512
4b18ecb9da86495e7e93bbf700cd14da3236c8d87a59c2d15a309821e74bd3b8960fc5f8274df4818a156bbf5fdd5efd739dfc54fc347dbecbdfc2b1f412a6d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
256733afa1b6781be839d66bfddb019f

SHA1
5c025366df925ff814c7a0be950115902ac41eed

SHA256
b531692800cc70bf7e4772eef2ffe5b8ffbea8b128fd63662d74fda3159d9a4b

SHA512
edd466ff0a9c3a9c356639537c434a40789617fdb74809cd9807a54330eb5e8c19bb944d0a3eda1231ad64d97b1ae906beb65406bb6e4629e7d218f4fd75f194

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
981673d11e8c934e5310a77bcf03f818

SHA1
2bb2ad59d69a1df71be878fb99a50683cbd03bfb

SHA256
c889f809c9693d51715891484873d85c3a9e6422dc7f4533ae8d2ab2f83e2585

SHA512
3e8a7664bbda5fda24235fb0fea72804f9bec2b15a27152c57dd3eb228e24bed6dea96c1f05bd6f7a439abeac9c12edd76c540714d41398d3ba7eb26b01ec9da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
731eca4cea4199395e3ca92cb684df7d

SHA1
15f14b2c4ccdf1c6f5f1538263e0f4f00ec405b9

SHA256
a708ea70baa9b2d9f9eb627b057a68a72fc0f3456f65e4712fb6658cff917f36

SHA512
041eb605a9d1139c88d3df4960ac3a82ff752845e84a554227b3a7727124c6e0c01ac9be7ff634be8fade08ca89894d97e6b8cabe997bbdd49536818aec8d819

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cd91bc4cfca412fa3a893b928b3b9c1

SHA1
592e8c7817e692f5fdddd0d9984f71b690b7eeef

SHA256
9a05ed429c8962648b7a64eb0b403b9b91b16c6a80e45915f1d5830e68ebb364

SHA512
e62bf47da64a09b4bfbd6a95bc1b86cecd72333ab9fa25c842c7d22a591a77a65887425fb0e39c107692392ad7b4a6f171990fa514e75f5f351f87c5b5069309

Download Submit
C:\Users\Admin\AppData\Local\Temp\AXFqcUy7ES.bat

Filesize
239B

MD5
113b0e3f606a848b947b5186902ba539

SHA1
e950c86c0b07c3463920000e1c0e59d649653f7b

SHA256
f27e0f4947cda705ef2e57d0d85ca7245eb3cc023ddf8dd79c14cac883a13afe

SHA512
935ba80423cfe19c458f8130acbc8c7a4674269e801722b706f3c03019b62b087c6e32e30e0c59adc9e45abaabf6417d3413485a59c1b89dcc298993b7d49284

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA8BF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat

Filesize
239B

MD5
8535838ee61919c756331a754d2d4655

SHA1
d10d2e86166f6725c67bf20b11a83b9ae88154d8

SHA256
fc427da58de87d4b3286375567b24bd225f631ffccbe389b492ce3f94c7ec30a

SHA512
a5afe79c95d5759ea8640f978d1b9de7dedba79d84ddf77713bf4c0531625e71e5ef67bbd2a28709a2175952dcfe22871b87d20cf732c5c51db56258d2f602e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K3fI8Bd254.bat

Filesize
239B

MD5
1e3ead4b0e93ccea4623a1c1dff8cb7a

SHA1
3a9b2d00a847473344700a6d1b7395de245eb8eb

SHA256
ee6d0a9cdb9f4870283351b94a39a3c93af7f786f0010331d00c24c11b7ee297

SHA512
cbb742310d5a6aaee2273f0cc95e3c05e19ecc383b8ef15e355584befda23c1b7dd25bb030940f654c509c71adf6b818518f185e151fd9ef8ce473cf79fb5bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA8D2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VlbjwdcMOl.bat

Filesize
239B

MD5
5f7e2e536f3b89ce5b074e1a9316b336

SHA1
4cefa97d031e4cf2b5d2825ef40b04489a2dd45f

SHA256
4864e9111dcb5c87a1a64523e4f453b436e568eab17bcfa414a0632d80bc6889

SHA512
01908b0f4f8a713b8b779b87ef2f5b2d876ab415c286d6afd00cd2a4de5a1ef72b5c2d258ae16ec04c196917e5092600be27365bedf0e67a84ec359ce0f24e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat

Filesize
239B

MD5
c4583913a79a88eba0972725d3591744

SHA1
27a3ecc2607564d0ca7e0d744feacb06bfe92727

SHA256
4aa01a5797a1f53f155fd50087dd48c66ea9551271655f6be24cf611d6473954

SHA512
bbab57b0218630851f761c910f0f9751cc480f46702d9a87fa7c24066642b5bf991b9be78e2ce275a0d0271a6efc933f704768cb88c2b90f4e6a141d74dc9fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\avPRQTW9Zy.bat

Filesize
239B

MD5
9bf577572dd3268816a233b712466b87

SHA1
8b9c7a1ac58e6e64a8388c703e7a254945cf1430

SHA256
dba87a74b5339a746a51691ec0a56a01535596262f3d0de4636123bd64652975

SHA512
ea4702d9c3a9e0801ab2b9a6c02fb2b40f6401744835f3bd5e3fb956ddbc74bfbb8f46b84ffe721db7948fbeaf2432cb9dc7b206d07da775d745fcb96d9e4490

Download Submit
C:\Users\Admin\AppData\Local\Temp\cJ0G5QAkfh.bat

Filesize
239B

MD5
6a5c03582a2a00e8b05f82d2ba4f79ea

SHA1
ccadf4ec088187edf909e97da8e90be6811c2244

SHA256
322557d334f6660ab7592e9020065f81ba15cc2a5661ea62c70015ff1b4764a1

SHA512
0bfd45699dc6c6815f7c7a85f709567020c870b927a506768c2956c8d0d0285abf92ee3f05f512c73117b54665a55a66687913fd87c8f46613cc5123e450747c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat

Filesize
239B

MD5
8df5af574c61ae7b746d969fa068fbf7

SHA1
1973e6ef69098ec393053f67dc9a27a3c38bb6ad

SHA256
3c139f18417f9e57bb76f50812829947dc6a305d50312c9fb7bdd36a8946a0ed

SHA512
60f29663e9d62d52d0c9bb4171b7308faa7a5902baa4bd79fe531460cddc95d6f6633c5d527020e89fa115de58a4b2a6f07eaaf0a1006715ef94865a44a29f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\sT6xLp4JQ8.bat

Filesize
239B

MD5
59d5095be2698926f8d71c259d953b02

SHA1
ca78e54843ef6059e78d9a450d181afa1444069c

SHA256
8544107cfb18f5e67ff6b5612d7443860f324041be905103845e9c2681d44787

SHA512
60d12615fceea61831f8662c4741b0dc3d0ff1309a85739c9a46426d2cfe98a591d98d34ee3d06a04dee5f688af9df013dc8e81cb4d698659a9875e33b445d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat

Filesize
239B

MD5
982eafa82ad7b2434011a41e4c0ebd40

SHA1
44eab903d6595c6a6f4a45ad0b259e92c232a9ef

SHA256
f862d1eb7acaf957d7961172c92919c05355abe3c04647f31e09f0b7b33b783a

SHA512
2d8215f43105c6c3e673af6a3b5693ed484e7439ae317186fcc55757360ce4af63265f13abb6ef7993ebb722fff6a194ed32f8e66bdd902bad87cc0196e7095c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
515a681825f5dd4663f4fe774ae7c1d6

SHA1
87a71cff47ac3cb3502afdf897f0533a2ef29ce8

SHA256
76d41cfa717fb6ba8e97d3dbc5f16b15d143ecba4d4450ae59c2d89e8a5786d7

SHA512
fb5353fc4e2a8ca8a19a5e810ff17c96705e305a5befd9842c11ae85df5be7dedefbdc45e729d37168d95f219b1cfbc4dfe302096e54f92025ebf7b889e0fc2c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/768-45-0x00000000011F0000-0x0000000001300000-memory.dmp

Filesize
1.1MB

Download
memory/768-46-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/944-522-0x0000000000F00000-0x0000000001010000-memory.dmp

Filesize
1.1MB

Download
memory/2508-42-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2524-165-0x0000000000E00000-0x0000000000F10000-memory.dmp

Filesize
1.1MB

Download
memory/2524-166-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2740-41-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/2820-17-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2820-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2820-226-0x0000000000E90000-0x0000000000FA0000-memory.dmp

Filesize
1.1MB

Download
memory/2820-13-0x00000000009A0000-0x0000000000AB0000-memory.dmp

Filesize
1.1MB

Download
memory/2820-16-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2820-15-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2948-105-0x00000000003A0000-0x00000000004B0000-memory.dmp

Filesize
1.1MB

Download