dcrat | fb50b4ea2737a9a3ace731758aa2ae8837ba594d31b5114832f61d530452cf36

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 00:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_fb50b4ea2737a9a3ace731758aa2ae8837ba594d31b5114832f61d530452cf36.exe
Size

1.3MB
MD5

1c5e67b4beb31f1573518a60d9c1a637
SHA1

7505100cf84a2265f53b907b2346d339d4ad34da
SHA256

fb50b4ea2737a9a3ace731758aa2ae8837ba594d31b5114832f61d530452cf36
SHA512

409209d18bc19cd8d184e0297b929543372dad80de37b844c4c277a1e8a20809c410f0b34d886e4a2ca5313d47469563d43d7e6fac6a72ac4d274f58ae40fdaa
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	632	schtasks.exe	34

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016890-9.dat	dcrat
behavioral1/memory/2944-13-0x00000000009E0000-0x0000000000AF0000-memory.dmp	dcrat
behavioral1/memory/2968-45-0x0000000000F50000-0x0000000001060000-memory.dmp	dcrat
behavioral1/memory/1728-104-0x00000000010F0000-0x0000000001200000-memory.dmp	dcrat
behavioral1/memory/2780-164-0x00000000000E0000-0x00000000001F0000-memory.dmp	dcrat
behavioral1/memory/1632-225-0x0000000000F70000-0x0000000001080000-memory.dmp	dcrat
behavioral1/memory/1696-285-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat
behavioral1/memory/2424-345-0x00000000002D0000-0x00000000003E0000-memory.dmp	dcrat
behavioral1/memory/1704-405-0x0000000001140000-0x0000000001250000-memory.dmp	dcrat
behavioral1/memory/944-465-0x0000000000220000-0x0000000000330000-memory.dmp	dcrat
behavioral1/memory/1716-525-0x0000000000DD0000-0x0000000000EE0000-memory.dmp	dcrat
behavioral1/memory/2980-645-0x00000000010E0000-0x00000000011F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2256	powershell.exe
620	powershell.exe
1736	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2944	DllCommonsvc.exe
2968	Idle.exe
1728	Idle.exe
2780	Idle.exe
1632	Idle.exe
1696	Idle.exe
2424	Idle.exe
1704	Idle.exe
944	Idle.exe
1716	Idle.exe
2196	Idle.exe
2980	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2688	cmd.exe
2688	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
25	raw.githubusercontent.com
29	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com
32	raw.githubusercontent.com
35	raw.githubusercontent.com
38	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\CSC\v2.0.6\WmiPrvSE.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_fb50b4ea2737a9a3ace731758aa2ae8837ba594d31b5114832f61d530452cf36.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3016	schtasks.exe
3032	schtasks.exe
848	schtasks.exe
3040	schtasks.exe
2892	schtasks.exe
2908	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2944	DllCommonsvc.exe
1736	powershell.exe
2256	powershell.exe
620	powershell.exe
2968	Idle.exe
1728	Idle.exe
2780	Idle.exe
1632	Idle.exe
1696	Idle.exe
2424	Idle.exe
1704	Idle.exe
944	Idle.exe
1716	Idle.exe
2196	Idle.exe
2980	Idle.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2944	DllCommonsvc.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	2968	Idle.exe
Token: SeDebugPrivilege	1728	Idle.exe
Token: SeDebugPrivilege	2780	Idle.exe
Token: SeDebugPrivilege	1632	Idle.exe
Token: SeDebugPrivilege	1696	Idle.exe
Token: SeDebugPrivilege	2424	Idle.exe
Token: SeDebugPrivilege	1704	Idle.exe
Token: SeDebugPrivilege	944	Idle.exe
Token: SeDebugPrivilege	1716	Idle.exe
Token: SeDebugPrivilege	2196	Idle.exe
Token: SeDebugPrivilege	2980	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2760	2644	JaffaCakes118_fb50b4ea2737a9a3ace731758aa2ae8837ba594d31b5114832f61d530452cf36.exe	30
PID 2644 wrote to memory of 2760	2644	JaffaCakes118_fb50b4ea2737a9a3ace731758aa2ae8837ba594d31b5114832f61d530452cf36.exe	30
PID 2644 wrote to memory of 2760	2644	JaffaCakes118_fb50b4ea2737a9a3ace731758aa2ae8837ba594d31b5114832f61d530452cf36.exe	30
PID 2644 wrote to memory of 2760	2644	JaffaCakes118_fb50b4ea2737a9a3ace731758aa2ae8837ba594d31b5114832f61d530452cf36.exe	30
PID 2760 wrote to memory of 2688	2760	WScript.exe	31
PID 2760 wrote to memory of 2688	2760	WScript.exe	31
PID 2760 wrote to memory of 2688	2760	WScript.exe	31
PID 2760 wrote to memory of 2688	2760	WScript.exe	31
PID 2688 wrote to memory of 2944	2688	cmd.exe	33
PID 2688 wrote to memory of 2944	2688	cmd.exe	33
PID 2688 wrote to memory of 2944	2688	cmd.exe	33
PID 2688 wrote to memory of 2944	2688	cmd.exe	33
PID 2944 wrote to memory of 2256	2944	DllCommonsvc.exe	41
PID 2944 wrote to memory of 2256	2944	DllCommonsvc.exe	41
PID 2944 wrote to memory of 2256	2944	DllCommonsvc.exe	41
PID 2944 wrote to memory of 620	2944	DllCommonsvc.exe	42
PID 2944 wrote to memory of 620	2944	DllCommonsvc.exe	42
PID 2944 wrote to memory of 620	2944	DllCommonsvc.exe	42
PID 2944 wrote to memory of 1736	2944	DllCommonsvc.exe	43
PID 2944 wrote to memory of 1736	2944	DllCommonsvc.exe	43
PID 2944 wrote to memory of 1736	2944	DllCommonsvc.exe	43
PID 2944 wrote to memory of 1408	2944	DllCommonsvc.exe	47
PID 2944 wrote to memory of 1408	2944	DllCommonsvc.exe	47
PID 2944 wrote to memory of 1408	2944	DllCommonsvc.exe	47
PID 1408 wrote to memory of 2640	1408	cmd.exe	49
PID 1408 wrote to memory of 2640	1408	cmd.exe	49
PID 1408 wrote to memory of 2640	1408	cmd.exe	49
PID 1408 wrote to memory of 2968	1408	cmd.exe	50
PID 1408 wrote to memory of 2968	1408	cmd.exe	50
PID 1408 wrote to memory of 2968	1408	cmd.exe	50
PID 2968 wrote to memory of 1812	2968	Idle.exe	51
PID 2968 wrote to memory of 1812	2968	Idle.exe	51
PID 2968 wrote to memory of 1812	2968	Idle.exe	51
PID 1812 wrote to memory of 1576	1812	cmd.exe	53
PID 1812 wrote to memory of 1576	1812	cmd.exe	53
PID 1812 wrote to memory of 1576	1812	cmd.exe	53
PID 1812 wrote to memory of 1728	1812	cmd.exe	54
PID 1812 wrote to memory of 1728	1812	cmd.exe	54
PID 1812 wrote to memory of 1728	1812	cmd.exe	54
PID 1728 wrote to memory of 2684	1728	Idle.exe	55
PID 1728 wrote to memory of 2684	1728	Idle.exe	55
PID 1728 wrote to memory of 2684	1728	Idle.exe	55
PID 2684 wrote to memory of 2840	2684	cmd.exe	57
PID 2684 wrote to memory of 2840	2684	cmd.exe	57
PID 2684 wrote to memory of 2840	2684	cmd.exe	57
PID 2684 wrote to memory of 2780	2684	cmd.exe	58
PID 2684 wrote to memory of 2780	2684	cmd.exe	58
PID 2684 wrote to memory of 2780	2684	cmd.exe	58
PID 2780 wrote to memory of 3020	2780	Idle.exe	59
PID 2780 wrote to memory of 3020	2780	Idle.exe	59
PID 2780 wrote to memory of 3020	2780	Idle.exe	59
PID 3020 wrote to memory of 680	3020	cmd.exe	61
PID 3020 wrote to memory of 680	3020	cmd.exe	61
PID 3020 wrote to memory of 680	3020	cmd.exe	61
PID 3020 wrote to memory of 1632	3020	cmd.exe	62
PID 3020 wrote to memory of 1632	3020	cmd.exe	62
PID 3020 wrote to memory of 1632	3020	cmd.exe	62
PID 1632 wrote to memory of 1608	1632	Idle.exe	63
PID 1632 wrote to memory of 1608	1632	Idle.exe	63
PID 1632 wrote to memory of 1608	1632	Idle.exe	63
PID 1608 wrote to memory of 2508	1608	cmd.exe	65
PID 1608 wrote to memory of 2508	1608	cmd.exe	65
PID 1608 wrote to memory of 2508	1608	cmd.exe	65
PID 1608 wrote to memory of 1696	1608	cmd.exe	66

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fb50b4ea2737a9a3ace731758aa2ae8837ba594d31b5114832f61d530452cf36.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fb50b4ea2737a9a3ace731758aa2ae8837ba594d31b5114832f61d530452cf36.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\as6RZAENmb.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1408
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2640
      - C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uZApDsIgYI.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1576
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2840
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q0tVgmHuxR.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:680
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2508
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat"
        15⤵
        
        PID:2288
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1592
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat"
        17⤵
        
        PID:1040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2672
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j95GpUP4tv.bat"
        19⤵
        
        PID:2052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:820
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J97QZsi4Oz.bat"
        21⤵
        
        PID:2084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1692
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat"
        23⤵
        
        PID:2576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2392
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat"
        25⤵
        
        PID:1760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2044
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
723aec2de89e526ecd1af76882dbb7ef

SHA1
59fd8e0fe95b86b572e12f2b3bf990d401e6f120

SHA256
b33226d1e71c9ab45136ce70d836504b4288c0cc7f52536c2cb8f0763edcb3c3

SHA512
f2b807ba5a861b5ab9ac58097bae508dda3b423e63d02f9d9d412f9ccbed019efa67c1971bd36f76bf6cec6460e61bcfd81dca8fcaa01847aaaa925bfc3048c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
623a92566f3711c728fda48f9c4f4d91

SHA1
7fff59422de7f2caa842911526388b812cdc21ad

SHA256
2ae05a47553b59b3df62c8fde7326d6c3a72cbc7347d63f631a8045225e2d973

SHA512
f97960d7754f6727dd552bb6e1f7cfd2858d1a9e7f9e03dccf06036076d10667a38801194d96f968d8d986a6256678f70bcc52dc2600010c00aa5cf151eccf2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0eceb19f65b5ac22f810774639a2d349

SHA1
886869eb008fc2a45a671bb5930c3f7cdccf1e75

SHA256
1cb4efaad197c3ba55a6bfbfe4990a1b58740ca84435d4b5cd547a928130cc93

SHA512
a7e77d892fbccb73e211891a90fabba4bf2619289924ac753ed66d56a2a28d1f4b13e1e59d9c00d9c07997ab25a42b3e054309a86bfeea364e1a1ee1e66d8592

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cbffb03fc1eebd742f46da548f03a27

SHA1
769694decc6149d9c789208ab1380876049cdc96

SHA256
0ee31769034c522938efe433c5c44a84861425a95c5d2115733b580061ba532c

SHA512
280f197508061db1351553fddad4eed92040717181912bc86aa4de9b8d6158eb6bc3e2b6ebb5db9c2d45e1e157bfcdeeac863674bc927ab885f87c81dbebee54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c33fb6461bf8123b55ab8f7d937a7aa

SHA1
56000534921c7bccb3107e494979b759a7cb1d2f

SHA256
6088495c9fb83dc5846995e578a5099b2a9e09c086a8203b7cbd38d403dc63ae

SHA512
ab410a5610dd3d81ecbb085b10e04ce53a32e59d4ee9b00f7642d0213dd1c9f91afee19587b49fe3be864cc271bdf888916ce677ece44cfbff45befd3d94add7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
693cb536b489af406b6cf86debd4a8d0

SHA1
39dbdccbe76425b935bdb6e78f2389cb26b4d13e

SHA256
9dadd096db17fe9fdd56fdf2a4e77a8231020d208112cb9afd4cdca09e8e35ce

SHA512
e0d92032cbca1120443540f1db245c04338ff7abac1102550571789e77e071c90ff7ea39c18ad322877cb1801f7d4b75b82eb08d1c3e26965adca798d47617f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32caf46b71d776a27fdf719623ce6f16

SHA1
8ebab557d17ecc5be9e6e56cd2413d3b72b5df44

SHA256
01ef341751486f0c9390108d5527e4fa09912b89afc49cb8d1417322eb103dd3

SHA512
5c4b4a9bbbbf559da9f235e2956422896900e0c640f56d53015b3198c6019a9bc84df008a2d43bab6159be284fba5dbfc5d2006e172ef6fc6259c6eb3de3e0b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7801e0320549c9710b191f370fb2522b

SHA1
eaae61c83aabe4520f96573ca1edea0b3f502204

SHA256
7b291d0e1b9a48a4cbd194d66c3ac8cd479f22275f5b7c0bea5799fbf5fcedf0

SHA512
1ba1af22c425a6e5ba88bf8e1ea1474e0fad3e5ee5b869d6ba5cd2bba6b4d2edbc8249fe52a230f6c05de83d0d815a519cf361efbad01ad618780c15613b4381

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d5c2f3b25cb5e276767237121edc604

SHA1
03fbcf7276f978a10d7883976b9eaa8a1b47baf2

SHA256
4f9e724f48318f34a1e0c8a51d49abfe03d3106070fd78185478418194438e32

SHA512
33d43397ee7dd367f8f30f8b08bc763c0ff16a2e860448422bb381db77864e446a12cd1cec2a20323bd61bbd9dc1dfce85ccf7af8befb7e0058e1ae1748aac38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6dd50e0bdf9ab7ae0c0ed353bba09ad2

SHA1
c76838d65ad4b076736c1e88c553b18b9e960cda

SHA256
a5cbeffe11518f3c1c62e01e5e613b01885c2bc65311629331b3028a035bf862

SHA512
52d8c07015ea82efd2a4de0a64ea3f67b1edabdc217ead7879c9502314d4b722829be430f74e3cf3949e246f028ceee9bc2c7ab7b9e915bed5603e283d59a2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat

Filesize
191B

MD5
e5f5b0ab0d0dc5a344b53b94f3d95b5e

SHA1
6b22b973d50c1892d89ad27d92c78f7191a6833d

SHA256
468a1cbf876e06b105f8f8e1bef9eb50c99f1c421b311364e56db00786b594ea

SHA512
dbb89e448a31cc39847d1359b9d6ee6347f8375c7ee10aac2ab5a4282203eaecbd0e18213183144fb7387c4139703e4119dcd51fc15c291f2dba35001b32f739

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3D41.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat

Filesize
191B

MD5
5a45e891461db5b9dc3f05447997e5f0

SHA1
4ddd25d2eef6bc7d1b881550f92c6e66966fd666

SHA256
2633666ca50d0c655deaea21f0a44e6a69f90da2dc8c15dffe9be02831fcf006

SHA512
b8c26d1f7eb21a719f283064e311ddc0e6320db9e2044861ed7c2b8cb1f4746172eebb9b173b40d1ae2ddea9a613e0b0e512324ee9c19fe4c8b1ea95e7a3a2f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\J97QZsi4Oz.bat

Filesize
191B

MD5
19c8a8cf7ef234469e6da1e433ae0861

SHA1
aa03cac230f8e17aa7b80738de6902a6208e871c

SHA256
a8334eeac1a7e09afbb5eace69806da386b951899de6efe5c4e95704020b5ce2

SHA512
2d08b98bd964dc8dd2074e5a435a9e4d815121e54096dd9da7ca158fc2a6b467ad7901c9402128f149817358c4fffbc969f34e02be38434ae0e7f8cde664b583

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat

Filesize
191B

MD5
0b6c59b7c75fb5ae565d1873c7bf743b

SHA1
f8d2e52873e7f6b5c9f61a4f5ba641bbb2b5c06d

SHA256
bcdbbde1b0f3923c65cf939d8ace32b1d34c5b367cfe12d9da5775d236d870e6

SHA512
69c3084ac44838e1ff942bb73696670176151b57803d562ab18c9438d9a26a4dc9f9804ad185ae3d1333f18f2eadd535a233cf36be820e4e337fdf4f43ddc6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q0tVgmHuxR.bat

Filesize
191B

MD5
d97fabde2e112611b827557b4a21fe67

SHA1
fbb331ba379afcabd21c5dfc2aa6dc8048516db6

SHA256
b88141981d8fea68d84db71097b540a87d9906843f34a3afbf86f87fabe30f08

SHA512
f20d772ef3460b94a272a1a8ff23fc1ef6f3e66780d73c7986495f817d7d3360bb2fca95c39b98fc96d64f3c71023a3e367f0bb8b49b5fce5bc5d7337ab55aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3D73.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\as6RZAENmb.bat

Filesize
191B

MD5
33ad6f26494060261c841e7a315d6329

SHA1
bcf5cb23a07784830c36c5acbf7d061d9259fe94

SHA256
e6afe624dd79cd9a274ddc2819af369a4ffa7a24d87c49ae6c27a3013770bf9b

SHA512
82eb8659f393fa2b0e6360dbddf5732918f24ba4a5537373797b9658c504b3f8fcdea2577d900f723c5b333788bd4cb04e30f83489de9c17e210a5b1e1549e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\j95GpUP4tv.bat

Filesize
191B

MD5
2cae10fdfeb692c2e6355e8c1c4c51e8

SHA1
d47b5be5ea418b3a00ecdccc0d3f8f120bf784c3

SHA256
37359a5942fd854821b31bff1a5835f2f9af33eaa0e1877960fe36abaeaae389

SHA512
fbf4e876d38aba139e3a85d0529bb81fef5438dd5504907a8c7fe05ceaf4ab85a8aba95f8fa7abdd983fd679a4bff72fed3ab885bebc4fad4accbded25219ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat

Filesize
191B

MD5
756b8e5945c8c87468f612b70c0a6969

SHA1
017908eb032f47b4a0589fac2884c6e25e4f2e38

SHA256
4c2e964106420fef8dece0868e083db881e42cc8a3074355179641d1042a352a

SHA512
eb221116e1aae2c6fbd88953ca97765c76b992ea7cc3064a7ce7b0a4000787c514cb3ed367002c7932a791aa034226f1675f57fa81d898e43c4cf4efe88e13b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat

Filesize
191B

MD5
1fc9daa49f813849157b855113ced7a3

SHA1
c72215d8b2a7ce5a71b2a1ef80c7331a175b42b8

SHA256
2cf205295e580e4d92f8cd46b620f51b64be33eca45658af8c22e53d67022cf8

SHA512
d7b3e040e4420646dddb71559ba98db8fa76ebdd59c58d8c882112be52ab1d634779b6ac10d0dc2b68919b8d9379be99fd9507c51647bfa4ea51a4bd891c4b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\uZApDsIgYI.bat

Filesize
191B

MD5
3ef7af67a3ca90ff32cfcd11e75517e1

SHA1
e2b13bce5a59f9d6d84f3c5187a3e053e5d19234

SHA256
26eee5bd4e096c0791231971e75399af08b2fba579b93ce700473a9a65895fa9

SHA512
5d425ddaf977a95adbbad3c620564af4985e748a11729edc127827896fafa319688d4e01940df6c273a503489c2547dbea9d57b6b5e055dea9a9eeedc907b26c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat

Filesize
191B

MD5
057593a2e00bd931fc43c3ae83cfd9fe

SHA1
810e396c14ddacf69ec5103045a7252f558db973

SHA256
b0f2c283587fd9b2a80307e1da6fe3cebc8cbb9585296afe0a63e8098dfe8f62

SHA512
eeccdab3b6e2b507d0a0b4c6f9e66108423939375da0f98addfb4f9b5576a44a581bf9a0c5db0d7363d9f60d7d3d5572c71a04dd5b559d95ee00135a3c3fae45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f346bf1c0065b2dcc591e498ba764141

SHA1
84ddb7bce26a1abb32b1362b605a65b3a7266a98

SHA256
a36befae55e6ff2395ecc6b2f7865b35b766e6471aa9e89a250fb694f706440d

SHA512
2e37f5a1c3e94208c406c22362be829bc4f9dff66a7e3e1be2d0b3496bc4b938bccf8de2700abb0562c3d24887915ef9136587be7982bae4df7c5e2ed0d2ac2e

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/944-465-0x0000000000220000-0x0000000000330000-memory.dmp

Filesize
1.1MB

Download
memory/1632-225-0x0000000000F70000-0x0000000001080000-memory.dmp

Filesize
1.1MB

Download
memory/1696-285-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download
memory/1704-405-0x0000000001140000-0x0000000001250000-memory.dmp

Filesize
1.1MB

Download
memory/1716-526-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/1716-525-0x0000000000DD0000-0x0000000000EE0000-memory.dmp

Filesize
1.1MB

Download
memory/1728-104-0x00000000010F0000-0x0000000001200000-memory.dmp

Filesize
1.1MB

Download
memory/1736-41-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2256-42-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2424-345-0x00000000002D0000-0x00000000003E0000-memory.dmp

Filesize
1.1MB

Download
memory/2780-164-0x00000000000E0000-0x00000000001F0000-memory.dmp

Filesize
1.1MB

Download
memory/2780-165-0x0000000001FE0000-0x0000000001FF2000-memory.dmp

Filesize
72KB

Download
memory/2944-16-0x00000000002C0000-0x00000000002CC000-memory.dmp

Filesize
48KB

Download
memory/2944-13-0x00000000009E0000-0x0000000000AF0000-memory.dmp

Filesize
1.1MB

Download
memory/2944-14-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/2944-15-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2944-17-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2968-45-0x0000000000F50000-0x0000000001060000-memory.dmp

Filesize
1.1MB

Download
memory/2980-645-0x00000000010E0000-0x00000000011F0000-memory.dmp

Filesize
1.1MB

Download