dcrat | 4b997ff638e5c1ec852c97ca0d8beabd5fc0ef34dd362bf8dce44e4c17bf6416

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4b997ff638e5c1ec852c97ca0d8beabd5fc0ef34dd362bf8dce44e4c17bf6416.exe
Size

1.3MB
MD5

64fd17b27a6e236a27c2cc71d3a3139d
SHA1

7056a4ea481aebf8b7a306007dea1b3dcea131c9
SHA256

4b997ff638e5c1ec852c97ca0d8beabd5fc0ef34dd362bf8dce44e4c17bf6416
SHA512

8b0e988f1cb0176ed8b7c454fd3c2b523799d880b508380eb9b06b9829690f7630ce54138d22252f2bc27878d01e926e30e844eb0bc19429073e4726d747eed6
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2768	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2768	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2768	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2768	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2768	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2768	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2768	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2768	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2768	schtasks.exe	35

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000173aa-12.dat	dcrat
behavioral1/memory/2196-13-0x0000000001290000-0x00000000013A0000-memory.dmp	dcrat
behavioral1/memory/3040-52-0x0000000000090000-0x00000000001A0000-memory.dmp	dcrat
behavioral1/memory/1636-111-0x0000000000040000-0x0000000000150000-memory.dmp	dcrat
behavioral1/memory/2696-171-0x0000000000C80000-0x0000000000D90000-memory.dmp	dcrat
behavioral1/memory/2916-231-0x00000000013C0000-0x00000000014D0000-memory.dmp	dcrat
behavioral1/memory/2864-527-0x0000000000220000-0x0000000000330000-memory.dmp	dcrat
behavioral1/memory/2364-587-0x00000000010C0000-0x00000000011D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1424	powershell.exe
1332	powershell.exe
1296	powershell.exe
2464	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2196	DllCommonsvc.exe
3040	csrss.exe
1636	csrss.exe
2696	csrss.exe
2916	csrss.exe
1900	csrss.exe
3060	csrss.exe
572	csrss.exe
1204	csrss.exe
2864	csrss.exe
2364	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2504	cmd.exe
2504	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
38	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
35	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
13	raw.githubusercontent.com
31	raw.githubusercontent.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Panther\UnattendGC\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Panther\UnattendGC\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4b997ff638e5c1ec852c97ca0d8beabd5fc0ef34dd362bf8dce44e4c17bf6416.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2844	schtasks.exe
2288	schtasks.exe
2624	schtasks.exe
2852	schtasks.exe
2608	schtasks.exe
3048	schtasks.exe
576	schtasks.exe
2936	schtasks.exe
2576	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2196	DllCommonsvc.exe
2464	powershell.exe
1296	powershell.exe
1332	powershell.exe
1424	powershell.exe
3040	csrss.exe
1636	csrss.exe
2696	csrss.exe
2916	csrss.exe
1900	csrss.exe
3060	csrss.exe
572	csrss.exe
1204	csrss.exe
2864	csrss.exe
2364	csrss.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	DllCommonsvc.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	3040	csrss.exe
Token: SeDebugPrivilege	1636	csrss.exe
Token: SeDebugPrivilege	2696	csrss.exe
Token: SeDebugPrivilege	2916	csrss.exe
Token: SeDebugPrivilege	1900	csrss.exe
Token: SeDebugPrivilege	3060	csrss.exe
Token: SeDebugPrivilege	572	csrss.exe
Token: SeDebugPrivilege	1204	csrss.exe
Token: SeDebugPrivilege	2864	csrss.exe
Token: SeDebugPrivilege	2364	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2940	2372	JaffaCakes118_4b997ff638e5c1ec852c97ca0d8beabd5fc0ef34dd362bf8dce44e4c17bf6416.exe	30
PID 2372 wrote to memory of 2940	2372	JaffaCakes118_4b997ff638e5c1ec852c97ca0d8beabd5fc0ef34dd362bf8dce44e4c17bf6416.exe	30
PID 2372 wrote to memory of 2940	2372	JaffaCakes118_4b997ff638e5c1ec852c97ca0d8beabd5fc0ef34dd362bf8dce44e4c17bf6416.exe	30
PID 2372 wrote to memory of 2940	2372	JaffaCakes118_4b997ff638e5c1ec852c97ca0d8beabd5fc0ef34dd362bf8dce44e4c17bf6416.exe	30
PID 2940 wrote to memory of 2504	2940	WScript.exe	32
PID 2940 wrote to memory of 2504	2940	WScript.exe	32
PID 2940 wrote to memory of 2504	2940	WScript.exe	32
PID 2940 wrote to memory of 2504	2940	WScript.exe	32
PID 2504 wrote to memory of 2196	2504	cmd.exe	34
PID 2504 wrote to memory of 2196	2504	cmd.exe	34
PID 2504 wrote to memory of 2196	2504	cmd.exe	34
PID 2504 wrote to memory of 2196	2504	cmd.exe	34
PID 2196 wrote to memory of 1424	2196	DllCommonsvc.exe	45
PID 2196 wrote to memory of 1424	2196	DllCommonsvc.exe	45
PID 2196 wrote to memory of 1424	2196	DllCommonsvc.exe	45
PID 2196 wrote to memory of 1332	2196	DllCommonsvc.exe	46
PID 2196 wrote to memory of 1332	2196	DllCommonsvc.exe	46
PID 2196 wrote to memory of 1332	2196	DllCommonsvc.exe	46
PID 2196 wrote to memory of 1296	2196	DllCommonsvc.exe	47
PID 2196 wrote to memory of 1296	2196	DllCommonsvc.exe	47
PID 2196 wrote to memory of 1296	2196	DllCommonsvc.exe	47
PID 2196 wrote to memory of 2464	2196	DllCommonsvc.exe	48
PID 2196 wrote to memory of 2464	2196	DllCommonsvc.exe	48
PID 2196 wrote to memory of 2464	2196	DllCommonsvc.exe	48
PID 2196 wrote to memory of 2012	2196	DllCommonsvc.exe	53
PID 2196 wrote to memory of 2012	2196	DllCommonsvc.exe	53
PID 2196 wrote to memory of 2012	2196	DllCommonsvc.exe	53
PID 2012 wrote to memory of 1436	2012	cmd.exe	55
PID 2012 wrote to memory of 1436	2012	cmd.exe	55
PID 2012 wrote to memory of 1436	2012	cmd.exe	55
PID 2012 wrote to memory of 3040	2012	cmd.exe	56
PID 2012 wrote to memory of 3040	2012	cmd.exe	56
PID 2012 wrote to memory of 3040	2012	cmd.exe	56
PID 3040 wrote to memory of 1028	3040	csrss.exe	57
PID 3040 wrote to memory of 1028	3040	csrss.exe	57
PID 3040 wrote to memory of 1028	3040	csrss.exe	57
PID 1028 wrote to memory of 2408	1028	cmd.exe	59
PID 1028 wrote to memory of 2408	1028	cmd.exe	59
PID 1028 wrote to memory of 2408	1028	cmd.exe	59
PID 1028 wrote to memory of 1636	1028	cmd.exe	60
PID 1028 wrote to memory of 1636	1028	cmd.exe	60
PID 1028 wrote to memory of 1636	1028	cmd.exe	60
PID 1636 wrote to memory of 2636	1636	csrss.exe	61
PID 1636 wrote to memory of 2636	1636	csrss.exe	61
PID 1636 wrote to memory of 2636	1636	csrss.exe	61
PID 2636 wrote to memory of 1500	2636	cmd.exe	63
PID 2636 wrote to memory of 1500	2636	cmd.exe	63
PID 2636 wrote to memory of 1500	2636	cmd.exe	63
PID 2636 wrote to memory of 2696	2636	cmd.exe	64
PID 2636 wrote to memory of 2696	2636	cmd.exe	64
PID 2636 wrote to memory of 2696	2636	cmd.exe	64
PID 2696 wrote to memory of 1988	2696	csrss.exe	65
PID 2696 wrote to memory of 1988	2696	csrss.exe	65
PID 2696 wrote to memory of 1988	2696	csrss.exe	65
PID 1988 wrote to memory of 3012	1988	cmd.exe	67
PID 1988 wrote to memory of 3012	1988	cmd.exe	67
PID 1988 wrote to memory of 3012	1988	cmd.exe	67
PID 1988 wrote to memory of 2916	1988	cmd.exe	68
PID 1988 wrote to memory of 2916	1988	cmd.exe	68
PID 1988 wrote to memory of 2916	1988	cmd.exe	68
PID 2916 wrote to memory of 1540	2916	csrss.exe	69
PID 2916 wrote to memory of 1540	2916	csrss.exe	69
PID 2916 wrote to memory of 1540	2916	csrss.exe	69
PID 1540 wrote to memory of 1532	1540	cmd.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4b997ff638e5c1ec852c97ca0d8beabd5fc0ef34dd362bf8dce44e4c17bf6416.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4b997ff638e5c1ec852c97ca0d8beabd5fc0ef34dd362bf8dce44e4c17bf6416.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2196
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Videos\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\UnattendGC\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MAmhIIylHr.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2012
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1436
      - C:\Windows\Panther\UnattendGC\csrss.exe
        
        "C:\Windows\Panther\UnattendGC\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hGj9C4kLBH.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2408
        
        C:\Windows\Panther\UnattendGC\csrss.exe
        
        "C:\Windows\Panther\UnattendGC\csrss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hc9iMPvVJ4.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1500
        
        C:\Windows\Panther\UnattendGC\csrss.exe
        
        "C:\Windows\Panther\UnattendGC\csrss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X9PDuMdk3a.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3012
        
        C:\Windows\Panther\UnattendGC\csrss.exe
        
        "C:\Windows\Panther\UnattendGC\csrss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wpigNgqS7W.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1532
        
        C:\Windows\Panther\UnattendGC\csrss.exe
        
        "C:\Windows\Panther\UnattendGC\csrss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat"
        15⤵
        
        PID:2780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2860
        
        C:\Windows\Panther\UnattendGC\csrss.exe
        
        "C:\Windows\Panther\UnattendGC\csrss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Bw8qtkvcA.bat"
        17⤵
        
        PID:1236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2224
        
        C:\Windows\Panther\UnattendGC\csrss.exe
        
        "C:\Windows\Panther\UnattendGC\csrss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nc51i3GWIc.bat"
        19⤵
        
        PID:2440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1716
        
        C:\Windows\Panther\UnattendGC\csrss.exe
        
        "C:\Windows\Panther\UnattendGC\csrss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat"
        21⤵
        
        PID:2652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1264
        
        C:\Windows\Panther\UnattendGC\csrss.exe
        
        "C:\Windows\Panther\UnattendGC\csrss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n6bUdMbtqP.bat"
        23⤵
        
        PID:2204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2576
        
        C:\Windows\Panther\UnattendGC\csrss.exe
        
        "C:\Windows\Panther\UnattendGC\csrss.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat"
        25⤵
        
        PID:1036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Videos\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\My Videos\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\UnattendGC\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Panther\UnattendGC\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\UnattendGC\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b13f18d728d4cd7f3204b8848f6fdb7b

SHA1
46a95810b8bf44e2f615c1e3391830aa6579585f

SHA256
acc3b8980ff149a10df05f15bc1b89e9faa2a051e8cc39443bb063005aad4db6

SHA512
1b079dbc2a8835087ca213d7b9130b6deb700899e3796034c58c6730a70e56caafb54917cfbbdfd99a754da21944b18ea421b36896d14bab43e1689f4b4e9307

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d07d2fd56a838acec87c6421b73163dc

SHA1
5d4924d90dceab029b01c1a963e936916e699a0d

SHA256
79c87e61a271a9733f4b3240eb5d6de66fe398bd5a391a334f3726d58f3e2de8

SHA512
c2cb7d8e8a21ee7141fa7921e3f7bf5c2b99f14cd23f70a3a74fd35afea9110bdf723d8acaa79b1dd50dca403d695d47f859b286ebad1fc9d77d26306f0002bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c9d2130cce7db9dd4fdd681e3125da1

SHA1
e846ddeb410ad1aa699f503ae11708f34088a3e3

SHA256
668ac7e41a8e6420373aa61985b4c77f8c807c4af8d275f28e44294b5bdb149f

SHA512
abe4b754b8eb91a9b5f7c56faebf364ebb34fd5805dbed166de377e6945f9278d8c727bb092fcac2dd6b39ae953ceebdc7c2f38f428bdf47382c500869606a93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
adef8b548ac9ec20c39194a249dd3ff0

SHA1
ccb2b26cb0c0ba1f569d8e1f9e54bb4ec5a4cf5e

SHA256
dd10f890af68fb4626fde1a75a44d42696d36ec00b5e711527c7612d1c6feaa1

SHA512
9bb46f226a663b9a94dff39deb6afc413705023b41f26d44f4e4d43e14dfcbb6fb03a2bc2db65d1daa26961e29b50c2203aed5217e54017c8c8942811e3478de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
960480f906302ba97ffbc5db95398faf

SHA1
8b2379ac6ce24362b24fd662f9f6de07067bd05c

SHA256
cea70ef75a29d98477f520433da7ac0e63ca80cce2f975b4c35f012433899907

SHA512
f1f8396cac919737a39f4128cf7c6295b091d358e7809a964b24826d8bd72b4e2cc2ba81842f54140b6aaf3b2f6fa3102773a5d74b10120d87553844ede49d43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7cc85b4602562bbc9fdcb11a0b29d4f

SHA1
cad925b9841a49ba7466df54951de8c594573976

SHA256
418451412e06b2a72e7e9336d3c01d452d39281e718397a3a9521742ebe82118

SHA512
ed5318fdb2417df21cfb2ce92e51e89cfa6250873f33fd5699450f9e328201e2d689b6c6c78ea4107f66b33bdad4864da92769ef3077368b26e2c1b005f251f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74bd8f1c15e73674316f72e859eb643d

SHA1
5ec1f9c36ef0329ce9d0aca15869045ba653f50f

SHA256
ae5d2608649e5320e825976302be74012cdbcd488c95f0b3ced5c5f83b045b10

SHA512
4d38a1531ba714626975d92ddf11b15a65cbded3bb92875d9da2b0dd93a909bf1a01996aa7e50f7abbc8da4773f74b8994485658163005d3661772db700f2827

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d49033d0f4aac06c2bbedebac55cae38

SHA1
4a04bf27e63cbb65939a29b775355116e944048d

SHA256
01eaa93d0173f67f7d059fe7f49f424deea33d7289558cd0884fb1f413c07c2a

SHA512
c3f0d82906840a572b69be74f7c9c3044c8c67918dc5c8fbce9cabe1cbf9695ab0299744e3220e93b6c64f2253728fa2a34dd50b7c6c208233a739201c9e1cc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a27108b43ccf3be90db8ee34372895b

SHA1
494faf7faed64ae542debf5552c61085c5999950

SHA256
9c59dfaac27d61211d017b8e8c8557abddfc054dac727356b4421c8cf9f7e241

SHA512
00a33c98ca71f9b5d285ba4b566af11005ee70eab22e051fe9c114c5fc61a2f0e3eed297647e60b1185a636f4b3dc2adb0de0ac65c2c52d48aafd92a51090587

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Bw8qtkvcA.bat

Filesize
204B

MD5
f2b7384ca40439de51563e0671c2af97

SHA1
daec24df2d0478660ebefd64e5c73bff7bf52bbf

SHA256
bc1d411b68d3307ea504afa59d5641aaf0eb1acd2229258664fe3445dc59fbe9

SHA512
a406514a83624eabdaabb7a8389891ba423bf99441fe21731a4498d648054928462b0de29e47eaa1a26540b6fb040dc36889f9d156373118275eb24c0e9dc77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat

Filesize
204B

MD5
c67d97bd4c4a2d4e0fb5a253bf58b7f7

SHA1
42bf72daf59283abcc014b36a81a941326ca648d

SHA256
d01c54626d950eae3de5e3f8af76fb6ba8bdb8381c76265dfbc132d9e7fe0fd2

SHA512
58ea369dafd7bb2bddd119a1044df29889498b36a4bf8a06b5a65ba175248110010c9741d03483f99050b890499e0456ae9c0bab64a47fee656a099b5687f156

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat

Filesize
204B

MD5
dae9c8b0036c35fde43ec96f10e81d13

SHA1
14abaa69a651f39a1f3469927170d1cc895d3634

SHA256
987261c4540c2e7fe08a17ffb16b4e6390bf96c1d9b69ddcb610d428735c8ca6

SHA512
18c19a86c40a61bdcee6140055019af0e8146b29e219e3bff6f821f632b473534665f7f81ad717682fe49951bbe5bcdceeed6d5e53096991f61bab9f6be786a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab428.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAmhIIylHr.bat

Filesize
204B

MD5
3a1fbaf77fcb5264f130b6acdf128d95

SHA1
998dc23ddfa4d457da876324d31981a6d7b93438

SHA256
cfc087d9d2ca0b14125605c01ef7420a38a42aaee5fe615c5c79e8a5a88465d9

SHA512
f2f594020a5adfba169df6318cce435132cc75fe79e4bcb978a9448ecc2b48385f4a8375e4097aa8b50ac4dafbf4a315d9bc48c21eaf8646485cb607c0007449

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nc51i3GWIc.bat

Filesize
204B

MD5
1edfd3bf1eeb3c4ecd79b0012c166f19

SHA1
8964daa82d54b48709988f3e7ccc9fbfd7d3bad6

SHA256
b418f4d919af2b15c572b72402e353066e5ed25d77c9ace98256ec4510c208fb

SHA512
9561c3327976406951df07c5d9c31c63a036c71468a9d3e3d600d9c98a44e6ea6958b0003735f56869847a6c9ea5f59806476678043c778120da4d3c9f5f4166

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar43A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\X9PDuMdk3a.bat

Filesize
204B

MD5
51684b217a83de06715a6a7a96b4a587

SHA1
678ff4b7f2d1ba5d6c94c80f138ffa8d542dc778

SHA256
5303e0a07138e5a6278fc12a99f3501874e93f9d4bc854fd8eba3a0f4707cfaf

SHA512
9e2a400aa8ae169ed9f9d046f44bad8c655795e4f2a85f284fbf41df20398cff83dbf3776603e20615f1a257580c886b71e736de242bebf4804f341d9bdf33d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hGj9C4kLBH.bat

Filesize
204B

MD5
6ae2928b6017a8f6f2f447c001a17121

SHA1
af124d6a2e7ace4eeea9d3dec9a7ce70eabbb2ab

SHA256
268360f79c2e9128cac3cc6db7a0998d96e80db7c7b9330248285dde7f08fd0b

SHA512
a379c9c0bddcbe31249321a0060db2285672d85f502b657f46a5023ab0135cdad537b1477a34b1cc8d3c4ddf5ca1eb8287830eee336ee0f0531c508bd72f1e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\hc9iMPvVJ4.bat

Filesize
204B

MD5
456b5355e561b6b45a7cbb153fe09e78

SHA1
cee129aac57b019da230ab01fb4af63cfc9860d8

SHA256
aa33d1b8080985422d4e5f4170cf9ef74d7f890deff194562d691ceca908f558

SHA512
e923924882abda6e7c22e57f6e445c1637275830a727f004687b35699b9a7f666224dd988361e890dccb24a26238018ab0447ec942513e400e73790c701fb2f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\n6bUdMbtqP.bat

Filesize
204B

MD5
8206f2c882249cd743cd3b03104f38a1

SHA1
ba144ffc3aafc4f3038d3cfc91f8f7cade27264f

SHA256
ab7b9d9f47efad3bce554674082ad20d53abb26af67bb1b300aaceb462ecb176

SHA512
ee9f1698d3639849b9a016c9007fc53ec1c84495b0f64811bfd7a27f34081ba97dd8ffc147159cb5ee91e4b94a4424e52671d3b814051e2eb9bad821af852160

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat

Filesize
204B

MD5
5d5414093122a7293beda257aa8946bd

SHA1
512ec83ac90aecac8f09adcca0e0accaab7fab83

SHA256
56894115cbdcade3b1e75798dbc0b5811db4de265627ac6656564f9d32900c80

SHA512
901fb338df8aa18f76424a2a313235dc1a7dee89db7107ad9e26f30aabd767a7ba7b3099876a8f616fcb9fd4f8f31a7b05181a0cafd34c8d6a62532efe0ed154

Download Submit
C:\Users\Admin\AppData\Local\Temp\wpigNgqS7W.bat

Filesize
204B

MD5
22f2dd2750b85fc1b25f34c7dc78d5b4

SHA1
d18e41629310c6732ae80d7efeea70a904c88b9c

SHA256
1e4d8eaab3a3894f0380725c919ea87bc9f27cb4fa00da78032062df72a6c45b

SHA512
52ab50b303eadc6857c3142aa6e8b52e5f7c3e83fa53fb36ae3190a2a825e14ee872dc92255336f71a1ca5fc5b80d3f0e833f5105b0277dda7e2f8179db64c72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6ba1bb2c87578505f4261078c0148730

SHA1
b425c1a0b4fb2e8b4bd2a8fb7626a8f47c651ec5

SHA256
e10549ef8bf3ae87a559bf4a0a5e675a64561497062f67e8e3397b3673e499e5

SHA512
c94fe35058b6ce6da7a18da4284afb66dd4ba82881fbce51019a086f3a5b558b0ab98514e76f5f66741c3269b281dd99a8660115e09e780bfc0bd178c1d39cf2

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1296-38-0x000000001B800000-0x000000001BAE2000-memory.dmp

Filesize
2.9MB

Download
memory/1636-111-0x0000000000040000-0x0000000000150000-memory.dmp

Filesize
1.1MB

Download
memory/2196-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2196-15-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2196-14-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2196-13-0x0000000001290000-0x00000000013A0000-memory.dmp

Filesize
1.1MB

Download
memory/2196-16-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2364-587-0x00000000010C0000-0x00000000011D0000-memory.dmp

Filesize
1.1MB

Download
memory/2464-44-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2696-171-0x0000000000C80000-0x0000000000D90000-memory.dmp

Filesize
1.1MB

Download
memory/2864-527-0x0000000000220000-0x0000000000330000-memory.dmp

Filesize
1.1MB

Download
memory/2916-231-0x00000000013C0000-0x00000000014D0000-memory.dmp

Filesize
1.1MB

Download
memory/3040-52-0x0000000000090000-0x00000000001A0000-memory.dmp

Filesize
1.1MB

Download