dcrat | 350b1208d67bd7fe4c949a0f89f640792f14535b18c2b96d43ec89343e73bb9a

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_350b1208d67bd7fe4c949a0f89f640792f14535b18c2b96d43ec89343e73bb9a.exe
Size

1.3MB
MD5

31985a48775e06a848169c3ea37a380e
SHA1

c772ed712b1959a4880a2ac860187ae3f7decf14
SHA256

350b1208d67bd7fe4c949a0f89f640792f14535b18c2b96d43ec89343e73bb9a
SHA512

7e232cf9dc6ded50b959a93dc4f34c53e4550d24571236676a445fac93bdb002fcb14de6dcdbb8910524cb6330cb1f2f4a48a0fe540e94d2fb4e1c7479c37c27
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2652	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2652	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001653a-12.dat	dcrat
behavioral1/memory/2604-13-0x00000000009E0000-0x0000000000AF0000-memory.dmp	dcrat
behavioral1/memory/2360-52-0x0000000000D00000-0x0000000000E10000-memory.dmp	dcrat
behavioral1/memory/2660-112-0x0000000000D40000-0x0000000000E50000-memory.dmp	dcrat
behavioral1/memory/644-172-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/804-233-0x0000000000FD0000-0x00000000010E0000-memory.dmp	dcrat
behavioral1/memory/2400-294-0x0000000000210000-0x0000000000320000-memory.dmp	dcrat
behavioral1/memory/2064-354-0x0000000000AD0000-0x0000000000BE0000-memory.dmp	dcrat
behavioral1/memory/2412-415-0x0000000000CD0000-0x0000000000DE0000-memory.dmp	dcrat
behavioral1/memory/536-593-0x00000000011C0000-0x00000000012D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1440	powershell.exe
1060	powershell.exe
2664	powershell.exe
1040	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2604	DllCommonsvc.exe
2360	csrss.exe
2660	csrss.exe
644	csrss.exe
804	csrss.exe
2400	csrss.exe
2064	csrss.exe
2412	csrss.exe
3032	csrss.exe
2620	csrss.exe
536	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
1764	cmd.exe
1764	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
4	raw.githubusercontent.com
19	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\lib\System.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jre7\lib\27d1bcfc3c54e0	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_350b1208d67bd7fe4c949a0f89f640792f14535b18c2b96d43ec89343e73bb9a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3028	schtasks.exe
576	schtasks.exe
2196	schtasks.exe
1920	schtasks.exe
264	schtasks.exe
580	schtasks.exe
3024	schtasks.exe
1164	schtasks.exe
1832	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2604	DllCommonsvc.exe
1040	powershell.exe
2664	powershell.exe
1060	powershell.exe
1440	powershell.exe
2360	csrss.exe
2660	csrss.exe
644	csrss.exe
804	csrss.exe
2400	csrss.exe
2064	csrss.exe
2412	csrss.exe
3032	csrss.exe
2620	csrss.exe
536	csrss.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	DllCommonsvc.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	2360	csrss.exe
Token: SeDebugPrivilege	2660	csrss.exe
Token: SeDebugPrivilege	644	csrss.exe
Token: SeDebugPrivilege	804	csrss.exe
Token: SeDebugPrivilege	2400	csrss.exe
Token: SeDebugPrivilege	2064	csrss.exe
Token: SeDebugPrivilege	2412	csrss.exe
Token: SeDebugPrivilege	3032	csrss.exe
Token: SeDebugPrivilege	2620	csrss.exe
Token: SeDebugPrivilege	536	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 2820	1508	JaffaCakes118_350b1208d67bd7fe4c949a0f89f640792f14535b18c2b96d43ec89343e73bb9a.exe	30
PID 1508 wrote to memory of 2820	1508	JaffaCakes118_350b1208d67bd7fe4c949a0f89f640792f14535b18c2b96d43ec89343e73bb9a.exe	30
PID 1508 wrote to memory of 2820	1508	JaffaCakes118_350b1208d67bd7fe4c949a0f89f640792f14535b18c2b96d43ec89343e73bb9a.exe	30
PID 1508 wrote to memory of 2820	1508	JaffaCakes118_350b1208d67bd7fe4c949a0f89f640792f14535b18c2b96d43ec89343e73bb9a.exe	30
PID 2820 wrote to memory of 1764	2820	WScript.exe	31
PID 2820 wrote to memory of 1764	2820	WScript.exe	31
PID 2820 wrote to memory of 1764	2820	WScript.exe	31
PID 2820 wrote to memory of 1764	2820	WScript.exe	31
PID 1764 wrote to memory of 2604	1764	cmd.exe	33
PID 1764 wrote to memory of 2604	1764	cmd.exe	33
PID 1764 wrote to memory of 2604	1764	cmd.exe	33
PID 1764 wrote to memory of 2604	1764	cmd.exe	33
PID 2604 wrote to memory of 1060	2604	DllCommonsvc.exe	44
PID 2604 wrote to memory of 1060	2604	DllCommonsvc.exe	44
PID 2604 wrote to memory of 1060	2604	DllCommonsvc.exe	44
PID 2604 wrote to memory of 1040	2604	DllCommonsvc.exe	45
PID 2604 wrote to memory of 1040	2604	DllCommonsvc.exe	45
PID 2604 wrote to memory of 1040	2604	DllCommonsvc.exe	45
PID 2604 wrote to memory of 2664	2604	DllCommonsvc.exe	46
PID 2604 wrote to memory of 2664	2604	DllCommonsvc.exe	46
PID 2604 wrote to memory of 2664	2604	DllCommonsvc.exe	46
PID 2604 wrote to memory of 1440	2604	DllCommonsvc.exe	48
PID 2604 wrote to memory of 1440	2604	DllCommonsvc.exe	48
PID 2604 wrote to memory of 1440	2604	DllCommonsvc.exe	48
PID 2604 wrote to memory of 2484	2604	DllCommonsvc.exe	52
PID 2604 wrote to memory of 2484	2604	DllCommonsvc.exe	52
PID 2604 wrote to memory of 2484	2604	DllCommonsvc.exe	52
PID 2484 wrote to memory of 2424	2484	cmd.exe	54
PID 2484 wrote to memory of 2424	2484	cmd.exe	54
PID 2484 wrote to memory of 2424	2484	cmd.exe	54
PID 2484 wrote to memory of 2360	2484	cmd.exe	55
PID 2484 wrote to memory of 2360	2484	cmd.exe	55
PID 2484 wrote to memory of 2360	2484	cmd.exe	55
PID 2360 wrote to memory of 904	2360	csrss.exe	56
PID 2360 wrote to memory of 904	2360	csrss.exe	56
PID 2360 wrote to memory of 904	2360	csrss.exe	56
PID 904 wrote to memory of 2020	904	cmd.exe	58
PID 904 wrote to memory of 2020	904	cmd.exe	58
PID 904 wrote to memory of 2020	904	cmd.exe	58
PID 904 wrote to memory of 2660	904	cmd.exe	59
PID 904 wrote to memory of 2660	904	cmd.exe	59
PID 904 wrote to memory of 2660	904	cmd.exe	59
PID 2660 wrote to memory of 2200	2660	csrss.exe	61
PID 2660 wrote to memory of 2200	2660	csrss.exe	61
PID 2660 wrote to memory of 2200	2660	csrss.exe	61
PID 2200 wrote to memory of 2564	2200	cmd.exe	63
PID 2200 wrote to memory of 2564	2200	cmd.exe	63
PID 2200 wrote to memory of 2564	2200	cmd.exe	63
PID 2200 wrote to memory of 644	2200	cmd.exe	64
PID 2200 wrote to memory of 644	2200	cmd.exe	64
PID 2200 wrote to memory of 644	2200	cmd.exe	64
PID 644 wrote to memory of 1652	644	csrss.exe	65
PID 644 wrote to memory of 1652	644	csrss.exe	65
PID 644 wrote to memory of 1652	644	csrss.exe	65
PID 1652 wrote to memory of 2880	1652	cmd.exe	67
PID 1652 wrote to memory of 2880	1652	cmd.exe	67
PID 1652 wrote to memory of 2880	1652	cmd.exe	67
PID 1652 wrote to memory of 804	1652	cmd.exe	68
PID 1652 wrote to memory of 804	1652	cmd.exe	68
PID 1652 wrote to memory of 804	1652	cmd.exe	68
PID 804 wrote to memory of 1384	804	csrss.exe	69
PID 804 wrote to memory of 1384	804	csrss.exe	69
PID 804 wrote to memory of 1384	804	csrss.exe	69
PID 1384 wrote to memory of 2012	1384	cmd.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_350b1208d67bd7fe4c949a0f89f640792f14535b18c2b96d43ec89343e73bb9a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_350b1208d67bd7fe4c949a0f89f640792f14535b18c2b96d43ec89343e73bb9a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\lib\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OQU2DA9XHb.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2484
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2424
      - C:\Users\Public\csrss.exe
        
        "C:\Users\Public\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ddqzBJK7Zu.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2020
        
        C:\Users\Public\csrss.exe
        
        "C:\Users\Public\csrss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4vfhrz6qhB.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2564
        
        C:\Users\Public\csrss.exe
        
        "C:\Users\Public\csrss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2880
        
        C:\Users\Public\csrss.exe
        
        "C:\Users\Public\csrss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gy1gqmGK9f.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2012
        
        C:\Users\Public\csrss.exe
        
        "C:\Users\Public\csrss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hbGxgnDDQj.bat"
        15⤵
        
        PID:3020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1320
        
        C:\Users\Public\csrss.exe
        
        "C:\Users\Public\csrss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eON2Ze4cSc.bat"
        17⤵
        
        PID:2308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1744
        
        C:\Users\Public\csrss.exe
        
        "C:\Users\Public\csrss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6qhkY4Aj1y.bat"
        19⤵
        
        PID:1308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1740
        
        C:\Users\Public\csrss.exe
        
        "C:\Users\Public\csrss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat"
        21⤵
        
        PID:2788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2600
        
        C:\Users\Public\csrss.exe
        
        "C:\Users\Public\csrss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVUt9EuWwA.bat"
        23⤵
        
        PID:2004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2220
        
        C:\Users\Public\csrss.exe
        
        "C:\Users\Public\csrss.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre7\lib\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lib\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\lib\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c49583d49c11f7f8fc057566aa570e9c

SHA1
51f020aad785fb6b52383cd5b55c32cc32ce44bf

SHA256
37671e0ce2aae7e26275d6b29f3321c4de4c2490054f8a1fae9fafc214db75c5

SHA512
2a6ede01cb674cc26dbb747d76e7c5c6aefbc1ce7b4daa320ac4bc71e184a00f4337fd6579a725917198f889b1c5dc5f9d07ac105e9f5743d3d28acb3c4a69c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8fe127f42499a875331a13e1965c4f7

SHA1
994ce7cc0f563666f87ab70984df1533b98d62b7

SHA256
f09307f8b27793f6617e0b64d2e80dc45b61d4121fa72d75200db14627b260ca

SHA512
a203a4908bc11461cfdbe62e316fab8baaa9ebc4baf94f39883f4e31e76b6dc79fb326a6aa0a03a080c14a2072b9e8f688fee86613f7e6180679f939b8e3afba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f03ed15457cd51737ba1a2f59c01562e

SHA1
b50ededb3e5052360c0a23e1f43487676c757b85

SHA256
9c2c5fa9e57651d2adf992cdcd5fd4a29164feb77ba440ca1443e8cabd422cc3

SHA512
94746cf9f0f48acd74dfbf2a228074604ee4fc00ac90d259017f5a72062286818b6006fc0ba27e83413525c07c03335f2336e7d05d9b8abcb96fc27954aa2da8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
89c46890e00a05818f3e6e4f257e7bdf

SHA1
81e18a7736d9a498a6e20e39f4651912d6c5a716

SHA256
3677d355b5ef125c6e63aeb503a671d3da4b47330f06dbfb909d8be4f9489cf5

SHA512
75ab3bbf2dadb33955e3ae9bdf885c93e336676235e9e70fc11816826d1b7d15001adb51fe68283e491cea2e7cabe92ea5e71bf5b8e248fe9232ae29e7f1fa55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b31e961866149228396d8ecfddfdb51c

SHA1
1be70f4f44b612cfa88617ea7d9d131b5fca911d

SHA256
a1462c45270cbf6ac4eac93893c66cbc93eedb000444431e57d0daa3d210cdf9

SHA512
0c053dd9c88624049aaa72a6ff5c82f33d6b455f63c7784c4600707b5404a76d4414fd2e97e728b2d6bbab4dfec220e04b26bc06faad3f9488a7516e323f8f10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f00cff504773c28227dedfd65886527a

SHA1
5dfe75b2317ac5a3c151f8fa6261b3525856f314

SHA256
6912ef5447ec92a6047c512cc88248a3435932069806d9ba4f4ccc0d8ac85c06

SHA512
9727e01f15f110390d1903e1d785174cb72d4c0399d0317691addfd22f196ab24aaa48f7e1dfc96ca493d789baccd357c7c3516cda8f0fc7669ab037644ba002

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
197d88326ae025de9d266c0df506e914

SHA1
e6527d342420dd8d8b623fac6083c6ae2d45eac9

SHA256
e44296526efd6c21443ffe88fa1e5c102aea2a3314670eadf7ed4a7a838501f4

SHA512
fd5d39a00a5098b8437a436cd37ad70fb34755f7f41ca11ef40d0c048b088f255529ba17be0c82f61242f9c201f091818623e78fd96c4c90e881fe1aaeea257c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18a9af13b08085bbb250ac3aad398297

SHA1
90bd993f7aaeb4201959e38ab521a9128c55c7f4

SHA256
bba461431741ddcc5605a17f0c07ce4907c7de86c319993bfcd864d08b7236ce

SHA512
f5b65a8107222f8419d1110733142833cbdd94e161f73bc90ac0f6eeed3a7176a80ed3ea3ef63060eefcaf4bf6efd40a55bc6725ce97d6e3d78404d3f4836830

Download Submit
C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat

Filesize
190B

MD5
333a866b10a703ccc2257975c174ea90

SHA1
42fb23218de307d50a92e69448f07bd7ecc55a53

SHA256
d03454f4b1d4669a4dac3db26a2932e43229a35859fd8cc044134795ffbbab22

SHA512
d35b33f60de0382989a114ac208c8d62d9b79528dd18ee976a1b69fec0d49db089bee26e2fa4c34dead86453ed2ee7508919b750cb99404d7cf8c506bdf126c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4vfhrz6qhB.bat

Filesize
190B

MD5
fe2e8405613c24bf4e31a292c72a1510

SHA1
1a3ed197a341bf7289b15149af3ec0264961f644

SHA256
3f26cb2d0f7d018650ff979f042c18b472179f7e042a5067bd5b0f6e34565d39

SHA512
b521e18a4eb14865e75bfe4dc447afa19133fdfb042b38b7802218e177fc2446bab5d904ef8ffa9595b4eebc636376e3d87a2e1b385c7d1f839a2cb9164e19e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\6qhkY4Aj1y.bat

Filesize
190B

MD5
7d3c17cae3e0ea2fcbcf8c8fa6f7cf9b

SHA1
1bec4296239d138f4110f33ba00d8c8113f26a70

SHA256
cd0fdd0e9d0d3a9784909c9006cf9809a17f6ec73a8168fe7fd19c1ccc7be45c

SHA512
41129f863433af2e5082d58c94f50480153b50365e1e7702452e08b3f9e0af7a122ea58e65db4fc900a3950b0ca42e8dd5c115657770dbb0649a3b4cc3551182

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBB46.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gy1gqmGK9f.bat

Filesize
190B

MD5
0668bd27077f4da9f9f5bc1220beefe3

SHA1
b779c2edb632864050793c99c41b0d8d83680fdf

SHA256
69b74805a28300155ac301b7c2f671782a1ce9a52567abcf5cf77d0f9890c046

SHA512
55049b7a6c0853839b1909de06b857105cf3ddcfa5394912369c665e578d55ebf8f1be43d9ed4c34eb9dd6f8520160a460e302be2d4aed029257d5c9ab73eb0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQU2DA9XHb.bat

Filesize
190B

MD5
1579f0c8f81e35f41480dcf26a771f75

SHA1
d959aab3d2da036c1b5fe7c53656a870f9675a53

SHA256
42c15dd2b6ee578767f2d924a0eeb9d16a77ebf660778b02f9791cdb13d3a006

SHA512
57c0c6ba3681a3a7050285a2be8908903273cf1a71310b0f1d30e1a17fa4ec7f9bad0f7de8987acb8a3f4d3d6e0303de72830879426565206331c809e09dd4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBB58.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddqzBJK7Zu.bat

Filesize
190B

MD5
9415126ef947d83ae5287f9656fc78e5

SHA1
28f249da7cd5a29412cbfb4fe301d1c7f67531be

SHA256
016aab75d90e94573104bf01e2d50c52a9102682e8fe5c19e5d09fa1a7be06aa

SHA512
f196c1f28d30e6025d2eaa43f425779ea7dac65bcef13897f4fd8555b95b4fa8212b77786d5bbb62d961b751140b403aed5f5163f9dbdabc73f74f9c589e6663

Download Submit
C:\Users\Admin\AppData\Local\Temp\eON2Ze4cSc.bat

Filesize
190B

MD5
6fc456b20444eb7a93dbd13a413cef23

SHA1
bcc9b421145ef8d79275639710b316273ce49307

SHA256
608d560df89dfdc56bcc52a3ed1ca77338930af49dbde4e05b6ea6068e129c38

SHA512
67379764c87111ed96be91a015b1fb1c0446b62a835752c08ba9ea6bb04e19dc8642532d08cb3913ad132979d870a82088332dc920f80091c8b58c06d0b9a30d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbGxgnDDQj.bat

Filesize
190B

MD5
4bfffb3f3a3fe1a8bd707e0ae253abce

SHA1
22a55934ee429b502722a17309d70bee451a2e38

SHA256
f302f88869363e2a7b5dca005ed43666633e69bead19fe07b370de4c9d109fe6

SHA512
6105f42decc0c533b712e9cfeb706c3af6c81ec63263a5824f5bfbb433583df4f615b10f3339a66db24fd4335ed2b56e61808ddf1db0fe7a71d7bbea0456c3a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat

Filesize
190B

MD5
f6a38b8d28bfe02f1e5d4b53b175541e

SHA1
2a2f9b1d7cac36128e24e28c89f4129fc120e364

SHA256
9b2d2780dd0e7ccce4fe5204c2e836ea9cf7c290b8dfe1cf9eae4bb1af89502d

SHA512
469752714c2cc0226a38f62e12aafe93b969759604b6c495463523ff2b9a1b4068f05f759cfcad5d7066fdb293933c566cf58a115f2f16a5c04c5902b0af7d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\uVUt9EuWwA.bat

Filesize
190B

MD5
f2431400da687b9c1b0e0186866ee99e

SHA1
a2e8094b1c66e192b4b6908803efd856162e9755

SHA256
d6cbd948e881f7db56cf77dfc63be158a64462ba097e9f0a9f99a98af940a547

SHA512
8415186894997818cb8648e139102e23d80cd0be576303b1cd9ef002a543c6f29bf076d93c65c294a9fe9cc480ba30e6f957676725b849b87c2cf5906242bc9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
852414842fea4e253d8721717884f70f

SHA1
a719e1a8d77062b3db546577ef1907dabefed236

SHA256
7fa0b1179efe52dfbf964fbefe397a8383b3d3e940da456d7bcaafd63d250fc2

SHA512
7c1a5a0b810937e352ee8cbfe0e97981414ddc2d03c2f1b5caa145c1e3f5778c2b5573a4a1aebcee8e1972e01f0f28c6a3db78d91ca4a86e0f79869cae34bc46

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/536-593-0x00000000011C0000-0x00000000012D0000-memory.dmp

Filesize
1.1MB

Download
memory/644-172-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/644-173-0x0000000000690000-0x00000000006A2000-memory.dmp

Filesize
72KB

Download
memory/804-233-0x0000000000FD0000-0x00000000010E0000-memory.dmp

Filesize
1.1MB

Download
memory/804-234-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/1040-48-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/2064-354-0x0000000000AD0000-0x0000000000BE0000-memory.dmp

Filesize
1.1MB

Download
memory/2064-355-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2360-53-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2360-52-0x0000000000D00000-0x0000000000E10000-memory.dmp

Filesize
1.1MB

Download
memory/2400-294-0x0000000000210000-0x0000000000320000-memory.dmp

Filesize
1.1MB

Download
memory/2412-415-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

Filesize
1.1MB

Download
memory/2604-17-0x0000000002090000-0x000000000209C000-memory.dmp

Filesize
48KB

Download
memory/2604-16-0x0000000002080000-0x000000000208C000-memory.dmp

Filesize
48KB

Download
memory/2604-15-0x00000000009D0000-0x00000000009DC000-memory.dmp

Filesize
48KB

Download
memory/2604-14-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/2604-13-0x00000000009E0000-0x0000000000AF0000-memory.dmp

Filesize
1.1MB

Download
memory/2660-112-0x0000000000D40000-0x0000000000E50000-memory.dmp

Filesize
1.1MB

Download
memory/2664-47-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download