dcrat | 6a91532a498eeaea4195e9066bbdbff8f7e68c6215a0b21473c7caf07542410f

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6a91532a498eeaea4195e9066bbdbff8f7e68c6215a0b21473c7caf07542410f.exe
Size

1.3MB
MD5

7618930e26a89dfd98e2a84ab1b00aa1
SHA1

d9b0f05888841cd50d89fce3fd796288fbfc6180
SHA256

6a91532a498eeaea4195e9066bbdbff8f7e68c6215a0b21473c7caf07542410f
SHA512

56a7f264b20de75ab78733a1f3cd5e18635da8a6004afba1d73d213c3f72baa0b397a37bd9058e89e7fa7698393cd89d9d93e92de27a220cf4ba5978aee62bf5
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2844	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015d18-9.dat	dcrat
behavioral1/memory/2876-13-0x0000000001290000-0x00000000013A0000-memory.dmp	dcrat
behavioral1/memory/632-28-0x0000000001000000-0x0000000001110000-memory.dmp	dcrat
behavioral1/memory/2468-162-0x0000000000320000-0x0000000000430000-memory.dmp	dcrat
behavioral1/memory/2020-222-0x0000000001010000-0x0000000001120000-memory.dmp	dcrat
behavioral1/memory/3052-251-0x00000000010E0000-0x00000000011F0000-memory.dmp	dcrat
behavioral1/memory/2984-548-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2488	powershell.exe
2440	powershell.exe
2864	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2876	DllCommonsvc.exe
632	Idle.exe
1652	Idle.exe
2468	Idle.exe
2020	Idle.exe
3052	Idle.exe
296	Idle.exe
2252	Idle.exe
2968	Idle.exe
1776	Idle.exe
2984	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2300	cmd.exe
2300	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
20	raw.githubusercontent.com
23	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
29	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
26	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\csrss.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\886983d96e3d3e	DllCommonsvc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\servicing\Packages\dllhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6a91532a498eeaea4195e9066bbdbff8f7e68c6215a0b21473c7caf07542410f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2724	schtasks.exe
2872	schtasks.exe
2744	schtasks.exe
2700	schtasks.exe
2740	schtasks.exe
2356	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2876	DllCommonsvc.exe
2876	DllCommonsvc.exe
2876	DllCommonsvc.exe
2440	powershell.exe
632	Idle.exe
2488	powershell.exe
2864	powershell.exe
1652	Idle.exe
2468	Idle.exe
2020	Idle.exe
3052	Idle.exe
296	Idle.exe
2252	Idle.exe
2968	Idle.exe
1776	Idle.exe
2984	Idle.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	DllCommonsvc.exe
Token: SeDebugPrivilege	632	Idle.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	1652	Idle.exe
Token: SeDebugPrivilege	2468	Idle.exe
Token: SeDebugPrivilege	2020	Idle.exe
Token: SeDebugPrivilege	3052	Idle.exe
Token: SeDebugPrivilege	296	Idle.exe
Token: SeDebugPrivilege	2252	Idle.exe
Token: SeDebugPrivilege	2968	Idle.exe
Token: SeDebugPrivilege	1776	Idle.exe
Token: SeDebugPrivilege	2984	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 596 wrote to memory of 2612	596	JaffaCakes118_6a91532a498eeaea4195e9066bbdbff8f7e68c6215a0b21473c7caf07542410f.exe	30
PID 596 wrote to memory of 2612	596	JaffaCakes118_6a91532a498eeaea4195e9066bbdbff8f7e68c6215a0b21473c7caf07542410f.exe	30
PID 596 wrote to memory of 2612	596	JaffaCakes118_6a91532a498eeaea4195e9066bbdbff8f7e68c6215a0b21473c7caf07542410f.exe	30
PID 596 wrote to memory of 2612	596	JaffaCakes118_6a91532a498eeaea4195e9066bbdbff8f7e68c6215a0b21473c7caf07542410f.exe	30
PID 2612 wrote to memory of 2300	2612	WScript.exe	31
PID 2612 wrote to memory of 2300	2612	WScript.exe	31
PID 2612 wrote to memory of 2300	2612	WScript.exe	31
PID 2612 wrote to memory of 2300	2612	WScript.exe	31
PID 2300 wrote to memory of 2876	2300	cmd.exe	33
PID 2300 wrote to memory of 2876	2300	cmd.exe	33
PID 2300 wrote to memory of 2876	2300	cmd.exe	33
PID 2300 wrote to memory of 2876	2300	cmd.exe	33
PID 2876 wrote to memory of 2488	2876	DllCommonsvc.exe	42
PID 2876 wrote to memory of 2488	2876	DllCommonsvc.exe	42
PID 2876 wrote to memory of 2488	2876	DllCommonsvc.exe	42
PID 2876 wrote to memory of 2440	2876	DllCommonsvc.exe	43
PID 2876 wrote to memory of 2440	2876	DllCommonsvc.exe	43
PID 2876 wrote to memory of 2440	2876	DllCommonsvc.exe	43
PID 2876 wrote to memory of 2864	2876	DllCommonsvc.exe	44
PID 2876 wrote to memory of 2864	2876	DllCommonsvc.exe	44
PID 2876 wrote to memory of 2864	2876	DllCommonsvc.exe	44
PID 2876 wrote to memory of 632	2876	DllCommonsvc.exe	47
PID 2876 wrote to memory of 632	2876	DllCommonsvc.exe	47
PID 2876 wrote to memory of 632	2876	DllCommonsvc.exe	47
PID 632 wrote to memory of 1336	632	Idle.exe	49
PID 632 wrote to memory of 1336	632	Idle.exe	49
PID 632 wrote to memory of 1336	632	Idle.exe	49
PID 1336 wrote to memory of 784	1336	cmd.exe	51
PID 1336 wrote to memory of 784	1336	cmd.exe	51
PID 1336 wrote to memory of 784	1336	cmd.exe	51
PID 1336 wrote to memory of 1652	1336	cmd.exe	52
PID 1336 wrote to memory of 1652	1336	cmd.exe	52
PID 1336 wrote to memory of 1652	1336	cmd.exe	52
PID 1652 wrote to memory of 1620	1652	Idle.exe	53
PID 1652 wrote to memory of 1620	1652	Idle.exe	53
PID 1652 wrote to memory of 1620	1652	Idle.exe	53
PID 1620 wrote to memory of 2120	1620	cmd.exe	55
PID 1620 wrote to memory of 2120	1620	cmd.exe	55
PID 1620 wrote to memory of 2120	1620	cmd.exe	55
PID 1620 wrote to memory of 2468	1620	cmd.exe	56
PID 1620 wrote to memory of 2468	1620	cmd.exe	56
PID 1620 wrote to memory of 2468	1620	cmd.exe	56
PID 2468 wrote to memory of 1688	2468	Idle.exe	57
PID 2468 wrote to memory of 1688	2468	Idle.exe	57
PID 2468 wrote to memory of 1688	2468	Idle.exe	57
PID 1688 wrote to memory of 1048	1688	cmd.exe	59
PID 1688 wrote to memory of 1048	1688	cmd.exe	59
PID 1688 wrote to memory of 1048	1688	cmd.exe	59
PID 1688 wrote to memory of 2020	1688	cmd.exe	60
PID 1688 wrote to memory of 2020	1688	cmd.exe	60
PID 1688 wrote to memory of 2020	1688	cmd.exe	60
PID 2020 wrote to memory of 2464	2020	Idle.exe	61
PID 2020 wrote to memory of 2464	2020	Idle.exe	61
PID 2020 wrote to memory of 2464	2020	Idle.exe	61
PID 2464 wrote to memory of 2272	2464	cmd.exe	63
PID 2464 wrote to memory of 2272	2464	cmd.exe	63
PID 2464 wrote to memory of 2272	2464	cmd.exe	63
PID 2464 wrote to memory of 3052	2464	cmd.exe	64
PID 2464 wrote to memory of 3052	2464	cmd.exe	64
PID 2464 wrote to memory of 3052	2464	cmd.exe	64
PID 3052 wrote to memory of 2620	3052	Idle.exe	65
PID 3052 wrote to memory of 2620	3052	Idle.exe	65
PID 3052 wrote to memory of 2620	3052	Idle.exe	65
PID 2620 wrote to memory of 2340	2620	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a91532a498eeaea4195e9066bbdbff8f7e68c6215a0b21473c7caf07542410f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a91532a498eeaea4195e9066bbdbff8f7e68c6215a0b21473c7caf07542410f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:596
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
    - - C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:632
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RaUzDWAd8R.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:784
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2120
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j8BV8simza.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1048
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2272
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bDGJqXcsCJ.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2340
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Db0hEHdXHW.bat"
        16⤵
        
        PID:1624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1432
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat"
        18⤵
        
        PID:2900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:940
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n3vYZhDjEH.bat"
        20⤵
        
        PID:2552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2068
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat"
        22⤵
        
        PID:1000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1488
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
748e75b75482e8d2eafd10eb8cfaacfb

SHA1
cb8a8ef9c9a73bc377e0da061d26eac8a29fe5ff

SHA256
07e8834c2c7a97bde4db3939475bfc7226a351a9fadb82a820a7adf3c300218a

SHA512
0810d5ff6af645c996825f2db9e26790a9abb8be4c64d305c9622a6817779cae898666a17376838bbd160d357f196ef27e8f7ac015c9bd283250db0bcebf7fa1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ed2078b51ec1b9d9969d2bc12527ec4

SHA1
bb0cb05b4dae29a47d486cbe9a5e50dffc28c951

SHA256
7f778ceac64954d9a069db8c4a4a5d5cd3a22988854643a4a1f1161ff355da6a

SHA512
ca0bda2ea3503296d492f9e21cf258ca19ae2f507f95de15c5ff59f9ff2ab1665ec164d96750f2d7a386b0e3b3eb86dc78d119bb8eb2dc5246ece73ab83f3586

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c49830198f5ead7634ce64a47cfe2813

SHA1
976a3877564753b99dad56932d1f8f004fe55302

SHA256
9feec77c3a8f15152d82c0d9c38b48451c83286b642211b9cd3f2ef70239e0bb

SHA512
85fdcaee29fe7d01943357f47b9692cddb88201af5a10c5fbfe551793d3837aac48b6587773af6597e504f5b0858354288076460c868899012ca24f65bf6e95c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
292ee4ca0826f741d4603e6088856948

SHA1
5000fb9e2fcbd3f47250e760da6919493f66d9bc

SHA256
a63fc505ca8ba17c38fa2e222c96927c81ed2caabc7634bf213c2d5dd26f2afc

SHA512
229806327be167b81103a04632527b30ec27cd5cf207ce63000cc5076c595b7e4307859711fbeb365046946989c9100aadb86de7f8a0b18c24bb0ad57dae4f34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
104e57fd7207cd56b5917a3755077118

SHA1
67a357374ad06e4cf181a2153a967aefa0f82235

SHA256
8c3b707f5d3fd3d8281acdc5a321bee042fa0eb30971c3d2be63783bba7dd18e

SHA512
e873f03563d692697f99dfa3273ee6f8ed8bdd744680c7d61e234b626ee9234f5c470abbb56e955d2fdcf44958197c750c08512428ba54e63fb6c138f0168e76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac5c353ea194440a1b6ba6b2dd8b62ad

SHA1
3d95500865dc412f17355f99cda3533b442d19c7

SHA256
22eb3e4502853160737820280beaf77c069c1ceb0207a2d073f216504a23ff7f

SHA512
9220fc501ffe8f4c9fceee478365bb7c288c0b2a4f5f6aae9062d53d6828b66110f80f6f425606927627095f4f289513667b3f117cef9f8ec7b3510e64b671e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cc8956202b16d472b02005df5076ba2

SHA1
433485af113ca0c7bacaaf52ec28289af7e2da77

SHA256
29bdd8d78d5ff87785ccfb13f214b64c7e47e0bda7740a71d8e33dc41163050b

SHA512
91a3a22334abc615a2cdb43b96cf3b76ee9be1b4431d48438398e448e96f9d21c898efb7a43e4411a0a282d49580d7b692779a2dbc0c63579096bab88719428f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD970.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Db0hEHdXHW.bat

Filesize
236B

MD5
ea1e78337aab5302109414ddcb1bf4bc

SHA1
41c47172b46b06255005aa612b65d8f34ce2b608

SHA256
3046639a2e3b685363cbfb3890df4757b958e51bba0b051f19cf2316d5dd0aee

SHA512
a0392192862ceb5732595483839f69a83003450d9339a7a609343fc9e9e7366ba7dd01f8ea55f227c18a59b4b3b66b1e64e6018a3f466c0b130820527f22a842

Download Submit
C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat

Filesize
236B

MD5
315337deb6f15281426e3f9d3b60b2fe

SHA1
70bc4f3831d111e06b03cc737fbcf5f6aba61004

SHA256
945f3d02a98b021c64cb8dd293251b945023370e61a4ffff56b0790ae67da6fb

SHA512
36b8eade9a5d5078a2b5613da27118f45d6e5cfe718b93175567ce5ee3aeaf9dc6f1e02489b7e791d14b7c214d8858c80fde313c56af2be300a9db9255bb0cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaUzDWAd8R.bat

Filesize
236B

MD5
5b1502620ada955b9766c22af40fa526

SHA1
5306f4c72478066a867e93b68ec7ac0d676b4711

SHA256
da7f04ead24c0d0842a0c5da3301a251166854a5c56571fb56892f95064e50a6

SHA512
538ac20d4ebd6becd41d97c36ffe6473e7a828da148960a26e1bbc219c7129aa3644d16f02ecd57650b9a9ed9c90817cda777eff8a2dc3a18cb6dcc01d4e846f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD992.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat

Filesize
236B

MD5
bb91ea038815e7a6d88f6c953823cd35

SHA1
d940191bd04f395f7a74fa0a248da21dd6e4a68e

SHA256
25497e70fcd8e8e83de5a238ad9a15917b3afd6fae89ea56b05a1e636b063c6d

SHA512
b7d06e86bed7ac39bcb5e632f0bd9a2580315fcb0d3fef852ae3dbb9eaaa96cc5269d239999da0d9adba91548d0c25c9ce69a8c3ed65d9d8941b183059bfcb3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bDGJqXcsCJ.bat

Filesize
236B

MD5
6dff04d35461182bc84a440580d42c70

SHA1
66ac5b30770715f19799753447b7b72a20b1b919

SHA256
88123063dc83d538b488bbe2779ac4668e6f34f23d0bedead2be69a65087242e

SHA512
c8430928082e698a84bc301f2d97f669f0e147aba80743a64d4bb293690b424131ef1fd9c3289f1a3f95de8df63aba62ee46ffa5ec21038c42308f508eebd58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\j8BV8simza.bat

Filesize
236B

MD5
f153bcdfd76940ca6c0b3caf52962d46

SHA1
cc627cf69e2eef86b9ac94e7903532c29261de90

SHA256
d58bbda7d8a30477d57ab5d67c1f498bdfd1efde6a244ebe4af1637d9d1ca471

SHA512
6e2b85dbe7c3b173d5a97f70c1baf1267a83b341bd6f97c7286cca208bc20a2772a04013af22f025d38e0adb33cfaaa30fa354df297504b1e477e7fc461ebb9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\n3vYZhDjEH.bat

Filesize
236B

MD5
7af8ba454180d712671f439fa8e7677a

SHA1
eae7be9cd060a3ac3c348d94a194cb3f86d30e05

SHA256
9d645316793b6ca8a32134f19f73d6047321a2fd734047221e3f44045d1f9915

SHA512
12512531103700d26dff46a67b9abec72722fca82a4e170b409eede61c29251420e8397ac73786476fb9f8361bcd6e4c2a8596914d969eb36761ca6148bd236a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat

Filesize
236B

MD5
f0b284f7607b118d50fc8d8cf0fd6f5a

SHA1
1652bb281c53cc578b086b4c64be905ae2765919

SHA256
0b77cd77eebea475913ab62a43d8b29873391657257546ad4e074c10f71e78c2

SHA512
c3c61f38a8ca7ec94c71826e8f693f4ebc17c74c8983bba804accf5cf6e16fa4abbd899d07c0eb1e706a3eb87b2eef6789b0890951089725d15295da551924d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat

Filesize
236B

MD5
9edbe9f2c4d689aeed568ec8488de908

SHA1
1d1ed6bf98b05349ba29400ca25867fc3131a38c

SHA256
00b3932b862cb38166e9b031c0c5782ea599f1dcac16e47452d59dabceac9870

SHA512
d701d0d21d3726689bcda24a79817c74e779217b75f93b39a5538dc30fc54bd9398f80f942b728a69fee764e509550c8599bb2a51693992b7645a987208ab06a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a976ce42e49e29d685f5a4d6d592b624

SHA1
238d0bf155e3a0d64715edb942ebd2f01d5ec97b

SHA256
24842c6c7f9b8a6c68169973919ff642636f104c2a4a4be8d2839f526c50a9a6

SHA512
e894158076b90298609ebc94ee61d290f04332c3806310e83d8556370044be14a9761464e7e86c948369570e6e4aae686b10aaedcf16f198a486ce420026f79d

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/296-310-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/632-28-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/2020-222-0x0000000001010000-0x0000000001120000-memory.dmp

Filesize
1.1MB

Download
memory/2440-38-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2440-40-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/2468-162-0x0000000000320000-0x0000000000430000-memory.dmp

Filesize
1.1MB

Download
memory/2876-17-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2876-13-0x0000000001290000-0x00000000013A0000-memory.dmp

Filesize
1.1MB

Download
memory/2876-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2876-15-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2876-16-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2968-429-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2984-548-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/3052-251-0x00000000010E0000-0x00000000011F0000-memory.dmp

Filesize
1.1MB

Download