dcrat | 62b640db145d628671ff154eefe01df950f145fd0b393ad033b069934c355e90

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_62b640db145d628671ff154eefe01df950f145fd0b393ad033b069934c355e90.exe
Size

1.3MB
MD5

430155ea50b7cc4298e3475bc4690468
SHA1

32c1b813c8f7e7380039e31faba8807e0eeb3834
SHA256

62b640db145d628671ff154eefe01df950f145fd0b393ad033b069934c355e90
SHA512

0dfbc95679a554e3ef9cb7f19bb850116355e0135cc6bffa526e37051732f3cd9112add5033ce08d224aae7fb2cec292dc7ec37587abe8b5b0aeb5a6e7c5d782
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2880	schtasks.exe	34

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016c88-12.dat	dcrat
behavioral1/memory/2984-13-0x0000000000D20000-0x0000000000E30000-memory.dmp	dcrat
behavioral1/memory/380-32-0x0000000000010000-0x0000000000120000-memory.dmp	dcrat
behavioral1/memory/1584-117-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/2716-177-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat
behavioral1/memory/1700-238-0x0000000000340000-0x0000000000450000-memory.dmp	dcrat
behavioral1/memory/1972-298-0x0000000000240000-0x0000000000350000-memory.dmp	dcrat
behavioral1/memory/288-358-0x00000000001D0000-0x00000000002E0000-memory.dmp	dcrat
behavioral1/memory/1304-418-0x0000000000A30000-0x0000000000B40000-memory.dmp	dcrat
behavioral1/memory/1308-479-0x0000000001160000-0x0000000001270000-memory.dmp	dcrat
behavioral1/memory/2040-539-0x0000000000330000-0x0000000000440000-memory.dmp	dcrat
behavioral1/memory/1496-599-0x0000000000290000-0x00000000003A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1304	powershell.exe
1832	powershell.exe
1928	powershell.exe
2460	powershell.exe
1936	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2984	DllCommonsvc.exe
380	csrss.exe
1584	csrss.exe
2716	csrss.exe
1700	csrss.exe
1972	csrss.exe
288	csrss.exe
1304	csrss.exe
1308	csrss.exe
2040	csrss.exe
1496	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2888	cmd.exe
2888	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
12	raw.githubusercontent.com
26	raw.githubusercontent.com
36	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
15	raw.githubusercontent.com
18	raw.githubusercontent.com
22	raw.githubusercontent.com
29	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_62b640db145d628671ff154eefe01df950f145fd0b393ad033b069934c355e90.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2660	schtasks.exe
2364	schtasks.exe
2052	schtasks.exe
2996	schtasks.exe
2696	schtasks.exe
2920	schtasks.exe
2356	schtasks.exe
2712	schtasks.exe
2136	schtasks.exe
1860	schtasks.exe
2656	schtasks.exe
2828	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2984	DllCommonsvc.exe
2984	DllCommonsvc.exe
2984	DllCommonsvc.exe
2460	powershell.exe
1936	powershell.exe
1304	powershell.exe
1832	powershell.exe
1928	powershell.exe
380	csrss.exe
1584	csrss.exe
2716	csrss.exe
1700	csrss.exe
1972	csrss.exe
288	csrss.exe
1304	csrss.exe
1308	csrss.exe
2040	csrss.exe
1496	csrss.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	DllCommonsvc.exe
Token: SeDebugPrivilege	380	csrss.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	1584	csrss.exe
Token: SeDebugPrivilege	2716	csrss.exe
Token: SeDebugPrivilege	1700	csrss.exe
Token: SeDebugPrivilege	1972	csrss.exe
Token: SeDebugPrivilege	288	csrss.exe
Token: SeDebugPrivilege	1304	csrss.exe
Token: SeDebugPrivilege	1308	csrss.exe
Token: SeDebugPrivilege	2040	csrss.exe
Token: SeDebugPrivilege	1496	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2004	2092	JaffaCakes118_62b640db145d628671ff154eefe01df950f145fd0b393ad033b069934c355e90.exe	30
PID 2092 wrote to memory of 2004	2092	JaffaCakes118_62b640db145d628671ff154eefe01df950f145fd0b393ad033b069934c355e90.exe	30
PID 2092 wrote to memory of 2004	2092	JaffaCakes118_62b640db145d628671ff154eefe01df950f145fd0b393ad033b069934c355e90.exe	30
PID 2092 wrote to memory of 2004	2092	JaffaCakes118_62b640db145d628671ff154eefe01df950f145fd0b393ad033b069934c355e90.exe	30
PID 2004 wrote to memory of 2888	2004	WScript.exe	31
PID 2004 wrote to memory of 2888	2004	WScript.exe	31
PID 2004 wrote to memory of 2888	2004	WScript.exe	31
PID 2004 wrote to memory of 2888	2004	WScript.exe	31
PID 2888 wrote to memory of 2984	2888	cmd.exe	33
PID 2888 wrote to memory of 2984	2888	cmd.exe	33
PID 2888 wrote to memory of 2984	2888	cmd.exe	33
PID 2888 wrote to memory of 2984	2888	cmd.exe	33
PID 2984 wrote to memory of 1832	2984	DllCommonsvc.exe	47
PID 2984 wrote to memory of 1832	2984	DllCommonsvc.exe	47
PID 2984 wrote to memory of 1832	2984	DllCommonsvc.exe	47
PID 2984 wrote to memory of 1304	2984	DllCommonsvc.exe	48
PID 2984 wrote to memory of 1304	2984	DllCommonsvc.exe	48
PID 2984 wrote to memory of 1304	2984	DllCommonsvc.exe	48
PID 2984 wrote to memory of 1928	2984	DllCommonsvc.exe	49
PID 2984 wrote to memory of 1928	2984	DllCommonsvc.exe	49
PID 2984 wrote to memory of 1928	2984	DllCommonsvc.exe	49
PID 2984 wrote to memory of 1936	2984	DllCommonsvc.exe	50
PID 2984 wrote to memory of 1936	2984	DllCommonsvc.exe	50
PID 2984 wrote to memory of 1936	2984	DllCommonsvc.exe	50
PID 2984 wrote to memory of 2460	2984	DllCommonsvc.exe	52
PID 2984 wrote to memory of 2460	2984	DllCommonsvc.exe	52
PID 2984 wrote to memory of 2460	2984	DllCommonsvc.exe	52
PID 2984 wrote to memory of 380	2984	DllCommonsvc.exe	57
PID 2984 wrote to memory of 380	2984	DllCommonsvc.exe	57
PID 2984 wrote to memory of 380	2984	DllCommonsvc.exe	57
PID 380 wrote to memory of 2312	380	csrss.exe	59
PID 380 wrote to memory of 2312	380	csrss.exe	59
PID 380 wrote to memory of 2312	380	csrss.exe	59
PID 2312 wrote to memory of 2128	2312	cmd.exe	61
PID 2312 wrote to memory of 2128	2312	cmd.exe	61
PID 2312 wrote to memory of 2128	2312	cmd.exe	61
PID 2312 wrote to memory of 1584	2312	cmd.exe	62
PID 2312 wrote to memory of 1584	2312	cmd.exe	62
PID 2312 wrote to memory of 1584	2312	cmd.exe	62
PID 1584 wrote to memory of 2316	1584	csrss.exe	63
PID 1584 wrote to memory of 2316	1584	csrss.exe	63
PID 1584 wrote to memory of 2316	1584	csrss.exe	63
PID 2316 wrote to memory of 2228	2316	cmd.exe	65
PID 2316 wrote to memory of 2228	2316	cmd.exe	65
PID 2316 wrote to memory of 2228	2316	cmd.exe	65
PID 2316 wrote to memory of 2716	2316	cmd.exe	66
PID 2316 wrote to memory of 2716	2316	cmd.exe	66
PID 2316 wrote to memory of 2716	2316	cmd.exe	66
PID 2716 wrote to memory of 1636	2716	csrss.exe	67
PID 2716 wrote to memory of 1636	2716	csrss.exe	67
PID 2716 wrote to memory of 1636	2716	csrss.exe	67
PID 1636 wrote to memory of 1280	1636	cmd.exe	69
PID 1636 wrote to memory of 1280	1636	cmd.exe	69
PID 1636 wrote to memory of 1280	1636	cmd.exe	69
PID 1636 wrote to memory of 1700	1636	cmd.exe	70
PID 1636 wrote to memory of 1700	1636	cmd.exe	70
PID 1636 wrote to memory of 1700	1636	cmd.exe	70
PID 1700 wrote to memory of 624	1700	csrss.exe	71
PID 1700 wrote to memory of 624	1700	csrss.exe	71
PID 1700 wrote to memory of 624	1700	csrss.exe	71
PID 624 wrote to memory of 2216	624	cmd.exe	73
PID 624 wrote to memory of 2216	624	cmd.exe	73
PID 624 wrote to memory of 2216	624	cmd.exe	73
PID 624 wrote to memory of 1972	624	cmd.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62b640db145d628671ff154eefe01df950f145fd0b393ad033b069934c355e90.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62b640db145d628671ff154eefe01df950f145fd0b393ad033b069934c355e90.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\ja-JP\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
    - - C:\Program Files (x86)\Internet Explorer\ja-JP\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:380
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2128
        
        C:\Program Files (x86)\Internet Explorer\ja-JP\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x7ZYnkvAkq.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2228
        
        C:\Program Files (x86)\Internet Explorer\ja-JP\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3gUlVaPHfz.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1280
        
        C:\Program Files (x86)\Internet Explorer\ja-JP\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RkPY472Oq9.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2216
        
        C:\Program Files (x86)\Internet Explorer\ja-JP\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTz6y56Ktd.bat"
        14⤵
        
        PID:2936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2720
        
        C:\Program Files (x86)\Internet Explorer\ja-JP\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qX4ufk0Q6M.bat"
        16⤵
        
        PID:2388
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2968
        
        C:\Program Files (x86)\Internet Explorer\ja-JP\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat"
        18⤵
        
        PID:836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1856
        
        C:\Program Files (x86)\Internet Explorer\ja-JP\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat"
        20⤵
        
        PID:2276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2648
        
        C:\Program Files (x86)\Internet Explorer\ja-JP\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat"
        22⤵
        
        PID:2664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2788
        
        C:\Program Files (x86)\Internet Explorer\ja-JP\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\csrss.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat"
        24⤵
        
        PID:1748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b639065a2721a70208a7dafa145c3ade

SHA1
3b0fd7b4ef34572bc55ab7275ae1085f35f25ef3

SHA256
3272b889b73d528a30d63552524746a1b09bb85d7de42fa53d8b69f5878bcd93

SHA512
0b5940efe5864fdd4d96f52a2d536b59eb6debf4db920e3a603c58ab62d199e8afd377a95270402c9cb361f788df7054f7ac539afa4e153b5ef0c7a1b9151f58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb7b3fcbb2b935dde6f4e0ec902c01ff

SHA1
e2af60d6eeff7fd62d8ee088ebd2edf2bf8be25c

SHA256
9db1100cdfb18b73e74b4858c6ed2ff79b9a83aa1203eac7e54e8280e219a555

SHA512
f44e3b561328a2ecaf4bc768a03424f132748ce3bd775fc7b60f970ec601706e177f0225a47b5a36907ff2a5b75fe10a298d8b5982e2df8977eeb285f7a5cd4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d59d8ec62cfcbe242ecd910ba67c4af

SHA1
0464938a8bb1b50914e08daff8147548e02d3806

SHA256
b06fe750f5fec2dff09a036c80ba6b236d65cb9cf8126cf5e579eed2473a298a

SHA512
a7e311c052c33f6591547deef88d737909caed35055f8aff4a3a8d0231f492c0d3996cb4ddef389a614097945daf3ac7128bb66600b5078cf124948662f18dc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b793a97daf9c56195ef502e23fd7482

SHA1
a4295fcf3a8a821ec205d3896c4acd9b67b194d2

SHA256
f2961eac87445c407adfb11d0a4826ad9fb7b33d67ea495afb34998b75974558

SHA512
f3f30ac4ad3cbabebbda88fe75ac16319024f55026860de8060dc52baa4d5447b7a35991f3bfc03a5f099ab4b34381646d07552b37b7815ac9414b8b9fefe966

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d44a05d7a0053937f3042b915373da63

SHA1
83f7d2a952a89518a929068c3a65cc18993c7311

SHA256
bae708026077a4e131d9ced909af42214565e12dfcf559ed1c0975c369a1348b

SHA512
ac0612b7b7da7a203ebd8c65980c52b8a1b41506daff877c2632a7f9d6cdaba37779a41422fd4ebbc8d4e6b248ed328246f8d80eaf4403c93bf86451593d205e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b08d4e7f55adec7c1dbe694b73203baa

SHA1
d7425d35e24bbcb7abbb90e136c1a7ca41b9a84c

SHA256
3b22b143f2e357b781b591f8ca54a9c15a3d74f2d6304c0d8005734edd11710e

SHA512
2c601c6e2b95c76e631f4ac438062055c56918861fd535cdf648add1a4624d971d0c805cceefd8b4d36441a3e9eb9aa3be87ede1988a79fd9641b9e76fedb69e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd6c54a939f13f7cebfa3182d423c42f

SHA1
8830d970f96098307507740b590c638a99a4d1c8

SHA256
33f3ea7bfa07aa3a5deb3035904c603edb844092446e97e4de718f737f41ad76

SHA512
a7b017390e0a302bd236bc2ff0b0d50f346ed8ad429589aac0b7ab42ca04c5f3b9222452d190d250c33bdf2b4282c03763790750db3e23b1b102638c58a6ee8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a558140d5c98133008753607b4b4ab25

SHA1
0680f99f464f804cbc3e07311b2ddf18e4eb192f

SHA256
fd60763eaa2f3c62bfa8342d7983c909a3251f051a92ebd4d60cc55bed905960

SHA512
28d7eb0cec916227611d4a0fbfd543e75709b80afcbfaab237465f022ec6d19b3b8985cdf99f3b97801134f4bc8de7fc7ef5b7daba5b052ea36a76bf4ccc7f34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
056854db7992a015ad6eb5e13445f1cb

SHA1
0ee7c7186ddd3f89c899776a13bc67379c79c5f2

SHA256
9e1b45e1fd5b235c9cdabc9b67fd96974943dda6703e01e4c874bedbf8b2c20c

SHA512
d342bd4e7c9871d9428cf18e94a79629ff1cddebd66d190d933f72417b7b1c41583305d235cb3770a66228bf6dcd1e807ea6167d99bfc1427eae854b8291e381

Download Submit
C:\Users\Admin\AppData\Local\Temp\3gUlVaPHfz.bat

Filesize
221B

MD5
da29c70b44b91376deaa39352ef1417f

SHA1
5abc9f6fcadb7a30c103c80da327687f53e7f914

SHA256
270e7571aa9fbd8c63210c46d4d5c3e2dede0489da47e84b11debaed68768546

SHA512
cd317cf3c2ab700c0f61583aefb4e8925f1da3a142fb16c83c444cd257a4ea527e2ae5560e61dfc0520208161475ce022125561830ee8b3ec8c3b9887976920b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat

Filesize
221B

MD5
cc0a0a7db57e4708cce0f6854c1b403a

SHA1
90bad3295bb7e3cf4174917ffbbcd32e7ddd004a

SHA256
973600b57c9337f8fe8a6b079483523d213cd18295f8b2d52cb580d7bef8176d

SHA512
a6835ed8cbdb0612636a32d0b3decc847f2dc5e73b198e6eb5620526de50d8eab2a3ea57bfc7cd1f54b0ae6d0377c3c6f9f4cc0185a83a8e56c2af887a55dd49

Download Submit
C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat

Filesize
221B

MD5
7014962b319c8229451fa1efbbbee1bd

SHA1
774b2779a072deefef0f9708ab6e47512c45a683

SHA256
80d0f4a3deb5e673bc199e201905314ac796caf6081a9c988365ce6e3aba9e03

SHA512
fc48284737324e0d7980fc4372fc975a8b07d39536bb09946af648f00b792f4c7935b9eb651fdc197a7c24ac5a9960c9c3f3020390e72ba3d43bb8dcae084395

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEA70.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat

Filesize
221B

MD5
eebfde15cb23315185e4043379088782

SHA1
20a443bf3819d88a43cdebc50c58cb346ceef669

SHA256
6da06787387ea162334f33bad4264823c4adb077b433333ccb5014b0d2cea345

SHA512
bd345618f5083300b8aba521e76cd1498a1f316e5fd8eb6de9b9bc1c0fb75193a8980907b4bd8f14baadff7d2093a1171a60234bd0c7a49609a34239bee31f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\RkPY472Oq9.bat

Filesize
221B

MD5
c441aa31078804d3e4bed37204b75cfd

SHA1
8165fc1a89a71f72a936a8a55dc25bafddcf0348

SHA256
8107c8f0e274281ac64a5a313b43fc682ffcc77528f751a6db1746f7854ee44f

SHA512
3ab02f13c951f504527596b3bc1a3421483f7f72ffa88f7acd0c7682e8d9fa29d3883e17188bba1d459337a2b6e48652dc59e3768d2f2d656bbd531c5f46ea4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEA93.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat

Filesize
221B

MD5
bdc1ffb5f2cf009b04e14915446a677a

SHA1
c4fe0500365c2e69976b026fea9e0ac29a8c9044

SHA256
9f7a24e2b2a5f6c878f5728e1e43f6da2656a015360c28050a47961730b139c8

SHA512
5c1a459567d6d9aff208bd2ce14bbfb0c124733fc918992f63dd0577357a2314da07e9f183b290b3fd9f7eac8efa08721cdb2f7400cd2ced55cc854df7a0553d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qX4ufk0Q6M.bat

Filesize
221B

MD5
9343ad088631eeece5dab4d802bb6e37

SHA1
b83b86445fdc61a4e714aa4a7267d2c5eeaa52ba

SHA256
7225394f038b61408cf7b5d5ebe05e7dec83f0a29a8cb2653d2266d47bc0be72

SHA512
17fea6d4252137e201f7a265b5f70d4c7688b296f23864407438eea91831ce108abd3133615e1a9ec7419d2e1ba4b2388aeb5717fa8d4625736f73758c86c3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat

Filesize
221B

MD5
c73b0f2c665b0b31878c92a6fa290c66

SHA1
d77b46f3011c8b2e57b375e2e19d3e74d380792f

SHA256
d88f0b43df957e463f8cf5be6f79262b7dcaa6cc39555bac92558ebb4b95966b

SHA512
7c12200e7e359c0ea3251491ad1df6d9d77204db19dea4e2b89563afdbaa0a92f6c34bad44acb5a9f646dc783ffcffa800364b9f24eccd719061742835da0108

Download Submit
C:\Users\Admin\AppData\Local\Temp\x7ZYnkvAkq.bat

Filesize
221B

MD5
7e082603ab7d7be0264b2a3d4c2f2d39

SHA1
d9e68e4d7a9ea505388b1b0b3cab0b83827f474f

SHA256
b7e1f672be99456d933eca4238316f40f3284e9c2955ca78fbd65c7d71cbfeec

SHA512
13ea18d76f443bf044f119f3a670e55a6a34910793649c6a0646b5d2b257986fb5f598a752cfd157ab6c519bea7ab228ca7b820a50699dcbca267424bf2b5c60

Download Submit
C:\Users\Admin\AppData\Local\Temp\yTz6y56Ktd.bat

Filesize
221B

MD5
caf59e620ec19bfb371de433cd2e9773

SHA1
80e66dca4d271d2252d400a51aa3e8fefa03f71c

SHA256
98a28aff73cfe3006b3705c0c93e67063ab953146c63e60321b7dcf4bbd77a6c

SHA512
24f7f7a5c025c7f1cd2255945460621db6a501a0fff28d94ed87e1e8748a9884ae025d67d2f4860b2f3fecc7d59ba8063f83d4b01dce5051f3f352de46186e91

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1e4d8cca6e644e5697d4c783148a2526

SHA1
e4b1ae79357fbd15195b44024da8dbaf8c6a69ee

SHA256
e237637c782a4d102ba829c80091e98255692bd0003b78397f5057e06aec090f

SHA512
569cd85f1ed91b67dee6ac9491c47a2e39df87665f3d112530ff1fd3a9310f3cc2ec5dd8ac6adb839033adb791ed9a7b000d467a85094d9d0b8210c08f23d6ab

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/288-358-0x00000000001D0000-0x00000000002E0000-memory.dmp

Filesize
1.1MB

Download
memory/380-32-0x0000000000010000-0x0000000000120000-memory.dmp

Filesize
1.1MB

Download
memory/1304-419-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1304-418-0x0000000000A30000-0x0000000000B40000-memory.dmp

Filesize
1.1MB

Download
memory/1308-479-0x0000000001160000-0x0000000001270000-memory.dmp

Filesize
1.1MB

Download
memory/1496-599-0x0000000000290000-0x00000000003A0000-memory.dmp

Filesize
1.1MB

Download
memory/1584-117-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/1700-238-0x0000000000340000-0x0000000000450000-memory.dmp

Filesize
1.1MB

Download
memory/1928-57-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/1936-58-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/1972-298-0x0000000000240000-0x0000000000350000-memory.dmp

Filesize
1.1MB

Download
memory/2040-539-0x0000000000330000-0x0000000000440000-memory.dmp

Filesize
1.1MB

Download
memory/2716-178-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2716-177-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/2984-17-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2984-16-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2984-15-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2984-14-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2984-13-0x0000000000D20000-0x0000000000E30000-memory.dmp

Filesize
1.1MB

Download