dcrat | da8298844f77256806120bcafcefa7217d4a8aa34c18daba7467febe7e98793e

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_da8298844f77256806120bcafcefa7217d4a8aa34c18daba7467febe7e98793e.exe
Size

1.3MB
MD5

46e351ea9d323577c8afd11f4c267f87
SHA1

9305dde141a0785544e8a86c0a96b672dd5aa12c
SHA256

da8298844f77256806120bcafcefa7217d4a8aa34c18daba7467febe7e98793e
SHA512

5c18c3c7000faa2223101014d61abf27ccf4a3d4f563e6c6e19f4b2fe540227ba79c43b885e457c6b0daeb1f2c90609be5613e8b833b9d2c97803a9e6304ee77
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	3052	schtasks.exe	35

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000186ed-10.dat	dcrat
behavioral1/memory/2472-13-0x0000000000C30000-0x0000000000D40000-memory.dmp	dcrat
behavioral1/memory/1056-45-0x00000000012F0000-0x0000000001400000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1060	powershell.exe
1828	powershell.exe
2044	powershell.exe
1924	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2472	DllCommonsvc.exe
1056	csrss.exe
1496	csrss.exe
2856	csrss.exe
1736	csrss.exe
1632	csrss.exe
2568	csrss.exe
2856	csrss.exe
2792	csrss.exe
2584	csrss.exe
2576	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2576	cmd.exe
2576	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
19	raw.githubusercontent.com
27	raw.githubusercontent.com
33	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IME\IMESC5\applets\System.exe	DllCommonsvc.exe
File created	C:\Windows\SysWOW64\IME\IMESC5\applets\27d1bcfc3c54e0	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_da8298844f77256806120bcafcefa7217d4a8aa34c18daba7467febe7e98793e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2548	schtasks.exe
2984	schtasks.exe
3024	schtasks.exe
2692	schtasks.exe
1728	schtasks.exe
2856	schtasks.exe
2720	schtasks.exe
2340	schtasks.exe
2332	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2472	DllCommonsvc.exe
1924	powershell.exe
1060	powershell.exe
1828	powershell.exe
2044	powershell.exe
1056	csrss.exe
1496	csrss.exe
2856	csrss.exe
1736	csrss.exe
1632	csrss.exe
2568	csrss.exe
2856	csrss.exe
2792	csrss.exe
2584	csrss.exe
2576	csrss.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2472	DllCommonsvc.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	1056	csrss.exe
Token: SeDebugPrivilege	1496	csrss.exe
Token: SeDebugPrivilege	2856	csrss.exe
Token: SeDebugPrivilege	1736	csrss.exe
Token: SeDebugPrivilege	1632	csrss.exe
Token: SeDebugPrivilege	2568	csrss.exe
Token: SeDebugPrivilege	2856	csrss.exe
Token: SeDebugPrivilege	2792	csrss.exe
Token: SeDebugPrivilege	2584	csrss.exe
Token: SeDebugPrivilege	2576	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2420	2396	JaffaCakes118_da8298844f77256806120bcafcefa7217d4a8aa34c18daba7467febe7e98793e.exe	30
PID 2396 wrote to memory of 2420	2396	JaffaCakes118_da8298844f77256806120bcafcefa7217d4a8aa34c18daba7467febe7e98793e.exe	30
PID 2396 wrote to memory of 2420	2396	JaffaCakes118_da8298844f77256806120bcafcefa7217d4a8aa34c18daba7467febe7e98793e.exe	30
PID 2396 wrote to memory of 2420	2396	JaffaCakes118_da8298844f77256806120bcafcefa7217d4a8aa34c18daba7467febe7e98793e.exe	30
PID 2420 wrote to memory of 2576	2420	WScript.exe	32
PID 2420 wrote to memory of 2576	2420	WScript.exe	32
PID 2420 wrote to memory of 2576	2420	WScript.exe	32
PID 2420 wrote to memory of 2576	2420	WScript.exe	32
PID 2576 wrote to memory of 2472	2576	cmd.exe	34
PID 2576 wrote to memory of 2472	2576	cmd.exe	34
PID 2576 wrote to memory of 2472	2576	cmd.exe	34
PID 2576 wrote to memory of 2472	2576	cmd.exe	34
PID 2472 wrote to memory of 1060	2472	DllCommonsvc.exe	45
PID 2472 wrote to memory of 1060	2472	DllCommonsvc.exe	45
PID 2472 wrote to memory of 1060	2472	DllCommonsvc.exe	45
PID 2472 wrote to memory of 1924	2472	DllCommonsvc.exe	46
PID 2472 wrote to memory of 1924	2472	DllCommonsvc.exe	46
PID 2472 wrote to memory of 1924	2472	DllCommonsvc.exe	46
PID 2472 wrote to memory of 1828	2472	DllCommonsvc.exe	47
PID 2472 wrote to memory of 1828	2472	DllCommonsvc.exe	47
PID 2472 wrote to memory of 1828	2472	DllCommonsvc.exe	47
PID 2472 wrote to memory of 2044	2472	DllCommonsvc.exe	48
PID 2472 wrote to memory of 2044	2472	DllCommonsvc.exe	48
PID 2472 wrote to memory of 2044	2472	DllCommonsvc.exe	48
PID 2472 wrote to memory of 1056	2472	DllCommonsvc.exe	53
PID 2472 wrote to memory of 1056	2472	DllCommonsvc.exe	53
PID 2472 wrote to memory of 1056	2472	DllCommonsvc.exe	53
PID 1056 wrote to memory of 576	1056	csrss.exe	54
PID 1056 wrote to memory of 576	1056	csrss.exe	54
PID 1056 wrote to memory of 576	1056	csrss.exe	54
PID 576 wrote to memory of 912	576	cmd.exe	56
PID 576 wrote to memory of 912	576	cmd.exe	56
PID 576 wrote to memory of 912	576	cmd.exe	56
PID 576 wrote to memory of 1496	576	cmd.exe	57
PID 576 wrote to memory of 1496	576	cmd.exe	57
PID 576 wrote to memory of 1496	576	cmd.exe	57
PID 1496 wrote to memory of 1808	1496	csrss.exe	58
PID 1496 wrote to memory of 1808	1496	csrss.exe	58
PID 1496 wrote to memory of 1808	1496	csrss.exe	58
PID 1808 wrote to memory of 2552	1808	cmd.exe	60
PID 1808 wrote to memory of 2552	1808	cmd.exe	60
PID 1808 wrote to memory of 2552	1808	cmd.exe	60
PID 1808 wrote to memory of 2856	1808	cmd.exe	61
PID 1808 wrote to memory of 2856	1808	cmd.exe	61
PID 1808 wrote to memory of 2856	1808	cmd.exe	61
PID 2856 wrote to memory of 2028	2856	csrss.exe	62
PID 2856 wrote to memory of 2028	2856	csrss.exe	62
PID 2856 wrote to memory of 2028	2856	csrss.exe	62
PID 2028 wrote to memory of 1928	2028	cmd.exe	64
PID 2028 wrote to memory of 1928	2028	cmd.exe	64
PID 2028 wrote to memory of 1928	2028	cmd.exe	64
PID 2028 wrote to memory of 1736	2028	cmd.exe	65
PID 2028 wrote to memory of 1736	2028	cmd.exe	65
PID 2028 wrote to memory of 1736	2028	cmd.exe	65
PID 1736 wrote to memory of 716	1736	csrss.exe	66
PID 1736 wrote to memory of 716	1736	csrss.exe	66
PID 1736 wrote to memory of 716	1736	csrss.exe	66
PID 716 wrote to memory of 2136	716	cmd.exe	68
PID 716 wrote to memory of 2136	716	cmd.exe	68
PID 716 wrote to memory of 2136	716	cmd.exe	68
PID 716 wrote to memory of 1632	716	cmd.exe	69
PID 716 wrote to memory of 1632	716	cmd.exe	69
PID 716 wrote to memory of 1632	716	cmd.exe	69
PID 1632 wrote to memory of 2864	1632	csrss.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_da8298844f77256806120bcafcefa7217d4a8aa34c18daba7467febe7e98793e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_da8298844f77256806120bcafcefa7217d4a8aa34c18daba7467febe7e98793e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\IME\IMESC5\applets\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
    - - C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1056
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XC59y11ueh.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:912
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jI650TZYhJ.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2552
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W0gPze1DKI.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1928
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\muCkezbCVz.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2136
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s2EHkno7yQ.bat"
        14⤵
        
        PID:2864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:344
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat"
        16⤵
        
        PID:1864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2364
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\t3iRsZx2b7.bat"
        18⤵
        
        PID:2236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2924
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat"
        20⤵
        
        PID:2096
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2616
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat"
        22⤵
        
        PID:1072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2956
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ANE2RWndQ4.bat"
        24⤵
        
        PID:1368
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\SysWOW64\IME\IMESC5\applets\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\SysWOW64\IME\IMESC5\applets\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\SysWOW64\IME\IMESC5\applets\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f24a79be884dfbae21b8b642f221989e

SHA1
1b336876f9da872d1c8881cee8aa3a78d7e3f185

SHA256
8581bb3c77b6779104a6018d1cfa702fe90d33b1e9d174949263f9e8c4c6eed0

SHA512
ebf3a01c52bd5f04cf80ca9bf52e73d7ca8075e2aef6353c3e8e4843c621317fd324d82b6f29c1214739d5853ea72410ebc9af05ca080200aae1f9a72cf7cd93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18355928e5e4cb6369091114036124e9

SHA1
21c99b76e04765377a142f96fdc4397854383c70

SHA256
60b1fe3b91335843317afde02cf9dab82dad2ad1539b03ed7c2c8578cc4d675a

SHA512
74ad6ca3ce4cc73c31449b46d7f956c2fa64ef23eef7386288fc805321990684ddba5d5f9454ce6187831569d14e402176d70a13850b81d60ba8a1c029ded6e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dad2eda81fa8a1f4357e11fd5bb5218d

SHA1
54134b65a54beb622636283bab3e63c9ef8626ac

SHA256
efbdd24ad702cc7c28fe6713135cc9efa13210a9a0aea87b353240b6dc830919

SHA512
6c83d5cce5c87e09a21e1f09fde84da551b0677065a44bef71a14b1a7909e381a9e639922e3fb01f32759c0d5793bef6742ba5f802aff205251aa9a6683812e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
442eead6b46091b8f670e33a9adbd55d

SHA1
ec6bb83cf9bb217516e6d5caec1fbc7dd9eda542

SHA256
1a2b3a07c28c5dec5a8802fc02eaaf0dd13e42984959d35780f2a61b85513120

SHA512
f1d197ec6fc82f4f529d2e89c620edd2ea2885bc9b5f99874f882358fc0a73136708f8f2e98ed72b652650471b6db2a186030b34cf30e1c99de7f9e51192366a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
874d61f224e8d1f62270847120faf12b

SHA1
744b9309c5936a5d2ea0bece4402fb5d17202d88

SHA256
c99cff478a71ae8fa4a8a0360e5dc4008f0b86f6ee79adbd8279b0575c26106d

SHA512
32b7a062f79ae1855707954a92060d253065e9a0e87e81143808500d5744aaf7ea06dbcab52e2fc627fed3eeba49ae6ad6c1d984d400f49615db450a76e79515

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37ac7b6eebea99411195959655166d25

SHA1
50f754004be3aff2b0f4e7dd17880ac5b68ff268

SHA256
4e553cca12c076c1ae37e4e26b0958d246290e7f733e207e265f6cffcb0d1d2f

SHA512
dec82288ba847224b1b0e6131e483ec19f1e891420b8d6e6cf7256cd84daa52c01e6f6affd23019a04a2ec1ba05eb2d1c046f6744def7b56e2e3d2393962789d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c9aa9a1aa7893e1ba2092b441d8828a

SHA1
bc50bb3ffca1115a33077fc3ede5c964c8df260f

SHA256
a3d0a7f2f14cef42722a2a75d4984bf28e747196bf9278befff701f83c09703b

SHA512
c2d67fe17f1b8231b93b97f54ce8950d3bbe33c65e4ec750d1bd90ce63be1576432e541546cd07c84bf179da36b5bd11ee905bbf38f4f2867a93f3d351d5ed40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff2f806c1ea01b125cf2182fa7a3aebe

SHA1
e79c8e2e248e03d50f7806e1e0f6bd81e8d6fc18

SHA256
323efed3c4497392a74e557796d7f03df01d690b66178d0d4aa44db6e0ac8105

SHA512
bf0b7cd0a8d3973096d6b80af27e931c65e94ed812d490e23f3d6db246d25883640f0299bd448d356828f0477683ad3876e7c2555d55b734d008dcb19a3d0e4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
029a4eb6f0bdad431d347031bc7eac05

SHA1
cdc08f2585879d36f7a674a4712713a32489aa9d

SHA256
98c337ec7733268c3268cd9b514f2ec8b009fa6518eeacba5544ec85f78cd4e8

SHA512
de85f4fb3f18a49ac0f9cf049013256002787547ada7534503bd9dc8c1b003f946b0d3ef56d3d2227f2f7977940a559df01cffd026f4505535b2a513e055d7bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANE2RWndQ4.bat

Filesize
250B

MD5
0012506f4b2c579f829d4313cd27e8f3

SHA1
ceb60c24e9b5596304630b9926f122105e14ac45

SHA256
cd02d85bc503a8a6d26bf5812eddf180e4e643910714cd74aea28cfd3aa81a2e

SHA512
c4fa91f153ca229f678345c90df91827cc4f2294551b3acf5ad1c010ae2140c9b35eacdae72e280cbb0e060a230473f43dbed299668ae2fbd007a013a3f6d984

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF1A1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat

Filesize
250B

MD5
f64cd8fc92f651c850bfb4ca91082648

SHA1
603ec867f494a832bf5c0c11de8c4c99a4180e8b

SHA256
d0d8eaaf75966d9d7c5a4003b5e795317e6541fe0f064b74808d816770d1917d

SHA512
5b433b57b73f2f0c05fe1e579b34511fb567d40094626eec6959648a6def346c63abd1512bc038a1f1824dbb6b20606893cb859bd56458af0d47dc360384f84b

Download Submit
C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat

Filesize
250B

MD5
b8c36744a8be56b727c653238c32fe85

SHA1
aed4ce8522456852f5c9c0600794dd107a11a195

SHA256
945b5c4196042b4a47ecdfddeb3205203912061b061808f2a5b687dffaa12871

SHA512
2b8c02adbeb3b4cd36e15d61ea12fa6e88a2167ed50d82bc46364f4fc0bd22143d0e337c3c333e2a95c123941326355124ec6a004602a6da82bde8940d5c85c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF1C3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\W0gPze1DKI.bat

Filesize
250B

MD5
44126558b4682097be7a81f69c0c938b

SHA1
8f334fd27585b6f6c39dd2a378d25ce0618607a4

SHA256
695af427a2167a3ed7339a6b8a451f856d813046193fb41b9d742c153be70459

SHA512
94539efded0c79d894045d710c39f0f1553b76d1733925c651adf94de85aa7b2db1de2611df1222cd3980eafede7c09972c6a1bfc13180ff1e4efea4e0fb3771

Download Submit
C:\Users\Admin\AppData\Local\Temp\XC59y11ueh.bat

Filesize
250B

MD5
a98f12f7642898e3a73d7d589652b2f2

SHA1
26e468ed57fdffbaf226934f8ee464d64bc6e6dd

SHA256
5c90ab02f39c903ff181f2f4edada3c231ccb192b150d4f7f50a4e8145ca8e09

SHA512
92dd270039888cc7cf3bba2ff72b3b5122a05ae423f31cbef1411201452be3768f373ad0209b07735cbb5885037836cab4c8129935d29e45b1f67ff4453a56b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jI650TZYhJ.bat

Filesize
250B

MD5
69ea527ae4bb6a16ce19c92db03bdabb

SHA1
687be8b35f55bd21735e7599239b8a921112fcaf

SHA256
0cb34f1e17f63701022f3e07ea3f943f3fbd424581fd5bed70a6cc82bd070a30

SHA512
19505ae6cb6eff07fad0e91a23c1140d587f673d1cf16705659ac9dba3f84d1bf0edd10a5b84afc927bce322cc78751f984546aa4869e12733dc0e8edde9e8cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\muCkezbCVz.bat

Filesize
250B

MD5
70ef0d9f2ece19dc90766e53ec40d270

SHA1
1a452fc91ea0b1679fe7eb16a3bce72617f7038f

SHA256
e0ec876c1534760784e5e6ba0b0d9e5af21c7036fed133ef6518b7ab8ef8946f

SHA512
97dd0733a0938ac3fba25ea799bc05b5fd49581c6f03c1f133da0cd0bed7fcd53acb8fe81935502a61efbe261fd4844290d8aec754518964d828a89219cb6364

Download Submit
C:\Users\Admin\AppData\Local\Temp\s2EHkno7yQ.bat

Filesize
250B

MD5
e80f9ad7be84e010ede1363039dc39fe

SHA1
26751eca1607ecaaa80d411456728fee5b19be5a

SHA256
4ce03c613f2aa0ccdd4af0da9782776bffe44e79dea74ecfb983fa203ce2507a

SHA512
4e519662fb84a4e9158852f38c67d82bb88dcc996072540314b97c20e9904f4ed7c42d08d4e37f56fa50961ae13593324222451ea99b6a3f4eb24be62c975792

Download Submit
C:\Users\Admin\AppData\Local\Temp\t3iRsZx2b7.bat

Filesize
250B

MD5
e859e56c3bc0b89e62203ac5bba99c60

SHA1
02e15841d460e6e2e8bcb0b02da74df713bbe93f

SHA256
d8efc95c20dc611f3dad83efa65a79a705b1457edb167124552ff1723871ebf6

SHA512
c1f52ded8551e5258187d50434876848ee222d3e638d6b8dbb836d57ec1144fdf0ac0674f405da45581a4b2b91dc30b61a0a0078a92a49613d28881f675ec5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat

Filesize
250B

MD5
f74151a071c3272d73c52a1f8e24fe27

SHA1
43672938c7de7cfc15ab10e5be1ce580c1d2a75a

SHA256
f2f9a0fb152ca63ae98c75ce04f4e80e28bd3a2bb37c375b5e25abffc175d4b5

SHA512
cbb90ac6d911dc49220289eaea97e670c4a1eb6835989ba61925bff80da6cc2de8cb072909fd2edfe78496d0ec50259f5dbf0ab0fb1137531b012ce2370f78a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7b57a893b1a722e2d13c1e20f751a278

SHA1
0a34fcbad9a2b295120802364542e49b4037059f

SHA256
7589af3fb0305fb68a737a568df8d42940d56d14e86e508a81e78b6747781f88

SHA512
f0ba5a1522bd26ccac4a808c597a879f9731723bfbf13c1d930c59a612a0e1fd504271c66f39a7955cbad7f0c5e998e5aa6558cb6e89c4d5f14cba7d92dc14e9

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1056-45-0x00000000012F0000-0x0000000001400000-memory.dmp

Filesize
1.1MB

Download
memory/1060-47-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/1060-44-0x000000001B850000-0x000000001BB32000-memory.dmp

Filesize
2.9MB

Download
memory/2472-16-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2472-15-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2472-17-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/2472-14-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2472-13-0x0000000000C30000-0x0000000000D40000-memory.dmp

Filesize
1.1MB

Download
memory/2568-346-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/2576-584-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2856-406-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download