dcrat | cbd0f489897aac2dbe22ff4ec215983f3c7741183eaf860a5a876faae62c1a7a

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_cbd0f489897aac2dbe22ff4ec215983f3c7741183eaf860a5a876faae62c1a7a.exe
Size

1.3MB
MD5

7f13cfd9d82c2bfd9a622220f4f0dfde
SHA1

476d6bccf9b871a3f74d5b7e39ed63b3c279df63
SHA256

cbd0f489897aac2dbe22ff4ec215983f3c7741183eaf860a5a876faae62c1a7a
SHA512

221dfa6358578757f629d3cfee5b927f6ba4679f6f8f53d238c5bd035cee561e836007b92356db06d0f98b2b9cde8f9fbe0059a8f0da2ca62fefeee567b9ba7b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2828	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d66-9.dat	dcrat
behavioral1/memory/2320-13-0x0000000000830000-0x0000000000940000-memory.dmp	dcrat
behavioral1/memory/764-32-0x0000000000F50000-0x0000000001060000-memory.dmp	dcrat
behavioral1/memory/2168-117-0x00000000011B0000-0x00000000012C0000-memory.dmp	dcrat
behavioral1/memory/484-415-0x00000000002F0000-0x0000000000400000-memory.dmp	dcrat
behavioral1/memory/632-475-0x0000000000340000-0x0000000000450000-memory.dmp	dcrat
behavioral1/memory/2388-535-0x0000000000E70000-0x0000000000F80000-memory.dmp	dcrat
behavioral1/memory/2672-595-0x00000000013B0000-0x00000000014C0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
668	powershell.exe
380	powershell.exe
2924	powershell.exe
1156	powershell.exe
2528	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2320	DllCommonsvc.exe
764	csrss.exe
2168	csrss.exe
1664	csrss.exe
2564	csrss.exe
1304	csrss.exe
2484	csrss.exe
484	csrss.exe
632	csrss.exe
2388	csrss.exe
2672	csrss.exe
1296	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2264	cmd.exe
2264	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
33	raw.githubusercontent.com
5	raw.githubusercontent.com
16	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
29	raw.githubusercontent.com
36	raw.githubusercontent.com
39	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Update\explorer.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Google\Update\explorer.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_cbd0f489897aac2dbe22ff4ec215983f3c7741183eaf860a5a876faae62c1a7a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2748	schtasks.exe
2800	schtasks.exe
3008	schtasks.exe
624	schtasks.exe
2872	schtasks.exe
2972	schtasks.exe
2660	schtasks.exe
2148	schtasks.exe
1796	schtasks.exe
3012	schtasks.exe
2784	schtasks.exe
2200	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2320	DllCommonsvc.exe
2528	powershell.exe
2924	powershell.exe
764	csrss.exe
668	powershell.exe
1156	powershell.exe
380	powershell.exe
2168	csrss.exe
1664	csrss.exe
2564	csrss.exe
1304	csrss.exe
2484	csrss.exe
484	csrss.exe
632	csrss.exe
2388	csrss.exe
2672	csrss.exe
1296	csrss.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2320	DllCommonsvc.exe
Token: SeDebugPrivilege	764	csrss.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	380	powershell.exe
Token: SeDebugPrivilege	2168	csrss.exe
Token: SeDebugPrivilege	1664	csrss.exe
Token: SeDebugPrivilege	2564	csrss.exe
Token: SeDebugPrivilege	1304	csrss.exe
Token: SeDebugPrivilege	2484	csrss.exe
Token: SeDebugPrivilege	484	csrss.exe
Token: SeDebugPrivilege	632	csrss.exe
Token: SeDebugPrivilege	2388	csrss.exe
Token: SeDebugPrivilege	2672	csrss.exe
Token: SeDebugPrivilege	1296	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2468	2708	JaffaCakes118_cbd0f489897aac2dbe22ff4ec215983f3c7741183eaf860a5a876faae62c1a7a.exe	30
PID 2708 wrote to memory of 2468	2708	JaffaCakes118_cbd0f489897aac2dbe22ff4ec215983f3c7741183eaf860a5a876faae62c1a7a.exe	30
PID 2708 wrote to memory of 2468	2708	JaffaCakes118_cbd0f489897aac2dbe22ff4ec215983f3c7741183eaf860a5a876faae62c1a7a.exe	30
PID 2708 wrote to memory of 2468	2708	JaffaCakes118_cbd0f489897aac2dbe22ff4ec215983f3c7741183eaf860a5a876faae62c1a7a.exe	30
PID 2468 wrote to memory of 2264	2468	WScript.exe	31
PID 2468 wrote to memory of 2264	2468	WScript.exe	31
PID 2468 wrote to memory of 2264	2468	WScript.exe	31
PID 2468 wrote to memory of 2264	2468	WScript.exe	31
PID 2264 wrote to memory of 2320	2264	cmd.exe	33
PID 2264 wrote to memory of 2320	2264	cmd.exe	33
PID 2264 wrote to memory of 2320	2264	cmd.exe	33
PID 2264 wrote to memory of 2320	2264	cmd.exe	33
PID 2320 wrote to memory of 668	2320	DllCommonsvc.exe	47
PID 2320 wrote to memory of 668	2320	DllCommonsvc.exe	47
PID 2320 wrote to memory of 668	2320	DllCommonsvc.exe	47
PID 2320 wrote to memory of 380	2320	DllCommonsvc.exe	48
PID 2320 wrote to memory of 380	2320	DllCommonsvc.exe	48
PID 2320 wrote to memory of 380	2320	DllCommonsvc.exe	48
PID 2320 wrote to memory of 2924	2320	DllCommonsvc.exe	49
PID 2320 wrote to memory of 2924	2320	DllCommonsvc.exe	49
PID 2320 wrote to memory of 2924	2320	DllCommonsvc.exe	49
PID 2320 wrote to memory of 2528	2320	DllCommonsvc.exe	50
PID 2320 wrote to memory of 2528	2320	DllCommonsvc.exe	50
PID 2320 wrote to memory of 2528	2320	DllCommonsvc.exe	50
PID 2320 wrote to memory of 1156	2320	DllCommonsvc.exe	52
PID 2320 wrote to memory of 1156	2320	DllCommonsvc.exe	52
PID 2320 wrote to memory of 1156	2320	DllCommonsvc.exe	52
PID 2320 wrote to memory of 764	2320	DllCommonsvc.exe	57
PID 2320 wrote to memory of 764	2320	DllCommonsvc.exe	57
PID 2320 wrote to memory of 764	2320	DllCommonsvc.exe	57
PID 764 wrote to memory of 2128	764	csrss.exe	59
PID 764 wrote to memory of 2128	764	csrss.exe	59
PID 764 wrote to memory of 2128	764	csrss.exe	59
PID 2128 wrote to memory of 2096	2128	cmd.exe	61
PID 2128 wrote to memory of 2096	2128	cmd.exe	61
PID 2128 wrote to memory of 2096	2128	cmd.exe	61
PID 2128 wrote to memory of 2168	2128	cmd.exe	62
PID 2128 wrote to memory of 2168	2128	cmd.exe	62
PID 2128 wrote to memory of 2168	2128	cmd.exe	62
PID 2168 wrote to memory of 760	2168	csrss.exe	63
PID 2168 wrote to memory of 760	2168	csrss.exe	63
PID 2168 wrote to memory of 760	2168	csrss.exe	63
PID 760 wrote to memory of 1220	760	cmd.exe	65
PID 760 wrote to memory of 1220	760	cmd.exe	65
PID 760 wrote to memory of 1220	760	cmd.exe	65
PID 760 wrote to memory of 1664	760	cmd.exe	66
PID 760 wrote to memory of 1664	760	cmd.exe	66
PID 760 wrote to memory of 1664	760	cmd.exe	66
PID 1664 wrote to memory of 1912	1664	csrss.exe	67
PID 1664 wrote to memory of 1912	1664	csrss.exe	67
PID 1664 wrote to memory of 1912	1664	csrss.exe	67
PID 1912 wrote to memory of 2728	1912	cmd.exe	69
PID 1912 wrote to memory of 2728	1912	cmd.exe	69
PID 1912 wrote to memory of 2728	1912	cmd.exe	69
PID 1912 wrote to memory of 2564	1912	cmd.exe	70
PID 1912 wrote to memory of 2564	1912	cmd.exe	70
PID 1912 wrote to memory of 2564	1912	cmd.exe	70
PID 2564 wrote to memory of 2124	2564	csrss.exe	71
PID 2564 wrote to memory of 2124	2564	csrss.exe	71
PID 2564 wrote to memory of 2124	2564	csrss.exe	71
PID 2124 wrote to memory of 2936	2124	cmd.exe	73
PID 2124 wrote to memory of 2936	2124	cmd.exe	73
PID 2124 wrote to memory of 2936	2124	cmd.exe	73
PID 2124 wrote to memory of 1304	2124	cmd.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cbd0f489897aac2dbe22ff4ec215983f3c7741183eaf860a5a876faae62c1a7a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cbd0f489897aac2dbe22ff4ec215983f3c7741183eaf860a5a876faae62c1a7a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
    - - C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:764
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2096
        
        C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BlQmztffGe.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1220
        
        C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wzkVYe0vvu.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2728
        
        C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YUw1O57cI2.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2936
        
        C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat"
        14⤵
        
        PID:2684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2772
        
        C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DC0SKfNvdG.bat"
        16⤵
        
        PID:2276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1964
        
        C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DiMaLaQqUm.bat"
        18⤵
        
        PID:1868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1724
        
        C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat"
        20⤵
        
        PID:2876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2480
        
        C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat"
        22⤵
        
        PID:2984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:844
        
        C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AvSbArq942.bat"
        24⤵
        
        PID:1384
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2280
        
        C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cU7BGbiaqd.bat"
        26⤵
        
        PID:1740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4928bbf4dccc3b7f7c1b8f4e23b8b2a

SHA1
98f463eb47dfe1feed6f32b0d7aa1de29da07a8e

SHA256
532f75f73a87b7a242f20c9dad6badd3aa6b61c785a806b3079c1788e4766c90

SHA512
6bdc320c502634bb7489a0a279968a257788dacf07cf4db8c2622bc7d0a655523463d69428664f4fb7b6ab9d36ed731bd6d09c703284712c24bc7b90ad8521ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8aa6530f4b7e23a585fc36fcbce6e3f

SHA1
00acd9bf647268732996319a61ce653edb088e35

SHA256
49277e072f1c1ce1552bbf133dc5c0bfd1b65fb0e9d260a753d0e6a211e957f9

SHA512
f027baddd4cd17c6016846b242289abd48fb040b981b5af29c9770fb60e05fd9144b7a87999b824465fc61039bb201da429e2c36922f989fdd250dd72704a8ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e33c17b34d5428a2f759a695932a0b80

SHA1
5bc8ae5cd14a74275468c15a673bbb5052e05f1b

SHA256
5d01ca7f5ee1537ba1f22dafa418834cedd055f062a27a23c19a3747ceaaa487

SHA512
17ef7b49620d02363553c7dde0777ab8fb385cbcaa587fa7b5a19c955c95f6920b612e2dc52054effac18f13cd1ca8d7117c331c3b5909564c33e9f7e2ebf350

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20b7d4bd5dc67109f832b3512052d162

SHA1
80c52d2adaf3364fe454bc726856d09920cf24aa

SHA256
9c390248e448dad02a439183d80071e52365a2a6d1a802bef49719bb15387ffd

SHA512
d437b7c39ae2bf1d3f589754e12cb73b50b1e3b22fdefbada0d0b3a0a35048540db72a1996cd11dc72da73681aace6d7ab233fbdd4db82b689e3c49b3ec0331d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3d3f199fa1228ca3e4dfdd01afd9bc5

SHA1
0be2fd7b107e7970a379dc579405e48e7cf9e9dd

SHA256
71a1291de2f75fbde2c8e4fbe6091462f8cf72d1a7564fd3b42d35cba33b8419

SHA512
56f3dc2087a5e3faaaac1c2c677f143eab118828bbef15558cedcbc7d4a0ed94c936f28c216a71231d2bf15c0c13a01781d7dc348ad659cbbf59887a90788740

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b1f9fffe6977eb546bed2267b3ae345

SHA1
690e5ee18120f8c54e3de2cfbd2aeedbaff8f9a9

SHA256
7bf72b293436769fc9bc60173c27389712edfac7b7aa802e94e2219c981a5f6b

SHA512
ffae7eca1c87a0c6d8ca25376b37768b44cde2114fa185e07cb4c5bc6701855ea7c2c077861f676d48d8939059a0734bd52e26f4a5e90bfec391c999f2d78ac5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94d8d4f644a6ed2b52dd2b764410997a

SHA1
cad42e0cb4b21d6f6d12a3a21fb7fae05e2783b3

SHA256
3939cdc9ec228c1084c3f7114a740229ab7e34da661151949b17b10c3865a5ff

SHA512
67f5a74f0b9cdbf4a1413c13442d6d3884f0d514cca84c4859c87a27d188a2d5c5a07340ba508c4361a1c09c8fc4776837150036aea10f8df9ea84519cb0e4d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f21dc93472e005ddbf689fbd9e966eb

SHA1
b94a8665012a7a2ac653e693843e0f673be4004f

SHA256
f97cf5c7f3d8d0ac830189722d4899f57ad93c2489c8e4c1783725dded585a9e

SHA512
96ac64888c8c5c18e28b8c75c77361573483aa8cd631df37538ac4b658ba6cd059df885d2ca4125c7a37c3b7d9c5b7ad39b1ea91b750be10b904d4c29290f48d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60b23c8471655f417b87345989e67741

SHA1
dfa23a86bff8008700b2281e7b47e9630b6dade5

SHA256
283f21d778c4ddf37235eeaaab0f4d4c0496c87a39a881208f8f701f1522cc4c

SHA512
717ee4369b5ba9570db91449c10e615c94d348d815e684749fbd134b53300528e984acc073f89dd044e642274ab6bdb13f90ef50b075db318cf078963dac3296

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68063a8f755cb0259cf03df24e2e7b4e

SHA1
5266b4fd21f5fd23db0ad06957f0ad8b305b3b3a

SHA256
b28c91bab10dcbdce9e23ce2242f099ff83e74effbb8840478f5e6c5d20c2dae

SHA512
f5fa800b2df3edb034074dd41a5d0d6b929cb5709c290ddea2fc80a785d6a2e6241723d8448c38b2b56f9dcebddf172c51cf2e3664b6a2d1376f62df2a2a5934

Download Submit
C:\Users\Admin\AppData\Local\Temp\AvSbArq942.bat

Filesize
225B

MD5
d156e2fae17d7ab476163bcf0a8448e1

SHA1
e18fd7976254719192eddf4eea6f6b2596161cf2

SHA256
5a591e2d193c0f18595f9696d430393720f3dbe60bd6ad6d06325108106996d4

SHA512
af5c364ad462b4d7e9ecbe055116a91cf2bea7ecd169ea13ecc612b111b07a2fb9a6b65ef31c338aa0734d30ae8d8bdb453c09d64ad84de56035160e5cc941f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BlQmztffGe.bat

Filesize
225B

MD5
d1d9bd5e672b36cc6837d5ef5591e8eb

SHA1
91e01e3303e79fac7b516f887167b755e8007f9c

SHA256
7e2f51f08f4bc5d2641fcc1fe7370c10e7b6a70b00e268d56145f71fe5e0e46d

SHA512
25038241dc351081d3957342893ddfb835c4bd5ed36f0ebada387607f30da8b8af4f5ee17e838b593a8f66dc87f1d583fdfb54aaf6bc0b0229e46f0dd17fdc94

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE17B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DC0SKfNvdG.bat

Filesize
225B

MD5
aeccd92dfa6d855578995d70442a3245

SHA1
71c2c890a1c5e148998bca9c0a227b1119a3bfe8

SHA256
71615090302efe58276730043e16863d486c6d05fde6917a698f41bf8f3344fe

SHA512
3934107370ad5666975d97a6c48abf5ac3e0d4b181748f8f0d81768aa7c3d99bd5a759adb80635a888bbc6459754eb0c937b4e6147856283355859cd311a1ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DiMaLaQqUm.bat

Filesize
225B

MD5
9287db985578e3cd1e64d76dffd1f6f4

SHA1
df4f25961e3d2dd3fd21ddb3ad8e5c4d3cc47171

SHA256
4e2d98fcdcf756e34f6a6be21ddac3f9889c599c48c5282f24c2d2c046ac6c8a

SHA512
527677247527c854d3f7bc3a2902e08697152cb4f3bdbf904bea3b608c6eaa06471965d4f4229e72c57691f8901e01b0766484f3eea9feebea2d3be1f7a4f783

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat

Filesize
225B

MD5
cf699a6ec19b97b1e1305ae69e1117c8

SHA1
500838c04866aa15039eab84130bd8c621a56d27

SHA256
cc6701d4f786f6d0669838ba5082187f9ccfbb75be050d95e40b543c3678ff4c

SHA512
202d6e64f79f91dbd56d3a247619473fd13e3bcbb64d1d6577c9029c56182c2b048952537d895a46820863bc44736a2fb45be7ee5a5e3721f76b238b9b6beadd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE19D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat

Filesize
225B

MD5
d4d32bc4f1ccf324f70a71590f60bb9a

SHA1
7e04ead8d4d0de13f554d1a203792d1a2701c6a8

SHA256
017597522a5441b262e900a43cfa9192dc8bbbce0c67b95b283380822b351052

SHA512
9d414ef9f2e001e25b3548187e37aece889ecaa33031ec61b0a7ae3b34cdf0b0d53472f4778566103abd9558ba2dc6b1ddc99cc68cee039a14dc2bcc139a88c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUw1O57cI2.bat

Filesize
225B

MD5
d5accc767de9ae42cb884ab00e44735f

SHA1
c6a0088bf8263fb2b1d60384beab6c616d061f47

SHA256
00405ecf4fd6dd424baf16cbc6b0f91ad45bda0e2f715444d3776c9c3b3f4802

SHA512
88d6e832f37d8ee10ad6a252d3b6f6277ccada26b2f74ea75bcfbba4f7ca377effda8a0a6264a3387b1876bb2d079eb7dbea6c29bbd3c3af1ecce9b1bbe25bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cU7BGbiaqd.bat

Filesize
225B

MD5
8cf112414b384fa65fd566cc6c9b10f9

SHA1
61f8b29787dcf7bb694f438db6e0f20101466069

SHA256
30d0376ef0475353a4f25c177523c1aa2bccea4824bbf7e97810d990fa772691

SHA512
8dde3e1d82ed7fe11da1c2f30e4f380bed71ad15c4f725be0fdfdfdb655cfe1d999764859b42048fde0c9656d9a11f70be250af1155e5acd47b01fb69af31069

Download Submit
C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat

Filesize
225B

MD5
909e2bcaa785a2e402570f359fd0290e

SHA1
91b3dc251ed9f9d535534c91c3161c77bf8d915e

SHA256
36dfb8d5b09a7873fbad0438e04c7a03e3f7016160d13f81461a8e188b54b81f

SHA512
6069a63fb21e77a1a97271fcf4a8f7ca8fa1561fac464b1273ee52d1fb76854d623feb4f0c612d9a896351ea23757ee12f7c32cdecd01aef7b4cfcc2ff61f599

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat

Filesize
225B

MD5
8ca22eabfe7687f3ee2ba48eaef53d49

SHA1
d1896c29f7ecbec0f2e788bcced9ab2ddf844146

SHA256
864b42132ce82fea49a701fe509b2ae9f77378d62e5a7852d01dc1361a5894fe

SHA512
107fbcac0e0832652b81997f22f81456bb059b5164968e598a6f7237d1faf5d17c6379b081b300ab582909d776591773c4ec9d93cbe939118f7c331f43cf1a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzkVYe0vvu.bat

Filesize
225B

MD5
7e3e827ba89b2c25d1cc787f0b4bf962

SHA1
98c8cd5799114eb354298cd43f6773d12de8dc00

SHA256
cc4b7e76149eec56eb6c477178208b4d10a94d0489d8b68f686824f7dfae28a3

SHA512
50fddbe666bf578483b3ac1249db637cb9e0b041edbdf5b8982835dc97b1142f9f3ddad621800b34f37569d2c679fc472be841a7d31d40bceab871c5b9e9aa99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
72f2a9790ebf8e117435b3c919717d1a

SHA1
de9e30683dc4536041a32c47a4bb0fb7cdb12b49

SHA256
605c4341eedd54b8ffdd8d3ce335174090b2a1f7ee3bc1a52c5aa998869e1980

SHA512
1cbb4aad3ad5be055674c6927ed96d435bd0f27dd798559b3f4a6e491363058b75bcaa5884c47f7fc5fb8d666a2b12629b6edcb6ac255bfe6080afc9021f7612

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/484-415-0x00000000002F0000-0x0000000000400000-memory.dmp

Filesize
1.1MB

Download
memory/632-475-0x0000000000340000-0x0000000000450000-memory.dmp

Filesize
1.1MB

Download
memory/764-32-0x0000000000F50000-0x0000000001060000-memory.dmp

Filesize
1.1MB

Download
memory/1664-177-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2168-117-0x00000000011B0000-0x00000000012C0000-memory.dmp

Filesize
1.1MB

Download
memory/2320-17-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/2320-16-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2320-15-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/2320-14-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/2320-13-0x0000000000830000-0x0000000000940000-memory.dmp

Filesize
1.1MB

Download
memory/2388-535-0x0000000000E70000-0x0000000000F80000-memory.dmp

Filesize
1.1MB

Download
memory/2564-237-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2672-595-0x00000000013B0000-0x00000000014C0000-memory.dmp

Filesize
1.1MB

Download
memory/2672-596-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2924-52-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2924-53-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download