dcrat | 22d45452268e2a59199eef54e2ef1923c47249fa33f95242cbbea93be5f9ed27

Analysis

max time kernel
143s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_22d45452268e2a59199eef54e2ef1923c47249fa33f95242cbbea93be5f9ed27.exe
Size

1.3MB
MD5

ad051eb5d5093062b96a49a839a9bc76
SHA1

d75a8fa560ee909d2605d251e5684b16c13f5be1
SHA256

22d45452268e2a59199eef54e2ef1923c47249fa33f95242cbbea93be5f9ed27
SHA512

ef0a536023ffbace48ac9b0e2dbc69be5a8d29cb323d49f757495c1de48c0b5e38763ecb9203359d443cff238268a21aefb45282eef324ae3d7cb5db3b37fd7d
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2992	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2992	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2992	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2992	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2992	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2992	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2992	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2992	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2992	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00060000000186f8-9.dat	dcrat
behavioral1/memory/2804-13-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat
behavioral1/memory/1652-44-0x0000000001210000-0x0000000001320000-memory.dmp	dcrat
behavioral1/memory/2988-167-0x00000000003C0000-0x00000000004D0000-memory.dmp	dcrat
behavioral1/memory/1264-227-0x0000000000950000-0x0000000000A60000-memory.dmp	dcrat
behavioral1/memory/676-287-0x0000000000300000-0x0000000000410000-memory.dmp	dcrat
behavioral1/memory/2732-347-0x0000000000250000-0x0000000000360000-memory.dmp	dcrat
behavioral1/memory/2124-407-0x00000000012B0000-0x00000000013C0000-memory.dmp	dcrat
behavioral1/memory/2516-586-0x0000000001300000-0x0000000001410000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1756	powershell.exe
1320	powershell.exe
1492	powershell.exe
1752	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2804	DllCommonsvc.exe
1652	csrss.exe
2288	csrss.exe
2988	csrss.exe
1264	csrss.exe
676	csrss.exe
2732	csrss.exe
2124	csrss.exe
1756	csrss.exe
112	csrss.exe
2516	csrss.exe
828	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2216	cmd.exe
2216	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
31	raw.githubusercontent.com
34	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
16	raw.githubusercontent.com
27	raw.githubusercontent.com
37	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\de-DE\csrss.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Mail\de-DE\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\de-DE\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_22d45452268e2a59199eef54e2ef1923c47249fa33f95242cbbea93be5f9ed27.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2736	schtasks.exe
2236	schtasks.exe
2184	schtasks.exe
2624	schtasks.exe
2988	schtasks.exe
2892	schtasks.exe
2784	schtasks.exe
2808	schtasks.exe
2628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2804	DllCommonsvc.exe
1320	powershell.exe
1492	powershell.exe
1752	powershell.exe
1756	powershell.exe
1652	csrss.exe
2288	csrss.exe
2988	csrss.exe
1264	csrss.exe
676	csrss.exe
2732	csrss.exe
2124	csrss.exe
1756	csrss.exe
112	csrss.exe
2516	csrss.exe
828	csrss.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	DllCommonsvc.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	1652	csrss.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	2288	csrss.exe
Token: SeDebugPrivilege	2988	csrss.exe
Token: SeDebugPrivilege	1264	csrss.exe
Token: SeDebugPrivilege	676	csrss.exe
Token: SeDebugPrivilege	2732	csrss.exe
Token: SeDebugPrivilege	2124	csrss.exe
Token: SeDebugPrivilege	1756	csrss.exe
Token: SeDebugPrivilege	112	csrss.exe
Token: SeDebugPrivilege	2516	csrss.exe
Token: SeDebugPrivilege	828	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2244	1728	JaffaCakes118_22d45452268e2a59199eef54e2ef1923c47249fa33f95242cbbea93be5f9ed27.exe	31
PID 1728 wrote to memory of 2244	1728	JaffaCakes118_22d45452268e2a59199eef54e2ef1923c47249fa33f95242cbbea93be5f9ed27.exe	31
PID 1728 wrote to memory of 2244	1728	JaffaCakes118_22d45452268e2a59199eef54e2ef1923c47249fa33f95242cbbea93be5f9ed27.exe	31
PID 1728 wrote to memory of 2244	1728	JaffaCakes118_22d45452268e2a59199eef54e2ef1923c47249fa33f95242cbbea93be5f9ed27.exe	31
PID 2244 wrote to memory of 2216	2244	WScript.exe	32
PID 2244 wrote to memory of 2216	2244	WScript.exe	32
PID 2244 wrote to memory of 2216	2244	WScript.exe	32
PID 2244 wrote to memory of 2216	2244	WScript.exe	32
PID 2216 wrote to memory of 2804	2216	cmd.exe	34
PID 2216 wrote to memory of 2804	2216	cmd.exe	34
PID 2216 wrote to memory of 2804	2216	cmd.exe	34
PID 2216 wrote to memory of 2804	2216	cmd.exe	34
PID 2804 wrote to memory of 1492	2804	DllCommonsvc.exe	45
PID 2804 wrote to memory of 1492	2804	DllCommonsvc.exe	45
PID 2804 wrote to memory of 1492	2804	DllCommonsvc.exe	45
PID 2804 wrote to memory of 1752	2804	DllCommonsvc.exe	46
PID 2804 wrote to memory of 1752	2804	DllCommonsvc.exe	46
PID 2804 wrote to memory of 1752	2804	DllCommonsvc.exe	46
PID 2804 wrote to memory of 1320	2804	DllCommonsvc.exe	47
PID 2804 wrote to memory of 1320	2804	DllCommonsvc.exe	47
PID 2804 wrote to memory of 1320	2804	DllCommonsvc.exe	47
PID 2804 wrote to memory of 1756	2804	DllCommonsvc.exe	48
PID 2804 wrote to memory of 1756	2804	DllCommonsvc.exe	48
PID 2804 wrote to memory of 1756	2804	DllCommonsvc.exe	48
PID 2804 wrote to memory of 1652	2804	DllCommonsvc.exe	53
PID 2804 wrote to memory of 1652	2804	DllCommonsvc.exe	53
PID 2804 wrote to memory of 1652	2804	DllCommonsvc.exe	53
PID 1652 wrote to memory of 1780	1652	csrss.exe	54
PID 1652 wrote to memory of 1780	1652	csrss.exe	54
PID 1652 wrote to memory of 1780	1652	csrss.exe	54
PID 1780 wrote to memory of 1916	1780	cmd.exe	56
PID 1780 wrote to memory of 1916	1780	cmd.exe	56
PID 1780 wrote to memory of 1916	1780	cmd.exe	56
PID 1780 wrote to memory of 2288	1780	cmd.exe	57
PID 1780 wrote to memory of 2288	1780	cmd.exe	57
PID 1780 wrote to memory of 2288	1780	cmd.exe	57
PID 2288 wrote to memory of 2280	2288	csrss.exe	58
PID 2288 wrote to memory of 2280	2288	csrss.exe	58
PID 2288 wrote to memory of 2280	2288	csrss.exe	58
PID 2280 wrote to memory of 2904	2280	cmd.exe	60
PID 2280 wrote to memory of 2904	2280	cmd.exe	60
PID 2280 wrote to memory of 2904	2280	cmd.exe	60
PID 2280 wrote to memory of 2988	2280	cmd.exe	61
PID 2280 wrote to memory of 2988	2280	cmd.exe	61
PID 2280 wrote to memory of 2988	2280	cmd.exe	61
PID 2988 wrote to memory of 1088	2988	csrss.exe	62
PID 2988 wrote to memory of 1088	2988	csrss.exe	62
PID 2988 wrote to memory of 1088	2988	csrss.exe	62
PID 1088 wrote to memory of 1320	1088	cmd.exe	64
PID 1088 wrote to memory of 1320	1088	cmd.exe	64
PID 1088 wrote to memory of 1320	1088	cmd.exe	64
PID 1088 wrote to memory of 1264	1088	cmd.exe	65
PID 1088 wrote to memory of 1264	1088	cmd.exe	65
PID 1088 wrote to memory of 1264	1088	cmd.exe	65
PID 1264 wrote to memory of 1552	1264	csrss.exe	66
PID 1264 wrote to memory of 1552	1264	csrss.exe	66
PID 1264 wrote to memory of 1552	1264	csrss.exe	66
PID 1552 wrote to memory of 872	1552	cmd.exe	68
PID 1552 wrote to memory of 872	1552	cmd.exe	68
PID 1552 wrote to memory of 872	1552	cmd.exe	68
PID 1552 wrote to memory of 676	1552	cmd.exe	69
PID 1552 wrote to memory of 676	1552	cmd.exe	69
PID 1552 wrote to memory of 676	1552	cmd.exe	69
PID 676 wrote to memory of 2912	676	csrss.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22d45452268e2a59199eef54e2ef1923c47249fa33f95242cbbea93be5f9ed27.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22d45452268e2a59199eef54e2ef1923c47249fa33f95242cbbea93be5f9ed27.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\de-DE\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
    - - C:\Program Files\Windows Mail\de-DE\csrss.exe
        
        "C:\Program Files\Windows Mail\de-DE\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1652
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1916
        
        C:\Program Files\Windows Mail\de-DE\csrss.exe
        
        "C:\Program Files\Windows Mail\de-DE\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IJ9EkrtYDM.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2904
        
        C:\Program Files\Windows Mail\de-DE\csrss.exe
        
        "C:\Program Files\Windows Mail\de-DE\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1320
        
        C:\Program Files\Windows Mail\de-DE\csrss.exe
        
        "C:\Program Files\Windows Mail\de-DE\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BcPyovVCSH.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:872
        
        C:\Program Files\Windows Mail\de-DE\csrss.exe
        
        "C:\Program Files\Windows Mail\de-DE\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R8iYvsD9nO.bat"
        14⤵
        
        PID:2912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2612
        
        C:\Program Files\Windows Mail\de-DE\csrss.exe
        
        "C:\Program Files\Windows Mail\de-DE\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D2zd9hDRps.bat"
        16⤵
        
        PID:2808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2296
        
        C:\Program Files\Windows Mail\de-DE\csrss.exe
        
        "C:\Program Files\Windows Mail\de-DE\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZES4mQr7Bk.bat"
        18⤵
        
        PID:1784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2852
        
        C:\Program Files\Windows Mail\de-DE\csrss.exe
        
        "C:\Program Files\Windows Mail\de-DE\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KVYyjDtEXm.bat"
        20⤵
        
        PID:2300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2108
        
        C:\Program Files\Windows Mail\de-DE\csrss.exe
        
        "C:\Program Files\Windows Mail\de-DE\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat"
        22⤵
        
        PID:2964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2396
        
        C:\Program Files\Windows Mail\de-DE\csrss.exe
        
        "C:\Program Files\Windows Mail\de-DE\csrss.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat"
        24⤵
        
        PID:2740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2092
        
        C:\Program Files\Windows Mail\de-DE\csrss.exe
        
        "C:\Program Files\Windows Mail\de-DE\csrss.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e81c657bdfba9f423f754e4218f6da54

SHA1
ae0cade698b1af076f71848a5d4921006dc54671

SHA256
b7a725301d5b23a22d33d8ac79a177c2a523e06d4cdf163f23057def849c67cc

SHA512
8eacbf92b0aa3bada2d4597d0e6e3aec3517286c8c327f7eb91874dd0fe76fa829d17eaaf62d99a44b6e5202131f579cf50b0e47908f125ce114b8e75c19a9e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ffed49ae2f08be9e1419a0bb63e68de

SHA1
73f4fb9cbc66ca3cbb51b672a8dea1ae120c7ff3

SHA256
3b33a28ae06ad2f555e30695c3a989d994b668a88d33b5127d9efa35a1cb3452

SHA512
02b8e6939576af72f7bf4d22d424d715456c3a8df68badbc17e9fe485f1452313fed920ac704c33529c997f7c3ce5f00b48f992a0ca195bd4628d3e084d8f346

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa5dde8eb51f80ceda7e2cc9fd7ec882

SHA1
43598ed515217cbf389ca2b4925d5767f74a36f0

SHA256
f8c78168ccd338713f3d3701d02ffa4387024045b6823ea10b04f675fa0f9634

SHA512
6fd37cd5f03cf146c901a365752aae4a84a019eee95c6d0c8b5d4b4c07a7c4608c054b2cb58ef32cefdc31c2d76f48243b1513f363ea85a7448d216e8fdc480a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c63ad42bdedad9855ef4d1730d242b60

SHA1
cfd8fa2634f3930b959aedf2d67073211932394c

SHA256
86e99d6a95a9f987f607217ae3119333c4d912fa565559fe5430e307e73904c8

SHA512
642f14b6896e091b530f2a57d3c12ff7f125b175505cf96d90a35979861e19138c56983f641d7aaa70c5348627d3e055c3f5f0c900bf582127adef0e1f80bced

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ec9a62348a6a22511dadae41e9a881b

SHA1
57626f18b7a18184bee11ead00a4d3a00a0f17eb

SHA256
73953f86afaeaa734b7d60ce0e66fcf79dc2d3d97d75182b5bd87c9acee51e58

SHA512
5b6f76bb7727af57cd0b95f844e2a47cd0d610d2d7e6ebe0e8e5abd6897a0d8fadebcd42f4f7537afb76fba6375ddb295c1272a60ef8cde78b47018ca2b7ba58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce458410f0fbde11b70aabc01056ccad

SHA1
5fa4699194c43a978ab8059b18476e5d381d29d1

SHA256
abcabff90dbe2168c8e13416d2b0bda7ad3b7bf21dd09cf8ad78af69e1d5c234

SHA512
047f80b161386233f816c5c034c3cdc16f9b4efdb98b01c27307c6e215acc95a9a19a3d653a3c1006915da7c6200f9827117e2f86f97eaf9ea683f3fb74ea496

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87c7e50dc236c7c5b066c808af36adeb

SHA1
7e76aca200e94251c91d8b838016e8039f16d74d

SHA256
660916d0bca6ce084fc8fe85ab7ef43c39c4755c6956531476c0d8e61ce86c32

SHA512
dd3bf9d7e857400a81a4789a5ba44d27af0aae3121e1bd214c6ce475fe515283a85cf388ece4f43d607904504838ded24ccb71e08bf79d551cd689f22e389f86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b21ea63eff0d1efc5de512f807ab54d

SHA1
18f6f193e41fcdc64b17c0132b5e4d4e0d888c03

SHA256
643a5ff67b9b56fd98a15e178577b0d31f8a01af3f0714c8e559503cfd02c627

SHA512
745887540b2380598513d9b3e46a7a71719f156fa9b2b70189799a752c558e5637a49761b3d9efd43adc14b4d003ad2c7096790076df7f8c6147d82acbc8d712

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3322a0e505b7fa59365b6d2159b2a5c1

SHA1
815736b7b5452c23c214377469108445f3ded944

SHA256
f2944dd3f6bd37fca52e114559fc67e9d349a858b0d76ab7a1f25a61631264da

SHA512
169b00def8882664e0fd8652ddd9aabeb8d46c827e9e493627c33061dee4aeeb05186286a7118475a238cf4e75bd95ae044af5ae3c834a8773b7f19669d7a118

Download Submit
C:\Users\Admin\AppData\Local\Temp\BcPyovVCSH.bat

Filesize
210B

MD5
f930d90bbb0bf73af48befe19204d7c1

SHA1
6edad78e8c482b1174d4c97d32b580408f4418ca

SHA256
55abfb6a5695bb77ea799f58d44324218bfa132540039f66d87537a49042b792

SHA512
c51c2c4264f47459f685649301a299ad555913e46a88477d905459d3accb7e21c225d2187af68061f9d9e1ef021af0678ffa8db9d83d4d853a3fce7a184d443d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1547.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D2zd9hDRps.bat

Filesize
210B

MD5
6dafcfdc4e01ddd55a90e376c6e02bc7

SHA1
9a9dc739c6d2dc00f171146165fce51415caab06

SHA256
9e31af6491901f87e69dc70cd9c6966e23758c552044b7c2ae6d11bc2dd7a455

SHA512
d8aa4f2e20c4e2182481d2315de8fe1959c22684d9f7ce8e8e48c5a7a5fbaaa4efb57352df066cd8669691b7d9df7e1296273f5833997565907bccf57a3c904e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat

Filesize
210B

MD5
19f146e64512bb679c36e6ffe1c0445d

SHA1
012e538f2b15c6b075667c1c52c4250f2254435c

SHA256
cebae85883cf7e5f4bec6cb85213f7a69df989fbd17c399efe9d0f76881a80c1

SHA512
4e56478d99fc25c3da4e4b1a25c2dd3cca8ae994816dd6432e1f8003e3828aaf83c9d13033269b841bb948d3f357c29eb74c0f945972b9b3094639a0abe69e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IJ9EkrtYDM.bat

Filesize
210B

MD5
070c5a3a7460a075ae0b8790a0ae42a0

SHA1
4b29905aedf00fa990c12841485af494985ab46b

SHA256
467cbd93164c2588783153ecd5f2ef64f88e638407f9c9a93e19907a9dc83dde

SHA512
b24cc95ae78d0d77f6ba6cc58aa015045fff88995567455aa4d809884338b5a32ae8e59deba1a862def326777dd6970673d90d574f014f197bfb1b96e0e98103

Download Submit
C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat

Filesize
210B

MD5
10eaa4d0a6302687fab8bee82f893006

SHA1
b7e124b7fa3edad61f72d55efd146654f2dc2ffb

SHA256
b879a6da464dcb9cba09bd045afda53eb1446a474da2eff5e67d7889a4ef9af0

SHA512
8e135e81791d4b710ffdc71dd01bafb4578b72c8d5df1c0cce8d01df1770b85d07120565a061cef8cb565fab6993e3bce4ddc20603fe4870b65e5c1f017ed781

Download Submit
C:\Users\Admin\AppData\Local\Temp\KVYyjDtEXm.bat

Filesize
210B

MD5
3af8069fae2b24298a839c0dca95efe6

SHA1
8ea752a925c8d9fd17c0feecc3798816ca4e93c2

SHA256
93cfcbcc8fdbd653ae15229bc03b61037fe4083a55e605b9b0763e83c8ad235c

SHA512
292ba61c646554aceef7c1108f2d6483f6a1f1a457e7fe7e2d21fce85af281a91bfd9be35084cf40a8c922a3e6d1f3191449f7164c47e42882e8a5634407d0cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\R8iYvsD9nO.bat

Filesize
210B

MD5
42a8bad0a6946544b596adcbb1fb2682

SHA1
8bf26a6af44a541ab2d83a73b85d04279ad9f3bf

SHA256
ea7c6d85d7a1300d942b81e8d353d229b01b07ba2d604752a28fead6c6e9881e

SHA512
0ae794d7cb9151d172d754010b1dd4c793251d6cfe819b00fbbec640f4f91b6ff2edfc4935e1b7c510dbbb5df9a17827b832be5cd05ba940c233650c9e1020e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar155A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZES4mQr7Bk.bat

Filesize
210B

MD5
1903751296ccb8f8fb76d648a0f9c91f

SHA1
5f9b3f5526f1fbddb1dc62f8b656eed137bd7f86

SHA256
d2f4cfe75abe86b4c0c580e3f4d034864e90ec42c0df66e520602d2663f6fdea

SHA512
dfd73dfaa45f199f4819b1d4e1d5a426744311a3b4202771913f43a1de7bcefea42ba504abfeaee20bf8c83cd18f7cd6622afc9cb1c46c444bebe616f9a72c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat

Filesize
210B

MD5
0394f51f65a76fdd1eeedf65033dde4e

SHA1
3814a174d019209210705aea9b87d84d5acdf8fd

SHA256
75e245b6ad1669acd7256f9fc7813832cdb192cc8db387881d44bc191ffdb6fa

SHA512
e0777d4ef5d5b40436765a3af8c3b1b6d31dec01abf23f68d9d4b106297b71daacaf4bbffe189bd8ee4f38ce032fd62bcb059cad96750b9ff6a8116cacf03a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat

Filesize
210B

MD5
120446498dbda80c08778c73ccdb83e7

SHA1
a0073d01aca5d361dbf1e0b40fa77d116bad4da4

SHA256
b9288a826f1a42039434ca9d4356a617b15b2c37ed045e37046253acdae1beaa

SHA512
f44860d19be10b35f43add1e0ea151202c734b1ccc3c77bdf9cee47fe47cdbb735a31be7602486e5a4b1e9344aaa7c8856dfdf06f207b543a51c70ea2ad90f1e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
42df6f586b8592cf53f93dcd9db9a9c1

SHA1
66b239129620709a00b0d9fb2650c373eab64901

SHA256
6d6a20c755a20ef8e8b19861bea044bdbc934fd51c45b8dfdf7907dd003fc3b8

SHA512
7aa9a184fd24b6a00162d6de363127e16ac1b5bc541d9adbfdcc4ebd2bddcbafabbd6ea0992af874636b18b7a193628f4c7feeb86f0acb9f22597d69bfd7d194

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/676-287-0x0000000000300000-0x0000000000410000-memory.dmp

Filesize
1.1MB

Download
memory/1264-227-0x0000000000950000-0x0000000000A60000-memory.dmp

Filesize
1.1MB

Download
memory/1320-43-0x00000000028D0000-0x00000000028D8000-memory.dmp

Filesize
32KB

Download
memory/1320-40-0x000000001B500000-0x000000001B7E2000-memory.dmp

Filesize
2.9MB

Download
memory/1652-49-0x00000000001E0000-0x00000000001F2000-memory.dmp

Filesize
72KB

Download
memory/1652-44-0x0000000001210000-0x0000000001320000-memory.dmp

Filesize
1.1MB

Download
memory/2124-408-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2124-407-0x00000000012B0000-0x00000000013C0000-memory.dmp

Filesize
1.1MB

Download
memory/2516-586-0x0000000001300000-0x0000000001410000-memory.dmp

Filesize
1.1MB

Download
memory/2732-347-0x0000000000250000-0x0000000000360000-memory.dmp

Filesize
1.1MB

Download
memory/2804-17-0x0000000000860000-0x000000000086C000-memory.dmp

Filesize
48KB

Download
memory/2804-16-0x0000000000850000-0x000000000085C000-memory.dmp

Filesize
48KB

Download
memory/2804-15-0x0000000000840000-0x000000000084C000-memory.dmp

Filesize
48KB

Download
memory/2804-14-0x0000000000620000-0x0000000000632000-memory.dmp

Filesize
72KB

Download
memory/2804-13-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/2988-167-0x00000000003C0000-0x00000000004D0000-memory.dmp

Filesize
1.1MB

Download