dcrat | daec0768b296e86718d9c1dc80c4ebb73eb670c4df2de6e5364e95c8d32b5bf8

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-01-2025 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

daec0768b296e86718d9c1dc80c4ebb73eb670c4df2de6e5364e95c8d32b5bf8N.exe
Size

1.3MB
MD5

500f1fff0b41aafe6527c408a8487190
SHA1

22649596bb9a2b51a4af6185916ce4cb4fce2537
SHA256

daec0768b296e86718d9c1dc80c4ebb73eb670c4df2de6e5364e95c8d32b5bf8
SHA512

7029c79cd3a103c0faf408cd06be61aa6f9ca47892356a63286ebe307de959abe545fe37069b00cae581a03b4cfd86d74b2c5d86cf7f69fd854995779c784243
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2648	schtasks.exe	35

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016cab-10.dat	dcrat
behavioral1/memory/2904-13-0x0000000000CE0000-0x0000000000DF0000-memory.dmp	dcrat
behavioral1/memory/2424-63-0x0000000000E80000-0x0000000000F90000-memory.dmp	dcrat
behavioral1/memory/2668-124-0x0000000001120000-0x0000000001230000-memory.dmp	dcrat
behavioral1/memory/2780-184-0x0000000001230000-0x0000000001340000-memory.dmp	dcrat
behavioral1/memory/1192-363-0x0000000001390000-0x00000000014A0000-memory.dmp	dcrat
behavioral1/memory/1920-424-0x00000000000E0000-0x00000000001F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1932	powershell.exe
1288	powershell.exe
2364	powershell.exe
924	powershell.exe
3008	powershell.exe
1892	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
2904	DllCommonsvc.exe
2424	lsass.exe
2668	lsass.exe
2780	lsass.exe
2168	lsass.exe
2912	lsass.exe
1192	lsass.exe
1920	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
2768	cmd.exe
2768	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\es-ES\System.exe	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\es-ES\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\f3b6ecef712a24	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	daec0768b296e86718d9c1dc80c4ebb73eb670c4df2de6e5364e95c8d32b5bf8N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2464	schtasks.exe
3000	schtasks.exe
2980	schtasks.exe
800	schtasks.exe
2732	schtasks.exe
320	schtasks.exe
656	schtasks.exe
1872	schtasks.exe
2324	schtasks.exe
832	schtasks.exe
2916	schtasks.exe
2868	schtasks.exe
2792	schtasks.exe
2636	schtasks.exe
2840	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2904	DllCommonsvc.exe
1892	powershell.exe
1932	powershell.exe
3008	powershell.exe
2364	powershell.exe
1288	powershell.exe
924	powershell.exe
2424	lsass.exe
2668	lsass.exe
2780	lsass.exe
2168	lsass.exe
2912	lsass.exe
1192	lsass.exe
1920	lsass.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	DllCommonsvc.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	924	powershell.exe
Token: SeDebugPrivilege	2424	lsass.exe
Token: SeDebugPrivilege	2668	lsass.exe
Token: SeDebugPrivilege	2780	lsass.exe
Token: SeDebugPrivilege	2168	lsass.exe
Token: SeDebugPrivilege	2912	lsass.exe
Token: SeDebugPrivilege	1192	lsass.exe
Token: SeDebugPrivilege	1920	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 1620	2188	daec0768b296e86718d9c1dc80c4ebb73eb670c4df2de6e5364e95c8d32b5bf8N.exe	31
PID 2188 wrote to memory of 1620	2188	daec0768b296e86718d9c1dc80c4ebb73eb670c4df2de6e5364e95c8d32b5bf8N.exe	31
PID 2188 wrote to memory of 1620	2188	daec0768b296e86718d9c1dc80c4ebb73eb670c4df2de6e5364e95c8d32b5bf8N.exe	31
PID 2188 wrote to memory of 1620	2188	daec0768b296e86718d9c1dc80c4ebb73eb670c4df2de6e5364e95c8d32b5bf8N.exe	31
PID 1620 wrote to memory of 2768	1620	WScript.exe	32
PID 1620 wrote to memory of 2768	1620	WScript.exe	32
PID 1620 wrote to memory of 2768	1620	WScript.exe	32
PID 1620 wrote to memory of 2768	1620	WScript.exe	32
PID 2768 wrote to memory of 2904	2768	cmd.exe	34
PID 2768 wrote to memory of 2904	2768	cmd.exe	34
PID 2768 wrote to memory of 2904	2768	cmd.exe	34
PID 2768 wrote to memory of 2904	2768	cmd.exe	34
PID 2904 wrote to memory of 1932	2904	DllCommonsvc.exe	51
PID 2904 wrote to memory of 1932	2904	DllCommonsvc.exe	51
PID 2904 wrote to memory of 1932	2904	DllCommonsvc.exe	51
PID 2904 wrote to memory of 1288	2904	DllCommonsvc.exe	52
PID 2904 wrote to memory of 1288	2904	DllCommonsvc.exe	52
PID 2904 wrote to memory of 1288	2904	DllCommonsvc.exe	52
PID 2904 wrote to memory of 2364	2904	DllCommonsvc.exe	53
PID 2904 wrote to memory of 2364	2904	DllCommonsvc.exe	53
PID 2904 wrote to memory of 2364	2904	DllCommonsvc.exe	53
PID 2904 wrote to memory of 924	2904	DllCommonsvc.exe	54
PID 2904 wrote to memory of 924	2904	DllCommonsvc.exe	54
PID 2904 wrote to memory of 924	2904	DllCommonsvc.exe	54
PID 2904 wrote to memory of 3008	2904	DllCommonsvc.exe	55
PID 2904 wrote to memory of 3008	2904	DllCommonsvc.exe	55
PID 2904 wrote to memory of 3008	2904	DllCommonsvc.exe	55
PID 2904 wrote to memory of 1892	2904	DllCommonsvc.exe	56
PID 2904 wrote to memory of 1892	2904	DllCommonsvc.exe	56
PID 2904 wrote to memory of 1892	2904	DllCommonsvc.exe	56
PID 2904 wrote to memory of 2424	2904	DllCommonsvc.exe	63
PID 2904 wrote to memory of 2424	2904	DllCommonsvc.exe	63
PID 2904 wrote to memory of 2424	2904	DllCommonsvc.exe	63
PID 2424 wrote to memory of 2200	2424	lsass.exe	64
PID 2424 wrote to memory of 2200	2424	lsass.exe	64
PID 2424 wrote to memory of 2200	2424	lsass.exe	64
PID 2200 wrote to memory of 2956	2200	cmd.exe	66
PID 2200 wrote to memory of 2956	2200	cmd.exe	66
PID 2200 wrote to memory of 2956	2200	cmd.exe	66
PID 2200 wrote to memory of 2668	2200	cmd.exe	67
PID 2200 wrote to memory of 2668	2200	cmd.exe	67
PID 2200 wrote to memory of 2668	2200	cmd.exe	67
PID 2668 wrote to memory of 276	2668	lsass.exe	68
PID 2668 wrote to memory of 276	2668	lsass.exe	68
PID 2668 wrote to memory of 276	2668	lsass.exe	68
PID 276 wrote to memory of 2764	276	cmd.exe	70
PID 276 wrote to memory of 2764	276	cmd.exe	70
PID 276 wrote to memory of 2764	276	cmd.exe	70
PID 276 wrote to memory of 2780	276	cmd.exe	71
PID 276 wrote to memory of 2780	276	cmd.exe	71
PID 276 wrote to memory of 2780	276	cmd.exe	71
PID 2780 wrote to memory of 928	2780	lsass.exe	72
PID 2780 wrote to memory of 928	2780	lsass.exe	72
PID 2780 wrote to memory of 928	2780	lsass.exe	72
PID 928 wrote to memory of 2416	928	cmd.exe	74
PID 928 wrote to memory of 2416	928	cmd.exe	74
PID 928 wrote to memory of 2416	928	cmd.exe	74
PID 928 wrote to memory of 2168	928	cmd.exe	75
PID 928 wrote to memory of 2168	928	cmd.exe	75
PID 928 wrote to memory of 2168	928	cmd.exe	75
PID 2168 wrote to memory of 2748	2168	lsass.exe	76
PID 2168 wrote to memory of 2748	2168	lsass.exe	76
PID 2168 wrote to memory of 2748	2168	lsass.exe	76
PID 2748 wrote to memory of 676	2748	cmd.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\daec0768b296e86718d9c1dc80c4ebb73eb670c4df2de6e5364e95c8d32b5bf8N.exe
"C:\Users\Admin\AppData\Local\Temp\daec0768b296e86718d9c1dc80c4ebb73eb670c4df2de6e5364e95c8d32b5bf8N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\es-ES\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
    - - C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J91AFVPMIK.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2956
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DFgOOKl5EO.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2764
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2416
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mJIFszAWFu.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:676
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U4eMIZxK0W.bat"
        14⤵
        
        PID:2576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2384
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat"
        16⤵
        
        PID:3000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1740
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\es-ES\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
799e1a94d6ee4602ee6146d46a8abf7c

SHA1
fca044cdda6a43187597c705ff691900745e0773

SHA256
e5df7eb40449fd0a9d45d39b86ab0843a035bcbdcbb35bec9c635ab0ef2a0e7e

SHA512
cb63c4ac88f9625146405e01478aef75e7a7951a3e5db8d5fa9cf81d58a91c62267393c885d7032f93cab31a8950705aac1638ae818d453d6ab138a94dc8ce12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e69d2e0ce1258eff2c74ea966369ea8b

SHA1
f992bbb9bb74816838a162cfc2cdc727a5e51718

SHA256
f66613359ef15969889896c47b7dafa895a0130f0e451116a7893344c157d42c

SHA512
4097b8c91919be7a52567111ee7b970fb19fa7a20220ae905d2c93eb85b7923c5f858c0d621f849da642a3296c559ce6df548d6c6adf91fe5d27756f80e36c7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
733ce82b312042ffa504d520b76aad43

SHA1
2b790d36869fa3292504663c634aeb4aef49d5c9

SHA256
3e74e55f017597402075c5d20c80577de28204a040fe275ad974b0c9dc42456a

SHA512
d48d77324255214b6fea7eba707b9d8ce2310419603f88526c9c7b25e7520bd2e61e3de20d9b89a5c7c76e478cdcd2a6245a2d07ad1287dc134ed4d8d52d6818

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c62c442594c7d5e334b602b0dc57f1c0

SHA1
7655981cf77e93ff2af128e7d0740d1d6348fc44

SHA256
bfb512aafa4ed0b41477fe963097611e75649ff282ce388b67014522a0950734

SHA512
d628795e87031267b6bae21cac9cb289cf50c6f99da8cb93db9174e018db8deb464c46a522b3cad6d79f3efae2a1408ba2de3eb144b281f548204a82985a0552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45a36b2294b9bd6743b6909d08d06b57

SHA1
873373cd6c687c54efe1144c5158c1cdc1256bd4

SHA256
64314f5f6e33d1b7b7093d1300680f0ddd04c284115d7dd0abb9b38a8156ada7

SHA512
f0ced1713b02ded8cc03d5d3d1b3e5eddaa7442f00c02e03cfe1fa4be8673e12e54cfdc2cf46251552bfd212a26920aa7fd4cfa0b5620749f17af39cdf47e1b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2856d4bc8d816f23febe3f4682ee907c

SHA1
53d76daecc8766344dc503158892bcc6ada368b3

SHA256
3c8af5c40bb5d779f4af6832af0ba4805ef1753529f290da3512fbfc59b9e789

SHA512
c404bd5f7a04d904b2d84f4bf903d321f216c83e4ffe567dcc12a43aec934269cc1e05952430e5a4579f3980232d5ee45e7b30d2aeeb11a44d5a8af4e495a804

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat

Filesize
192B

MD5
3c362fa2d0919f974ce55bce69aa3811

SHA1
1d1cfae71d17f5554e78ce1e649728d242e6b5d0

SHA256
d39ba17065bff400dfb1938d9240c341349da1e6510794c2749842295ea946f8

SHA512
d76fe5c9fe9ea5fd1895dfb38ea1674c1114ddd8b93554163eca8fdea9cf90aa53ef792052926f1543cd78150f5337e90401a84ef57cfa01d92e2fce519e2814

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab284A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DFgOOKl5EO.bat

Filesize
192B

MD5
e182bea9d38e2f9c902ea8d2f022f4c2

SHA1
1b8abe8020ecb85f3bca9531356bdccd980ca1ef

SHA256
0df8e13787978421d112eb6212aed3e81248c3860b6bdafe4372d3e55ae68f73

SHA512
9c20130dc2e0b64c755d179eb71c33802b9d23b709fe70eefcbb6cdcdc62d4ea64ec5e71073d8c5fc5c4f4e59e4059c7be21362e914ab6274b3f12421ade09e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat

Filesize
192B

MD5
36bcbb6314ba9509dfe683f2b1023443

SHA1
da85ff7e3451b54d80874e19d8ab17a415efa6fa

SHA256
1327cd4e375172dc6695526edb22ccb4a01307166f91cf4efb4f2db6769eed11

SHA512
dbed32dc0443d079b697f2569c43eb7b43193884c9265aa11e99c80fdcaa56e0e6824ac0a9c14199af12ac47eb1e37f70c7651095468dfa04cf3ee5d6e611d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\J91AFVPMIK.bat

Filesize
192B

MD5
aa9661fd8ec3e379a6c6e740a942aa16

SHA1
88305d180db11bb38609341fa70bed075807f00c

SHA256
36a91777349155929f9e11e5dd5466137ed602ce45d8711e39848e6bdda64153

SHA512
9378a446cd3e637df5a5ff2f56b1158d914e779a8cca33d220fcce998fc8bdbef311771612a2af1497978b5b2da03250df030f82ba242f6ad8ea3a9c053d38b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar288C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\U4eMIZxK0W.bat

Filesize
192B

MD5
3b125000c3cafb735836cefd572876cf

SHA1
d55b010356b5d91d63ec0f150d7e8d17b16f191f

SHA256
68f6daf8488a32a1a386cc77e03e54475c0abea405c809120a8da006cec4f384

SHA512
be3a0ec3e1b607c8734b5595e9842364dde1fb24f976c7f70dec0b658b7dcc83195dd303a4af0b8a001fe5bb346b6d8f53a21c60bcc8891534af45f5d63ddbae

Download Submit
C:\Users\Admin\AppData\Local\Temp\mJIFszAWFu.bat

Filesize
192B

MD5
f57bba4eb6d99a3ecb83746e8e7a6fb2

SHA1
84216ca363df95b42819cd6bed1885c60b762073

SHA256
3453caef17e242aa2bf6ccb3c88febe31139971e3051c51d1609e5fe82d13f9f

SHA512
a3cee623d9c6bf72f1605282cc927c31e51b26e54362e45acfbf6c07e3609f3391484c3e95059bf7d37a8380590ae8c00e3923efdf684da578f3e81919fb4aea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
dfe9e32e5b775f8246f986719c865a64

SHA1
80b54a06aa2271b2460ea7c7a0f89d9aa6330756

SHA256
ddf4b53093b8cde53b824ab5cb55750300d29216dd2946565bee1b6906a1009d

SHA512
c37f4faacf7b9c044339fdc3f152f81c9eab024635106c9cc6c87ccf967a2fff8e2cdd5d501057b3a7a3039830026de0d77de3983f2ecbb1555704e4906b0f6a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1192-363-0x0000000001390000-0x00000000014A0000-memory.dmp

Filesize
1.1MB

Download
memory/1192-364-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/1892-64-0x000000001B470000-0x000000001B752000-memory.dmp

Filesize
2.9MB

Download
memory/1892-65-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/1920-424-0x00000000000E0000-0x00000000001F0000-memory.dmp

Filesize
1.1MB

Download
memory/2424-63-0x0000000000E80000-0x0000000000F90000-memory.dmp

Filesize
1.1MB

Download
memory/2668-124-0x0000000001120000-0x0000000001230000-memory.dmp

Filesize
1.1MB

Download
memory/2780-184-0x0000000001230000-0x0000000001340000-memory.dmp

Filesize
1.1MB

Download
memory/2904-17-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2904-15-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2904-13-0x0000000000CE0000-0x0000000000DF0000-memory.dmp

Filesize
1.1MB

Download
memory/2904-14-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2904-16-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2912-303-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download