Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-11-2022 09:08
Behavioral task
behavioral1
Sample
2df82be0158d2029ee855de4b3ac90796d2ee83628b263146322b065ed6d77dd.exe
Resource
win10v2004-20220812-en
General
Target: 2df82be0158d2029ee855de4b3ac90796d2ee83628b263146322b065ed6d77dd.exe
Size: 1.3MB
MD5: abdb3803b2d0ace674f0cff7313cbe9e
SHA1: 02d57970a248b380113ef530fe74a877ba4a3d3a
SHA256: 2df82be0158d2029ee855de4b3ac90796d2ee83628b263146322b065ed6d77dd
SHA512: 694e8ac258fb35e9b8de4ffeabca5b898c5c585eb727144f5ecd2044aca8169cc7e95d63eefde852ce10ff945dbc4e8743a4556fdd74e7f8b370222237e60fba
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal RAT (DcRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
Process spawned unexpected child process 15 IoCs
The generic signature text says this "typically indicates the parent process was compromised via an exploit or macro". For WmiPrvSE.exe that reading is usually wrong: it hosts WMI providers and is recorded as the parent of any process created through WMI (for example Win32_Process.Create), so the real initiator is whichever process issued the WMI call. The same parent/child pair also appears in WMI-based lateral movement, which is why it is still worth alerting on.
Parent: C:\Windows\system32\wbem\wmiprvse.exe (PID 2404, procid_target 23) is not expected to spawn schtasks.exe
Child schtasks.exe PIDs: 4364, 460, 4156, 4028, 4356, 5028, 4984, 2172, 1276, 1640, 3424, 1124, 2332, 2912, 1372
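The ancestry check behind this signature, as an added example that is not part of the sandbox report and not code from the sample: it rebuilds a process tree from process-creation events and flags both patterns the report shows, WmiPrvSE.exe as the direct parent of a scheduler or shell, and an executable outside the Windows directory launched through the WScript.exe -> cmd.exe chain. The event list is constructed to mirror the PIDs and images in this report; "sample.exe" stands in for the submitted file, ppid 1 marks parents outside the captured data, and the set of WmiPrvSE children treated as suspicious is an assumption, not something the report states.

```python
"""
Added example (not sandbox output): rebuild a process tree from
process-creation events and flag two ancestry patterns:
  1. WmiPrvSE.exe as the direct parent of a scheduler or shell binary;
  2. an executable outside the Windows directory whose ancestry contains
     both a script host and a shell (the .vbe -> .bat -> dropped EXE chain).
"""
from pathlib import PureWindowsPath

# Constructed process-creation events mirroring the report: (pid, ppid, image, command line).
# 'sample.exe' stands in for the submitted file; ppid 1 means the parent was not captured.
EVENTS = [
    (764, 1, r"C:\Users\Admin\AppData\Local\Temp\sample.exe", r"sample.exe"),
    (1356, 764, r"C:\Windows\SysWOW64\WScript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"'),
    (4844, 1356, r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "'),
    (712, 4844, r"C:\providercommon\DllCommonsvc.exe", r'"C:\providercommon\DllCommonsvc.exe"'),
    (1500, 712, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'"),
    (2224, 712, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qLRRUCAxeT.bat"'),
    (964, 2224, r"C:\Recovery\WindowsRE\csrss.exe", r'"C:\Recovery\WindowsRE\csrss.exe"'),
    (2404, 1, r"C:\Windows\system32\wbem\wmiprvse.exe", r"wmiprvse.exe"),
    (4364, 2404, r"C:\Windows\system32\schtasks.exe",
     r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f'''),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Assumed list of WmiPrvSE children worth flagging; not taken from the report.
WMI_SUSPECT_CHILDREN = {"schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe"}


def image_name(path):
    return PureWindowsPath(path).name.lower()


def build_tree(events):
    """Map pid -> (ppid, image, cmdline). A later event wins if a pid is reused."""
    return {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}


def parent_names(tree, pid):
    """Image names of a process's ancestors, nearest first. The 'seen' set
    stops a malformed ppid cycle from looping forever."""
    names, seen = [], set()
    ppid = tree[pid][0]
    while ppid in tree and ppid not in seen:
        seen.add(ppid)
        names.append(image_name(tree[ppid][1]))
        ppid = tree[ppid][0]
    return names


def wmi_spawned_suspects(tree):
    """Rule 1: WmiPrvSE.exe is the direct parent of a scheduler or shell.
    WmiPrvSE launches whatever a WMI client asks for (Win32_Process.Create),
    so the recorded parent is not the initiator; the WMI client is."""
    hits = []
    for pid, (ppid, image, _cmd) in tree.items():
        parent = tree.get(ppid)
        if parent and image_name(parent[1]) == "wmiprvse.exe" \
                and image_name(image) in WMI_SUSPECT_CHILDREN:
            hits.append((ppid, pid, image_name(image)))
    return sorted(hits)


def script_host_chain_suspects(tree):
    """Rule 2: a binary outside the Windows directory whose ancestry holds
    both a script host and a shell."""
    hits = []
    for pid, (_ppid, image, _cmd) in tree.items():
        if image.lower().startswith("c:\\windows\\"):
            continue
        lineage = set(parent_names(tree, pid))
        if lineage & SCRIPT_HOSTS and lineage & SHELLS:
            hits.append((pid, image))
    return sorted(hits)


if __name__ == "__main__":
    tree = build_tree(EVENTS)
    for ppid, pid, child in wmi_spawned_suspects(tree):
        print(f"[wmi-spawn] wmiprvse.exe ({ppid}) -> {child} ({pid})")
    for pid, image in script_host_chain_suspects(tree):
        print(f"[script-chain] pid {pid}: {image}")
```

On the constructed events the first rule reports only the schtasks.exe child of PID 2404, and the second reports DllCommonsvc.exe (PID 712) and the dropped csrss.exe (PID 964) but not the submitted file itself, which has no script-host ancestry. Rule 2 is deliberately path-based rather than name-based, because the dropped files borrow the names of genuine system binaries.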
YARA matches (rule: dcrat), resource:
behavioral1/files/0x0003000000000723-137.dat
behavioral1/files/0x0003000000000723-138.dat
behavioral1/memory/712-139-0x0000000000B60000-0x0000000000C70000-memory.dmp (memory of PID 712, DllCommonsvc.exe)
behavioral1/files/0x0003000000000727-171.dat
behavioral1/files/0x0003000000000727-172.dat
behavioral1/files/0x0003000000000727-179.dat
behavioral1/files/0x0003000000000727-187.dat
behavioral1/files/0x0003000000000727-194.dat
behavioral1/files/0x0003000000000727-201.dat
behavioral1/files/0x0003000000000727-208.dat
behavioral1/files/0x0003000000000727-215.dat
behavioral1/files/0x0003000000000727-222.dat
behavioral1/files/0x0003000000000727-229.dat
behavioral1/files/0x0003000000000727-236.dat
behavioral1/files/0x0003000000000727-243.dat
Executes dropped EXE 12 IoCs
PID 712: DllCommonsvc.exe
csrss.exe PIDs: 964, 632, 4984, 1520, 3960, 2992, 1584, 2528, 4152, 4592, 1784
Checks computer location settings 2 TTPs 14 IoCs
Looks up the country code configured in the registry, likely a geofence check. Reading this value is also part of ordinary locale initialisation (the .NET runtime's region lookups, for example), so on its own it is a weak indicator; here it is corroborated by the rest of the behaviour.
Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
Queried by: csrss.exe (11 times), 2df82be0158d2029ee855de4b3ac90796d2ee83628b263146322b065ed6d77dd.exe, WScript.exe, DllCommonsvc.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Drops file in Program Files directory 2 IoCs
File created: C:\Program Files\Java\jdk1.8.0_66\cmd.exe (by DllCommonsvc.exe)
File created: C:\Program Files\Java\jdk1.8.0_66\ebf1f9fa8afd6d (by DllCommonsvc.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The signature text labels this "likely ransomware behaviour", but it is a generic heuristic: drive enumeration is not evidence of encryption activity, and the sample is classified as DcRat above.
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
schtasks.exe PIDs: 1640, 3424, 1124, 2912, 4156, 4356, 5028, 1276, 1372, 4364, 460, 2332, 4028, 4984, 2172
Modifies registry class 13 IoCs
Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings
Created by: DllCommonsvc.exe, csrss.exe (11 times), 2df82be0158d2029ee855de4b3ac90796d2ee83628b263146322b065ed6d77dd.exe
Suspicious behavior: EnumeratesProcesses 35 IoCs
PID 712 DllCommonsvc.exe (12 times)
powershell.exe PIDs 208, 1472, 3792, 1268, 1580, 1500 (twice each)
csrss.exe PIDs 964, 632, 4984, 1520, 3960, 2992, 1584, 2528, 4152, 4592, 1784
Suspicious use of AdjustPrivilegeToken 18 IoCs
Token: SeDebugPrivilege, enabled by:
PID 712 DllCommonsvc.exe
powershell.exe PIDs 208, 1472, 3792, 1268, 1580, 1500
csrss.exe PIDs 964, 632, 4984, 1520, 3960, 2992, 1584, 2528, 4152, 4592, 1784
Suspicious use of WriteProcessMemory 64 IoCs
The raw table logs each parent-to-child write two or three times; each pair is listed once here as writer PID (image) -> target PID [procid_target].
764 (2df82be0158d2029ee855de4b3ac90796d2ee83628b263146322b065ed6d77dd.exe) -> 1356 [56]
1356 (WScript.exe) -> 4844 [82]
4844 (cmd.exe) -> 712 [84]
712 (DllCommonsvc.exe) -> 1500 [100], 1580 [101], 1268 [102], 3792 [109], 208 [105], 1472 [106], 2224 [112]
2224 (cmd.exe) -> 396 [114], 964 [115]
964 (csrss.exe) -> 4716 [120]
4716 (cmd.exe) -> 4048 [121], 632 [126]
632 (csrss.exe) -> 5068 [127]
5068 (cmd.exe) -> 4360 [129], 4984 [130]
4984 (csrss.exe) -> 1368 [131]
1368 (cmd.exe) -> 2532 [133], 1520 [134]
1520 (csrss.exe) -> 2100 [135]
2100 (cmd.exe) -> 4892 [137], 3960 [138]
3960 (csrss.exe) -> 3604 [139]
3604 (cmd.exe) -> 3400 [141], 2992 [142]
2992 (csrss.exe) -> 240 [143]
240 (cmd.exe) -> 3676 [145], 1584 [146]
1584 (csrss.exe) -> 3964 [148]
Processes
Process tree; the level number is the nesting depth (a level-N entry is a child of the nearest level-(N-1) entry above it).
Level 1: C:\Users\Admin\AppData\Local\Temp\2df82be0158d2029ee855de4b3ac90796d2ee83628b263146322b065ed6d77dd.exe (PID 764)
  Command: "C:\Users\Admin\AppData\Local\Temp\2df82be0158d2029ee855de4b3ac90796d2ee83628b263146322b065ed6d77dd.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
Level 2: C:\Windows\SysWOW64\WScript.exe (PID 1356)
  Command: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  (the command names System32, but the 32-bit parent is subject to WOW64 file-system redirection, hence the SysWOW64 image)
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
Level 3: C:\Windows\SysWOW64\cmd.exe (PID 4844)
  Command: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
  - Suspicious use of WriteProcessMemory
Level 4: C:\providercommon\DllCommonsvc.exe (PID 712)
  Command: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
DllCommonsvc.exe launches six PowerShell children, each adding a Windows Defender path exclusion for one of the locations its scheduled tasks point at. Add-MpPreference needs administrative rights, so the exclusions only take effect if the sample ran elevated.
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1500)
  Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1580)
  Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1268)
  Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 208)
  Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\WmiPrvSE.exe'
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1472)
  Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.8.0_66\cmd.exe'
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3792)
  Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\WmiPrvSE.exe'
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
From here the tree is a loop: each dropped csrss.exe runs a fresh .bat from %TEMP%, the batch calls w32tm and then starts csrss.exe again, eleven times in the captured window. The w32tm command (/stripchart against localhost, two samples five seconds apart, data only) performs no useful time synchronisation; it acts as a roughly five-second delay between relaunches.
Level 5: C:\Windows\System32\cmd.exe (PID 2224)
  Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qLRRUCAxeT.bat"
  - Suspicious use of WriteProcessMemory
Level 6: C:\Windows\system32\w32tm.exe (PID 396)
  Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Level 6: C:\Recovery\WindowsRE\csrss.exe (PID 964)
  Command: "C:\Recovery\WindowsRE\csrss.exe"
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Level 7: C:\Windows\System32\cmd.exe (PID 4716)
  Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M1TWCJOn7d.bat"
  - Suspicious use of WriteProcessMemory
Level 8: C:\Windows\system32\w32tm.exe (PID 4048)
  Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Level 8: C:\Recovery\WindowsRE\csrss.exe (PID 632)
  Command: "C:\Recovery\WindowsRE\csrss.exe"
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Level 9: C:\Windows\System32\cmd.exe (PID 5068)
  Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat"
  - Suspicious use of WriteProcessMemory
Level 10: C:\Windows\system32\w32tm.exe (PID 4360)
  Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Level 10: C:\Recovery\WindowsRE\csrss.exe (PID 4984)
  Command: "C:\Recovery\WindowsRE\csrss.exe"
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Level 11: C:\Windows\System32\cmd.exe (PID 1368)
  Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat"
  - Suspicious use of WriteProcessMemory
Level 12: C:\Windows\system32\w32tm.exe (PID 2532)
  Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Level 12: C:\Recovery\WindowsRE\csrss.exe (PID 1520)
  Command: "C:\Recovery\WindowsRE\csrss.exe"
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Level 13: C:\Windows\System32\cmd.exe (PID 2100)
  Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"
  - Suspicious use of WriteProcessMemory
Level 14: C:\Windows\system32\w32tm.exe (PID 4892)
  Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Level 14: C:\Recovery\WindowsRE\csrss.exe (PID 3960)
  Command: "C:\Recovery\WindowsRE\csrss.exe"
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Level 15: C:\Windows\System32\cmd.exe (PID 3604)
  Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zj0hR7WTEZ.bat"
  - Suspicious use of WriteProcessMemory
Level 16: C:\Windows\system32\w32tm.exe (PID 3400)
  Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Level 16: C:\Recovery\WindowsRE\csrss.exe (PID 2992)
  Command: "C:\Recovery\WindowsRE\csrss.exe"
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Level 17: C:\Windows\System32\cmd.exe (PID 240)
  Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tYG4XGbOex.bat"
  - Suspicious use of WriteProcessMemory
Level 18: C:\Windows\system32\w32tm.exe (PID 3676)
  Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Level 18: C:\Recovery\WindowsRE\csrss.exe (PID 1584)
  Command: "C:\Recovery\WindowsRE\csrss.exe"
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Level 19: C:\Windows\System32\cmd.exe (PID 3964)
  Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1CE969IshF.bat"
Level 20: C:\Windows\system32\w32tm.exe (PID 1296)
  Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Level 20: C:\Recovery\WindowsRE\csrss.exe (PID 2528)
  Command: "C:\Recovery\WindowsRE\csrss.exe"
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Level 21: C:\Windows\System32\cmd.exe (PID 1908)
  Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat"
Level 22: C:\Windows\system32\w32tm.exe (PID 852)
  Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Level 22: C:\Recovery\WindowsRE\csrss.exe (PID 4152)
  Command: "C:\Recovery\WindowsRE\csrss.exe"
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Level 23: C:\Windows\System32\cmd.exe (PID 4192)
  Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tYG4XGbOex.bat"
Level 24: C:\Windows\system32\w32tm.exe (PID 4332)
  Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Level 24: C:\Recovery\WindowsRE\csrss.exe (PID 4592)
  Command: "C:\Recovery\WindowsRE\csrss.exe"
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Level 25: C:\Windows\System32\cmd.exe (PID 4620)
  Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lZfwAG7KGX.bat"
Level 26: C:\Windows\system32\w32tm.exe (PID 2288)
  Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Level 26: C:\Recovery\WindowsRE\csrss.exe (PID 1784)
  Command: "C:\Recovery\WindowsRE\csrss.exe"
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Level 27: C:\Windows\System32\cmd.exe (PID 1316)
  Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uP802u8Cku.bat"
Level 28: C:\Windows\system32\w32tm.exe (PID 4612)
  Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Scheduled tasks. Each schtasks.exe below is a level-1 process with wmiprvse.exe (PID 2404) as its parent, and every entry carries both "Process spawned unexpected child process" and "Creates scheduled task(s)". The pattern is the same for each of the five payload paths (C:\Recovery\WindowsRE\csrss.exe, C:\providercommon\RuntimeBroker.exe, C:\odt\WmiPrvSE.exe, C:\Recovery\WindowsRE\WmiPrvSE.exe, C:\Program Files\Java\jdk1.8.0_66\cmd.exe): one ONLOGON task and two MINUTE-interval tasks, with /rl HIGHEST on the logon task and one of the interval tasks. The task names and file names mimic genuine Windows binaries, but none of the paths is a system directory. /rl HIGHEST only grants the highest privileges available to the creating user's token, so the tasks run elevated only if the sample was.
PID 4364: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
PID 460: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
PID 4156: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
PID 4028: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
PID 4356: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
PID 5028: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
PID 4984: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\odt\WmiPrvSE.exe'" /f
PID 2172: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
PID 1276: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
PID 1640: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
PID 3424: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
PID 1124: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
PID 2332: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jdk1.8.0_66\cmd.exe'" /f
PID 2912: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.8.0_66\cmd.exe'" /rl HIGHEST /f
PID 1372: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jdk1.8.0_66\cmd.exe'" /rl HIGHEST /f
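Turning the scheduled-task and Add-MpPreference command lines above into a remediation list, as an added example that is neither the sandbox's nor the sample's code: it parses each "schtasks /create" line into a task record, flags targets whose file name matches a well-known Windows binary but whose path is not a system directory, and collects the paths excluded from Defender, so a responder ends up with one set of files to acquire and remove. The command lines are a subset copied from this report; the list of impersonated binary names, the system-directory prefixes and the one benign task used as a negative case are assumptions of this example.

```python
"""
Added example (not sandbox output): extract persistence and defense-evasion
indicators from schtasks /create and Add-MpPreference command lines.
"""
import re
from pathlib import PureWindowsPath

# Command lines copied from the report (subset) plus one constructed benign task.
COMMAND_LINES = [
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\odt\WmiPrvSE.exe'",
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\providercommon\RuntimeBroker.exe'" /f''',
    r'''schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f''',
    r'''schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.8.0_66\cmd.exe'" /rl HIGHEST /f''',
    # constructed benign entry, not from the report
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe" /f''',
]

# Assumed: names of the genuine Windows binaries the dropped files imitate, and
# the directories where the genuine copies live.
SYSTEM_BINARY_NAMES = {"csrss.exe", "wmiprvse.exe", "runtimebroker.exe", "cmd.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.IGNORECASE)


def _flag(cmd, name, value_pattern):
    """Value of a /name switch, or None when the switch is absent."""
    m = re.search(rf"/{name}\s+{value_pattern}", cmd, re.IGNORECASE)
    return m.group(1) if m else None


def parse_schtasks_create(cmd):
    """Turn a 'schtasks /create' command line into a task record; None otherwise."""
    if not re.search(r"schtasks(\.exe)?\s+/create\b", cmd, re.IGNORECASE):
        return None
    target = _flag(cmd, "tr", r'"([^"]+)"')
    return {
        "name": _flag(cmd, "tn", r'"([^"]+)"'),
        "schedule": (_flag(cmd, "sc", r"(\w+)") or "").upper(),
        "modifier": int(_flag(cmd, "mo", r"(\d+)") or 0),
        # the report's tasks wrap the path in single quotes inside the double quotes
        "target": target.strip("'") if target else None,
        "run_level": (_flag(cmd, "rl", r"(\w+)") or "LIMITED").upper(),
        "force": bool(re.search(r"\s/f(\s|$)", cmd, re.IGNORECASE)),
    }


def masquerades_system_binary(path):
    """True when the file name is a known system binary but the path is not a system directory."""
    p = path.lower()
    return PureWindowsPath(p).name in SYSTEM_BINARY_NAMES and not p.startswith(SYSTEM_DIRS)


def parse_defender_exclusion(cmd):
    m = EXCLUSION_RE.search(cmd)
    return m.group(1) if m else None


def triage(command_lines):
    """Summarise tasks, masquerading task targets and Defender exclusions."""
    tasks = [t for t in map(parse_schtasks_create, command_lines) if t]
    exclusions = [p for p in map(parse_defender_exclusion, command_lines) if p]
    masqueraded = sorted({t["target"] for t in tasks
                          if t["target"] and masquerades_system_binary(t["target"])})
    return {
        "tasks": tasks,
        "highest_privilege": [t["name"] for t in tasks if t["run_level"] == "HIGHEST"],
        "masqueraded_targets": masqueraded,
        "exclusions": exclusions,
        # everything a responder should acquire and then remove
        "paths_to_collect": sorted(set(masqueraded) | set(exclusions)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(COMMAND_LINES), indent=2))
```

On this input the benign backup task is parsed but never flagged, the five dropped payload paths are reported as masquerading, and the collection list is the union of those paths with the three Defender exclusions (six distinct files, since two exclusions coincide with task targets). The masquerade test is path-based on purpose: a csrss.exe under C:\Windows\System32 passes, the copy under C:\Recovery\WindowsRE does not.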
Network
MITRE ATT&CK Enterprise v6
Downloads
One entry per distinct file; the raw listing repeats an entry for every copy written, and the copy count is given with the size.

Filesize: 1.0MB (14 copies)
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Filesize: 1KB
MD5: baf55b95da4a601229647f25dad12878
SHA1: abc16954ebfd213733c4493fc1910164d825cac8
SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 944B (2 copies)
MD5: cadef9abd087803c630df65264a6c81c
SHA1: babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256: cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512: 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Filesize: 196B
MD5: d428fc2b4b50ec816092ce46bbe3f084
SHA1: d20f46d7a6c3587e5d59ff14b0169abaf53eb7dd
SHA256: e5f32a6812903684dbf19147411dc9e5a1ed18ec86dc9b62281c50386ab81694
SHA512: e6df34cc93e3e8ba4b59fe6b0572b8f3ed84c6a42124fadd18a4fc54028c825bfc3c472b7e0d9015179753f81d4a9ad9c5ddfdf5af848c5f33dba7f75ff11431

Filesize: 196B
MD5: abc6a1f352c45f3b83d989114aad02ec
SHA1: bf5d35fe5ba136ebdf3fc1ce93e2997b20e60373
SHA256: 6fe8208e81b44d5b232ace21cb5db3cff030883be3104690dad6b4135f8ca7dc
SHA512: e7dea2f632a593ab16ba04952585585b13983b34e351508bf2d9ca371c8747c2197ae6af733e10d2d50170bc7ddab71b0c964a98d0ec97f6c02aaf3bc9ff9387

Filesize: 196B
MD5: cd7c151e969a4b79e32b8b1e4c95e5c3
SHA1: daa372ca5874416127195d774455f34a68ce632a
SHA256: 25f6279563c8a34698209fa277ec5517e1ed9142b5a4e3b48dcf3249c958711f
SHA512: 4ab4370bbd0de005ea1a227a8fd7a28ee19906d9aa6223b06d7af7aa76f570a79eeea8bb4646b4e0b97c6c640b685b89b755f2239832584c8bdad4115cac365f

Filesize: 196B
MD5: 7593a0e70a5f4a1524249bce21d868e8
SHA1: 1e3bd10ef99838c6d262ba1a162764d940196f77
SHA256: f85fbb825bb8e8eb48f87f8945748e1336613bb4c317693b5820b52ba7532659
SHA512: 4c3463f288d97731c56a1210f4423bac4c50f33512e41c38e545a23d095d90627c044c8f8290d067b6edb897c6e6837f8f4854da67db8143d3dab72f3a4f6486

Filesize: 196B
MD5: 46ac7c13e35263ecf77dbf67c1640e7e
SHA1: 23c781dd59b9db8d0be6df51bbc4a96d437a1891
SHA256: 9ab4fd59bfeb4488a8b3a19b0998f83341921d9f7b9a9109d14dcb007f9aa113
SHA512: 067b9973cac33c3684e57ee0d668ee92b2c9044b588ab99d612f3915116215e28c7d32abfd223afd32c260f59d85c158802b299b83385bb4685057c32e6b0a9c

Filesize: 196B
MD5: 40396b387f338860a2e4166bf58f24a1
SHA1: b52018b6e96cb3eebae4310454f463808da421d7
SHA256: 0021ac608cc8e46acf450ac49a8a283ff66e56824fac01c53d692f4a090ce79b
SHA512: 714892d1c417b53eda7d468890feb4f0d3604fc390702106f8b538bb9920f6b1149bcdc40b8f524a83e38a44711a439bbce822f05fa0cba4bbbab0927972a276

Filesize: 196B
MD5: 09ac458da8106f64fe51fea082367586
SHA1: 8fdad7ea7d91d4adee0f346078e1886a04084f82
SHA256: 47dc73bbe1a6d14d9fef3efb85d41e87c04c8361b9ee5cd081c9ee88fefe80e4
SHA512: 7323127473a324d84c4716a21c4759c4c04aaca6e5ab8aa34f98cfc35df8adab962491a733738817393ada408c86a88568b511a8c68e3a3cd1cec639715580f8

Filesize: 196B
MD5: 6fd4ffd459a3d42c413171c32a5c73a1
SHA1: 71bfef81e0e0a65977ceda9583720dab5178574e
SHA256: 6b0f61872bdf8d2e83f8f75bc883e22fe8c425a5d5e7b4965dd7365678ab12da
SHA512: d4a95211b484cbb1e052ecf1f8b15d45114ef8eee4010b48667b305abdf41b662ffa512c538c06c2756984b81b9ed8bd3eb86de5764639e2fc8bbffc526fb3a5

Filesize: 196B (2 copies)
MD5: 137b06abb33f4841193d0ae5d9038c35
SHA1: 3eb292cc8107caaac8e6b7566b867fd18145a7b5
SHA256: c795457b2f0a729050edf6a3c659d48ae0f4a869d37273bc407f7861ae6b14af
SHA512: f1b1a1a20e940543914b40b6186fb309919b628dc375cb6ed94965a81940dba12b1a65f91694b7963e336a9f3b2a803e4b644c168f3f7f8908f2a83e2721556f

Filesize: 196B
MD5: ae2a94b1df85be2d61d2d933411bba9d
SHA1: a69852e49f3242c1d3dfe2c9c16d09dcff292114
SHA256: dc238d5905043351061f10ddefa294ce316690670307f4c9cc0745f4fe779f93
SHA512: 8ad2ea8105ba237d5f2b98dbe780a04aba3cf236698fbe937b144628fb0104ec98d260348eaac9a9373b4ba0f2c54a3f6f71dffe05ad7ad93017c50ddb6aaaca

Filesize: 196B
MD5: 7af5ee183600bed35b37af7c07b07d04
SHA1: a4d855cab4648489620fa2b382989d2b1d401c90
SHA256: 845ac7f5be617c5189b23b41c5c0fcd5189b444d190148b976998e1ce9e9b295
SHA512: 1632fd5db0b561e5b7b40aa215a944ab68c5db6b5c05789dd724bd33778c4d96fd88d8d3d9e6bc07e59cf5be492548469791856b15e994f19897e3b6f0cdf717

Filesize: 36B
MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Filesize: 197B
MD5: 8088241160261560a02c84025d107592
SHA1: 083121f7027557570994c9fc211df61730455bb5
SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478