dcrat | f68fc7d4f7467404fa80f09b2049d2879502f959ac6c4d96e588c50b6bc21d5f

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f68fc7d4f7467404fa80f09b2049d2879502f959ac6c4d96e588c50b6bc21d5f.exe
Size

1.3MB
MD5

0784bb738f01540d4bcacca9ecd1aef7
SHA1

27fb9af96df65561be5de42b4deb06f64e28cdff
SHA256

f68fc7d4f7467404fa80f09b2049d2879502f959ac6c4d96e588c50b6bc21d5f
SHA512

bde152bed7eef1f671b654d329e9e3d94023fa6cede45cbdda8196998e77c3873746a1407a992727873a0d9163911835536e88b0e9179d4bb6f8afd6a88d2a6e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2224	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000192f0-9.dat	dcrat
behavioral1/memory/2900-13-0x0000000001260000-0x0000000001370000-memory.dmp	dcrat
behavioral1/memory/2620-52-0x0000000000350000-0x0000000000460000-memory.dmp	dcrat
behavioral1/memory/2444-111-0x0000000000F20000-0x0000000001030000-memory.dmp	dcrat
behavioral1/memory/1800-289-0x0000000000340000-0x0000000000450000-memory.dmp	dcrat
behavioral1/memory/2816-350-0x0000000000B60000-0x0000000000C70000-memory.dmp	dcrat
behavioral1/memory/1356-410-0x00000000010F0000-0x0000000001200000-memory.dmp	dcrat
behavioral1/memory/2360-470-0x0000000000100000-0x0000000000210000-memory.dmp	dcrat
behavioral1/memory/2828-530-0x00000000003F0000-0x0000000000500000-memory.dmp	dcrat
behavioral1/memory/2764-590-0x00000000012E0000-0x00000000013F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2952	powershell.exe
2960	powershell.exe
1092	powershell.exe
1240	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2900	DllCommonsvc.exe
2620	csrss.exe
2444	csrss.exe
2824	csrss.exe
2848	csrss.exe
1800	csrss.exe
2816	csrss.exe
1356	csrss.exe
2360	csrss.exe
2828	csrss.exe
2764	csrss.exe
1972	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2792	cmd.exe
2792	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
30	raw.githubusercontent.com
37	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\ja-JP\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\ja-JP\7a0fd90576e088	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\DigitalLocker\de-DE\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Windows\DigitalLocker\de-DE\lsass.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\DigitalLocker\de-DE\lsass.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f68fc7d4f7467404fa80f09b2049d2879502f959ac6c4d96e588c50b6bc21d5f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2700	schtasks.exe
1164	schtasks.exe
2872	schtasks.exe
2668	schtasks.exe
2720	schtasks.exe
1048	schtasks.exe
1536	schtasks.exe
2816	schtasks.exe
2812	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2900	DllCommonsvc.exe
1240	powershell.exe
1092	powershell.exe
2960	powershell.exe
2952	powershell.exe
2620	csrss.exe
2444	csrss.exe
2824	csrss.exe
2848	csrss.exe
1800	csrss.exe
2816	csrss.exe
1356	csrss.exe
2360	csrss.exe
2828	csrss.exe
2764	csrss.exe
1972	csrss.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	DllCommonsvc.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2620	csrss.exe
Token: SeDebugPrivilege	2444	csrss.exe
Token: SeDebugPrivilege	2824	csrss.exe
Token: SeDebugPrivilege	2848	csrss.exe
Token: SeDebugPrivilege	1800	csrss.exe
Token: SeDebugPrivilege	2816	csrss.exe
Token: SeDebugPrivilege	1356	csrss.exe
Token: SeDebugPrivilege	2360	csrss.exe
Token: SeDebugPrivilege	2828	csrss.exe
Token: SeDebugPrivilege	2764	csrss.exe
Token: SeDebugPrivilege	1972	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 3024	2612	f68fc7d4f7467404fa80f09b2049d2879502f959ac6c4d96e588c50b6bc21d5f.exe	30
PID 2612 wrote to memory of 3024	2612	f68fc7d4f7467404fa80f09b2049d2879502f959ac6c4d96e588c50b6bc21d5f.exe	30
PID 2612 wrote to memory of 3024	2612	f68fc7d4f7467404fa80f09b2049d2879502f959ac6c4d96e588c50b6bc21d5f.exe	30
PID 2612 wrote to memory of 3024	2612	f68fc7d4f7467404fa80f09b2049d2879502f959ac6c4d96e588c50b6bc21d5f.exe	30
PID 3024 wrote to memory of 2792	3024	WScript.exe	31
PID 3024 wrote to memory of 2792	3024	WScript.exe	31
PID 3024 wrote to memory of 2792	3024	WScript.exe	31
PID 3024 wrote to memory of 2792	3024	WScript.exe	31
PID 2792 wrote to memory of 2900	2792	cmd.exe	33
PID 2792 wrote to memory of 2900	2792	cmd.exe	33
PID 2792 wrote to memory of 2900	2792	cmd.exe	33
PID 2792 wrote to memory of 2900	2792	cmd.exe	33
PID 2900 wrote to memory of 1092	2900	DllCommonsvc.exe	44
PID 2900 wrote to memory of 1092	2900	DllCommonsvc.exe	44
PID 2900 wrote to memory of 1092	2900	DllCommonsvc.exe	44
PID 2900 wrote to memory of 1240	2900	DllCommonsvc.exe	45
PID 2900 wrote to memory of 1240	2900	DllCommonsvc.exe	45
PID 2900 wrote to memory of 1240	2900	DllCommonsvc.exe	45
PID 2900 wrote to memory of 2952	2900	DllCommonsvc.exe	46
PID 2900 wrote to memory of 2952	2900	DllCommonsvc.exe	46
PID 2900 wrote to memory of 2952	2900	DllCommonsvc.exe	46
PID 2900 wrote to memory of 2960	2900	DllCommonsvc.exe	47
PID 2900 wrote to memory of 2960	2900	DllCommonsvc.exe	47
PID 2900 wrote to memory of 2960	2900	DllCommonsvc.exe	47
PID 2900 wrote to memory of 484	2900	DllCommonsvc.exe	52
PID 2900 wrote to memory of 484	2900	DllCommonsvc.exe	52
PID 2900 wrote to memory of 484	2900	DllCommonsvc.exe	52
PID 484 wrote to memory of 2360	484	cmd.exe	54
PID 484 wrote to memory of 2360	484	cmd.exe	54
PID 484 wrote to memory of 2360	484	cmd.exe	54
PID 484 wrote to memory of 2620	484	cmd.exe	56
PID 484 wrote to memory of 2620	484	cmd.exe	56
PID 484 wrote to memory of 2620	484	cmd.exe	56
PID 2620 wrote to memory of 2696	2620	csrss.exe	57
PID 2620 wrote to memory of 2696	2620	csrss.exe	57
PID 2620 wrote to memory of 2696	2620	csrss.exe	57
PID 2696 wrote to memory of 2008	2696	cmd.exe	59
PID 2696 wrote to memory of 2008	2696	cmd.exe	59
PID 2696 wrote to memory of 2008	2696	cmd.exe	59
PID 2696 wrote to memory of 2444	2696	cmd.exe	60
PID 2696 wrote to memory of 2444	2696	cmd.exe	60
PID 2696 wrote to memory of 2444	2696	cmd.exe	60
PID 2444 wrote to memory of 1728	2444	csrss.exe	61
PID 2444 wrote to memory of 1728	2444	csrss.exe	61
PID 2444 wrote to memory of 1728	2444	csrss.exe	61
PID 1728 wrote to memory of 1148	1728	cmd.exe	63
PID 1728 wrote to memory of 1148	1728	cmd.exe	63
PID 1728 wrote to memory of 1148	1728	cmd.exe	63
PID 1728 wrote to memory of 2824	1728	cmd.exe	64
PID 1728 wrote to memory of 2824	1728	cmd.exe	64
PID 1728 wrote to memory of 2824	1728	cmd.exe	64
PID 2824 wrote to memory of 980	2824	csrss.exe	65
PID 2824 wrote to memory of 980	2824	csrss.exe	65
PID 2824 wrote to memory of 980	2824	csrss.exe	65
PID 980 wrote to memory of 1644	980	cmd.exe	67
PID 980 wrote to memory of 1644	980	cmd.exe	67
PID 980 wrote to memory of 1644	980	cmd.exe	67
PID 980 wrote to memory of 2848	980	cmd.exe	68
PID 980 wrote to memory of 2848	980	cmd.exe	68
PID 980 wrote to memory of 2848	980	cmd.exe	68
PID 2848 wrote to memory of 2220	2848	csrss.exe	69
PID 2848 wrote to memory of 2220	2848	csrss.exe	69
PID 2848 wrote to memory of 2220	2848	csrss.exe	69
PID 2220 wrote to memory of 2064	2220	cmd.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f68fc7d4f7467404fa80f09b2049d2879502f959ac6c4d96e588c50b6bc21d5f.exe
"C:\Users\Admin\AppData\Local\Temp\f68fc7d4f7467404fa80f09b2049d2879502f959ac6c4d96e588c50b6bc21d5f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\de-DE\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\ja-JP\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FE1ty2beYi.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:484
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2360
      - C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rhkc0SdEF2.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2008
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CMv1BFFgLz.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1148
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOJxze5tr1.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1644
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DiMaLaQqUm.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2064
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVUt9EuWwA.bat"
        15⤵
        
        PID:2804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2376
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat"
        17⤵
        
        PID:1664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1880
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D2zd9hDRps.bat"
        19⤵
        
        PID:2184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2524
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o4pIGJu18c.bat"
        21⤵
        
        PID:2660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1816
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GptcLQn9Ec.bat"
        23⤵
        
        PID:2876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2756
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat"
        25⤵
        
        PID:1092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2420
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\DigitalLocker\de-DE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\ja-JP\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
666ea2b9d60c84622e4608a533298ac0

SHA1
4c0a4c7bf581e4b9a55a1dd8118680894c885ac2

SHA256
16f21f35b943f2790aad4afa7fa79066d9d1ea73876e089d29f6149c98f37c4c

SHA512
fec36bc96f080e179fb3bfcd3734fd3040a5798252871371eeb3e9a24da1be37a81d5961f9efdf6d9f1173dcd0ca3f92dbc934113d8183d77b6b47bc4220cd0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d486cc9e53df69de14f577507e492dd

SHA1
a4df10a03a47cc708b9da21243cfc29435e1f27f

SHA256
b71bd1f988a81324be36f2ed607cf8dcf6e6a89f8d623cd41f99ffdbfc587840

SHA512
31fc87f3824c2e0aaa0b43c871336c3c496af28290503c31a92879ff76811fdcc999953045ae2dcc2c5931c4c9f17fae559c833588b020720eb6aedb4e74b192

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7fec9a80ed3991fabc6c67e4fa7c31c6

SHA1
7da479e8e5f0ec68dd70da66b4263f25cc0b94ac

SHA256
14285f6809d3b1f630f57e01a890a58ae82036bed40348e54576fd32749ee231

SHA512
d08dccb6e944b69658ad7fb1f3b352858a8bf168f6c9d55a62de8ff6ee9e712d4811d97b5ee112569dc177d141df96faacac033b6787a78141bf4d0a29c37670

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91f90f863078ce5788b19abfb085b1e6

SHA1
dbe815221524450d731dd2fbd87c1b739a244e23

SHA256
16f7811601f81d60a949d3a9d82d59186d1acc3676d0f86e935abc4643e2b78c

SHA512
e9c656b58f23dfd5a9e69798b148e1b679a6c1d699c7b6ef3398533bb7db4509bf24f7910bda434218e223950b749d2d625eb377cf75fe8f7329822c5c3c5c82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
149d40c735992b6ec660561b57cd9599

SHA1
bbaf3678dc65be0ce5a5d4ed1eb377fbd7a9f5a6

SHA256
611f5347a40b7473d8134321f2693b930d9b5e37e39fecb8501ad091caabfd45

SHA512
4520299831e9c2eba96b745f8b78b5df96299f3fb71eca39bcd4e7ebfb1876d7cef9ebfab2a3ce99c6eaf479c970dd4a1ad7d07f9a3ea62b1600ded1a5332c4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3418da34758a7421f877db6542bb7b9

SHA1
e5527b1bfb68311186f74b2825e3d0d312ac314a

SHA256
0a2e76c0a129f30e284f883d84f86cccdd133b339953c7d7fe63d6b699458092

SHA512
6c9eda5a194f5fe454478eac5df58980aae2b44ab47473598814bf15827c2f12f0c3b9c4f292c3f5465ad184aeec980bbd9a999dafb4247ca208e19455dcc86e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
70ecabf4fb4be18eddc84c0c18fc3ff7

SHA1
68e87e175207ed7b62a2112d42406ce16f8634a2

SHA256
342c9d002cc157ff4b62198f2a775cff1b79a58aa34c8e8b5abf17193da465d3

SHA512
507d97b6cad11ec7c87cfb96ba59e74cfd944b24225a4effe3e7dd4685bfe7258b3715ae79ad232a332a1cf2f0ac52ea25239ebe74030c70453039328504c731

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2683e63413cd879f7816338c12d34f18

SHA1
b8090f5cc97284bdd01f25103d27fbe498bdf190

SHA256
95f11089787111c5975a77c0c230e2579130107aca5e23948d43b6e8dc596d82

SHA512
8c9541b20af3e8ba6ec08d8597e75322441be0ed17d5c8d9fab642216cddcffc8133797b7c6028cf0790f2c975a48611a09574b802c4f2a2e15fb78a35827d8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
405fa55f31d8a40e0233d8463f543ea9

SHA1
561e04ab1fc77febc3d666e57c2cc60c3532ead9

SHA256
ce923765f7fca173b4f7e5b6cb67f11e4d6342141d62735976c2f506ec6882e1

SHA512
2a23f3bebf61efa64887af58a5b6163152d875114912844cd035382c4cf38ed22936a44df64521aced67ab7864a51df53486e6605c37d7afe7fbfa12dc77e8b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMv1BFFgLz.bat

Filesize
223B

MD5
b96d53c52d8c78579741f78d086f0552

SHA1
314f2ed010c2d45b25351100b2315b0cf599e134

SHA256
c938d2c7931f972105db445e98e5c456ba7acdafce754351c036036520d0c01d

SHA512
fba37c5e5a94dcf6259de6ed5862d1be4c5b4519a6c4db1b0c4b7e41ca754bd4edf52f81cd27f3e62e9f30e76ef6d31d58e54cead2ef09c177b8dd3c99db8391

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFE4E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D2zd9hDRps.bat

Filesize
223B

MD5
c78254553f72c31e42c8d5f715172e06

SHA1
7c5ddbe42b849bbb5ccda3966699ed8c3004b98c

SHA256
2ce6f8eca0abdf664b578c22cc3a23095916bbd9d85c70148176c8a7243c0450

SHA512
396941f96ce5026cce3c4e5b1e64b0d8e9b395bac449cfac0e1f54eb5c92c0b74d52022049732fcb17453ee51180db79169afbf12e99c5ce8e02461b12e834ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\DiMaLaQqUm.bat

Filesize
223B

MD5
ca8a181ce9d65efca2004f85cc5b6827

SHA1
42cdd15d086ad5f058c0ecce1386585efcf0b880

SHA256
b79e27bea162b247552df057788f964cadb0bd8595bcf854c579b6a4007545f8

SHA512
ded4dff712fc3d5bc54b50e4e900f3bbc6a6ce47cd1ba37f31e0160283e82ffb1773cb249f698894f381b41c72d1800bf2b474bd269fbf0967c67c66792317b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EOJxze5tr1.bat

Filesize
223B

MD5
a77e8a8a8c5421928ace462aa1c8f3bb

SHA1
c4931ed2242f6da613e8af0b91d14413fea64859

SHA256
17c0ab8c10d071db4c00280a6ccf9496235113fac6f7d2f138a65b98b9f32123

SHA512
9e18b430d71025e90de1e36128cfa72f4aea670949aac3474ec7e0dd997b14306458849b777d68830d08a615de1ca9194c5700153363e7cfcc2ed084df497501

Download Submit
C:\Users\Admin\AppData\Local\Temp\FE1ty2beYi.bat

Filesize
223B

MD5
b07780f9d6bbaafebf72474709b0b6d0

SHA1
09743c65983581f60f1aeb2fb647f3b447fabd0f

SHA256
0ff5e99c82bcd306019f0d16a8e91c19993440e343959c60a290fdb2624aa662

SHA512
8efe8a4442dd6b4394184ad6542ee1277ecf6f8e1a73217e06cf0463df6a6d772e6c350c3ae7587d2f1157cc48d7a1bf851f930cc02b7cfaf3b3d8c7bea05c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GptcLQn9Ec.bat

Filesize
223B

MD5
cd2916421016d5dc55a3af8c90c9622b

SHA1
59b2dead3a33cba9cf3fbcf47954b32ba7b2071e

SHA256
b18c2bfbd79f59b3f8e627ae25a4cd839b443a3ef6edc197612cab324b6b6dfd

SHA512
f6395229fe36876eb0eadee4ccd9d04c9ae4eb7716e29efdce283d83d6aeabaa035ac6a37d5ea48716a8facd53fa1f22568ec958634105859d6c22c84016d25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rhkc0SdEF2.bat

Filesize
223B

MD5
8c35336b43d538d53fee5b167a9f2800

SHA1
93ed12ccf1e9bc7fb4b303d8521f4fdf79e0b03b

SHA256
6879c555e67493b8b81f7db1d93c06283993396c81e76e71d709764faa64d062

SHA512
0391be7fee7204be15eabfa2ee5afe4e08a2712de1dfb223a233b13c088871181f2fdd7a1cd7c86f3826352e3300084cc935082ebcf25b41c2376ac5482c9ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFE70.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat

Filesize
223B

MD5
46f4032263d137322939421b37ac6935

SHA1
d62d24961e247283dfd832cd76f57b247b71f856

SHA256
36f22c3f6d15d331b30343170788b4e8dac511ad1b13c9b6e6c0551d2953e7cf

SHA512
9a54dface6b9d37d94f8eb0cf536cb09db01bc460d218a9b1b353125a6e7c834af9a3f985446018084277bb38a5efec40c7c5ba4a0ad1836a0ddb765e8e3bb8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat

Filesize
223B

MD5
d5ec4032274ed83fdd70a17318c9d49e

SHA1
732c7c796ef963500c0fb3dfcadfe4be90b5611a

SHA256
fc3562a19e229a2e305f8f0ce143832bb1c3a56fd8c533e1fcbe787a59712a88

SHA512
8588178d87f3daf5905775801b1d0237b317f3697a97c41a18f658ac79ada33cddccd367ecec1bbd7971ddc493e2d3caa73140de6f59cf3a6bbac60dcc9207c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\o4pIGJu18c.bat

Filesize
223B

MD5
1a0cf81df8ea34c4409ad038ceda8d3d

SHA1
da27f5344840154f19f9ad083a0cdae98038f5ad

SHA256
41ada24fc765583bee0b4aea68ac45e3002583bf8f01e61187ebe9e313272093

SHA512
3843887c87ce9db809c4a50e8394a17aaae6e02d76d3916db3c64baac09fb79c85387cef7dc6bd5057af701c56aef7e06dea42f09b9ab52dd68144568442479a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uVUt9EuWwA.bat

Filesize
223B

MD5
488cdee46be53a0f55d2f06b7b9d4528

SHA1
a1127f6dc73b3a86c2e79c00237f750a65662154

SHA256
e4834dd05287a21869624851db882bb19948c3dc9e786dd0e7db011b8528055a

SHA512
828fd8be58bf78324431a734e9f063a63e5150b54d7a0706ae1decd6bfce1fa0eb12c528f569b9ae3b45de1ad6ebdb23c081e7b84b1546b57ffb4d496f4fca1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
98c2470eb687ed5846a6c1530f900d4a

SHA1
a11a9c04f3da3e8f5002b406a8f4c6573a670f5d

SHA256
8ace9bd85fcc08707914872c1d801fadc41ed4a187a21f07da95505d64977599

SHA512
3131d8ceb350f9a0241c5274cdae4d2b518435fd33b8330593c07d6dace23710b078648d3dc96b5da5e4711ba396d159a233bede9c2d4637c6444c95fa32c14a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1356-410-0x00000000010F0000-0x0000000001200000-memory.dmp

Filesize
1.1MB

Download
memory/1800-289-0x0000000000340000-0x0000000000450000-memory.dmp

Filesize
1.1MB

Download
memory/1800-290-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/2360-470-0x0000000000100000-0x0000000000210000-memory.dmp

Filesize
1.1MB

Download
memory/2444-111-0x0000000000F20000-0x0000000001030000-memory.dmp

Filesize
1.1MB

Download
memory/2620-52-0x0000000000350000-0x0000000000460000-memory.dmp

Filesize
1.1MB

Download
memory/2764-590-0x00000000012E0000-0x00000000013F0000-memory.dmp

Filesize
1.1MB

Download
memory/2816-350-0x0000000000B60000-0x0000000000C70000-memory.dmp

Filesize
1.1MB

Download
memory/2828-530-0x00000000003F0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download
memory/2900-13-0x0000000001260000-0x0000000001370000-memory.dmp

Filesize
1.1MB

Download
memory/2900-14-0x00000000009C0000-0x00000000009D2000-memory.dmp

Filesize
72KB

Download
memory/2900-15-0x0000000000A60000-0x0000000000A6C000-memory.dmp

Filesize
48KB

Download
memory/2900-16-0x00000000009D0000-0x00000000009DC000-memory.dmp

Filesize
48KB

Download
memory/2900-17-0x0000000000C80000-0x0000000000C8C000-memory.dmp

Filesize
48KB

Download
memory/2960-43-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

Filesize
2.9MB

Download
memory/2960-47-0x0000000002000000-0x0000000002008000-memory.dmp

Filesize
32KB

Download