dcrat | 8cd761b70594e7b18d547ebf4d7b713952fe90b3c42a828b23d28d59636270c6

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cd761b70594e7b18d547ebf4d7b713952fe90b3c42a828b23d28d59636270c6.exe
Size

1.3MB
MD5

51de70d1c8e260762721825b299d7086
SHA1

c92442c444302da9c800ea5cc9331ccf22632e1b
SHA256

8cd761b70594e7b18d547ebf4d7b713952fe90b3c42a828b23d28d59636270c6
SHA512

99da60ff8ed745f8f1a5908f94a6c54b9d9352423287f0588cf564dc474c2c9c0f96cc6e3b40b7dbcd1f1bb94c100d9271fbb97c99a15e0a1e7c0e5ee1e2ef59
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3256	4412	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	4412	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	4412	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	4412	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	4412	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	4412	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b90-10.dat	dcrat
behavioral2/memory/2096-13-0x00000000003C0000-0x00000000004D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4716	powershell.exe
4900	powershell.exe
2364	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	8cd761b70594e7b18d547ebf4d7b713952fe90b3c42a828b23d28d59636270c6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	smss.exe

Executes dropped EXE 14 IoCs

pid	Process
2096	DllCommonsvc.exe
2188	smss.exe
4916	smss.exe
3324	smss.exe
3260	smss.exe
2288	smss.exe
3960	smss.exe
3168	smss.exe
3100	smss.exe
2732	smss.exe
3288	smss.exe
3232	smss.exe
3776	smss.exe
4916	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
40	raw.githubusercontent.com
50	raw.githubusercontent.com
52	raw.githubusercontent.com
53	raw.githubusercontent.com
16	raw.githubusercontent.com
24	raw.githubusercontent.com
38	raw.githubusercontent.com
39	raw.githubusercontent.com
54	raw.githubusercontent.com
17	raw.githubusercontent.com
44	raw.githubusercontent.com
45	raw.githubusercontent.com
51	raw.githubusercontent.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\smss.exe	DllCommonsvc.exe
File created	C:\Windows\L2Schemas\69ddcba757bf72	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8cd761b70594e7b18d547ebf4d7b713952fe90b3c42a828b23d28d59636270c6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	8cd761b70594e7b18d547ebf4d7b713952fe90b3c42a828b23d28d59636270c6.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	smss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4032	schtasks.exe
4640	schtasks.exe
1864	schtasks.exe
1900	schtasks.exe
3256	schtasks.exe
3096	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2096	DllCommonsvc.exe
2364	powershell.exe
4900	powershell.exe
4716	powershell.exe
2364	powershell.exe
2188	smss.exe
4900	powershell.exe
4716	powershell.exe
4916	smss.exe
3324	smss.exe
3260	smss.exe
2288	smss.exe
3960	smss.exe
3168	smss.exe
3100	smss.exe
2732	smss.exe
3288	smss.exe
3232	smss.exe
3776	smss.exe
4916	smss.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	DllCommonsvc.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeDebugPrivilege	4716	powershell.exe
Token: SeDebugPrivilege	2188	smss.exe
Token: SeDebugPrivilege	4916	smss.exe
Token: SeDebugPrivilege	3324	smss.exe
Token: SeDebugPrivilege	3260	smss.exe
Token: SeDebugPrivilege	2288	smss.exe
Token: SeDebugPrivilege	3960	smss.exe
Token: SeDebugPrivilege	3168	smss.exe
Token: SeDebugPrivilege	3100	smss.exe
Token: SeDebugPrivilege	2732	smss.exe
Token: SeDebugPrivilege	3288	smss.exe
Token: SeDebugPrivilege	3232	smss.exe
Token: SeDebugPrivilege	3776	smss.exe
Token: SeDebugPrivilege	4916	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 4980	4428	8cd761b70594e7b18d547ebf4d7b713952fe90b3c42a828b23d28d59636270c6.exe	83
PID 4428 wrote to memory of 4980	4428	8cd761b70594e7b18d547ebf4d7b713952fe90b3c42a828b23d28d59636270c6.exe	83
PID 4428 wrote to memory of 4980	4428	8cd761b70594e7b18d547ebf4d7b713952fe90b3c42a828b23d28d59636270c6.exe	83
PID 4980 wrote to memory of 1612	4980	WScript.exe	85
PID 4980 wrote to memory of 1612	4980	WScript.exe	85
PID 4980 wrote to memory of 1612	4980	WScript.exe	85
PID 1612 wrote to memory of 2096	1612	cmd.exe	87
PID 1612 wrote to memory of 2096	1612	cmd.exe	87
PID 2096 wrote to memory of 4716	2096	DllCommonsvc.exe	96
PID 2096 wrote to memory of 4716	2096	DllCommonsvc.exe	96
PID 2096 wrote to memory of 2364	2096	DllCommonsvc.exe	97
PID 2096 wrote to memory of 2364	2096	DllCommonsvc.exe	97
PID 2096 wrote to memory of 4900	2096	DllCommonsvc.exe	98
PID 2096 wrote to memory of 4900	2096	DllCommonsvc.exe	98
PID 2096 wrote to memory of 2188	2096	DllCommonsvc.exe	102
PID 2096 wrote to memory of 2188	2096	DllCommonsvc.exe	102
PID 2188 wrote to memory of 1008	2188	smss.exe	111
PID 2188 wrote to memory of 1008	2188	smss.exe	111
PID 1008 wrote to memory of 768	1008	cmd.exe	113
PID 1008 wrote to memory of 768	1008	cmd.exe	113
PID 1008 wrote to memory of 4916	1008	cmd.exe	119
PID 1008 wrote to memory of 4916	1008	cmd.exe	119
PID 4916 wrote to memory of 1568	4916	smss.exe	121
PID 4916 wrote to memory of 1568	4916	smss.exe	121
PID 1568 wrote to memory of 2688	1568	cmd.exe	123
PID 1568 wrote to memory of 2688	1568	cmd.exe	123
PID 1568 wrote to memory of 3324	1568	cmd.exe	128
PID 1568 wrote to memory of 3324	1568	cmd.exe	128
PID 3324 wrote to memory of 3632	3324	smss.exe	130
PID 3324 wrote to memory of 3632	3324	smss.exe	130
PID 3632 wrote to memory of 3736	3632	cmd.exe	132
PID 3632 wrote to memory of 3736	3632	cmd.exe	132
PID 3632 wrote to memory of 3260	3632	cmd.exe	134
PID 3632 wrote to memory of 3260	3632	cmd.exe	134
PID 3260 wrote to memory of 4800	3260	smss.exe	136
PID 3260 wrote to memory of 4800	3260	smss.exe	136
PID 4800 wrote to memory of 4344	4800	cmd.exe	138
PID 4800 wrote to memory of 4344	4800	cmd.exe	138
PID 4800 wrote to memory of 2288	4800	cmd.exe	140
PID 4800 wrote to memory of 2288	4800	cmd.exe	140
PID 2288 wrote to memory of 3860	2288	smss.exe	142
PID 2288 wrote to memory of 3860	2288	smss.exe	142
PID 3860 wrote to memory of 3232	3860	cmd.exe	144
PID 3860 wrote to memory of 3232	3860	cmd.exe	144
PID 3860 wrote to memory of 3960	3860	cmd.exe	146
PID 3860 wrote to memory of 3960	3860	cmd.exe	146
PID 3960 wrote to memory of 4708	3960	smss.exe	148
PID 3960 wrote to memory of 4708	3960	smss.exe	148
PID 4708 wrote to memory of 3256	4708	cmd.exe	150
PID 4708 wrote to memory of 3256	4708	cmd.exe	150
PID 4708 wrote to memory of 3168	4708	cmd.exe	152
PID 4708 wrote to memory of 3168	4708	cmd.exe	152
PID 3168 wrote to memory of 652	3168	smss.exe	154
PID 3168 wrote to memory of 652	3168	smss.exe	154
PID 652 wrote to memory of 468	652	cmd.exe	156
PID 652 wrote to memory of 468	652	cmd.exe	156
PID 652 wrote to memory of 3100	652	cmd.exe	158
PID 652 wrote to memory of 3100	652	cmd.exe	158
PID 3100 wrote to memory of 2260	3100	smss.exe	160
PID 3100 wrote to memory of 2260	3100	smss.exe	160
PID 2260 wrote to memory of 3612	2260	cmd.exe	162
PID 2260 wrote to memory of 3612	2260	cmd.exe	162
PID 2260 wrote to memory of 2732	2260	cmd.exe	164
PID 2260 wrote to memory of 2732	2260	cmd.exe	164

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8cd761b70594e7b18d547ebf4d7b713952fe90b3c42a828b23d28d59636270c6.exe
"C:\Users\Admin\AppData\Local\Temp\8cd761b70594e7b18d547ebf4d7b713952fe90b3c42a828b23d28d59636270c6.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4900
    - - C:\Windows\L2Schemas\smss.exe
        
        "C:\Windows\L2Schemas\smss.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2188
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\04VLARgLyy.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:768
        
        C:\Windows\L2Schemas\smss.exe
        
        "C:\Windows\L2Schemas\smss.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HmDgHlPzdV.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2688
        
        C:\Windows\L2Schemas\smss.exe
        
        "C:\Windows\L2Schemas\smss.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6xwNL0dL8Y.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3736
        
        C:\Windows\L2Schemas\smss.exe
        
        "C:\Windows\L2Schemas\smss.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4344
        
        C:\Windows\L2Schemas\smss.exe
        
        "C:\Windows\L2Schemas\smss.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qKN9Q7Smhq.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:3232
        
        C:\Windows\L2Schemas\smss.exe
        
        "C:\Windows\L2Schemas\smss.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3256
        
        C:\Windows\L2Schemas\smss.exe
        
        "C:\Windows\L2Schemas\smss.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fZs2sOO0th.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:468
        
        C:\Windows\L2Schemas\smss.exe
        
        "C:\Windows\L2Schemas\smss.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3612
        
        C:\Windows\L2Schemas\smss.exe
        
        "C:\Windows\L2Schemas\smss.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat"
        22⤵
        
        PID:4220
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4892
        
        C:\Windows\L2Schemas\smss.exe
        
        "C:\Windows\L2Schemas\smss.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat"
        24⤵
        
        PID:1348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4400
        
        C:\Windows\L2Schemas\smss.exe
        
        "C:\Windows\L2Schemas\smss.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat"
        26⤵
        
        PID:2444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:3924
        
        C:\Windows\L2Schemas\smss.exe
        
        "C:\Windows\L2Schemas\smss.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jobc5AEC9X.bat"
        28⤵
        
        PID:4020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:4444
        
        C:\Windows\L2Schemas\smss.exe
        
        "C:\Windows\L2Schemas\smss.exe"
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\L2Schemas\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smss.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\04VLARgLyy.bat

Filesize
194B

MD5
b8f0dfc343ab3deec4566bba9256a445

SHA1
3f2a05c9fa2de3344b6e97dea112ae3f9b2c488f

SHA256
4177fc1173572788a5f2777852b7b48756cac4d85a948d9c219c6f8834b10a7e

SHA512
017c8c8fee240b4e425528cdc481b3e54d31afa0f8df788bff44aaadb9f0a42c53a2dc67784ae466235610d3fff8360b30eba4ed5eadf1d693d9a67533c98c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6xwNL0dL8Y.bat

Filesize
194B

MD5
6c2234bebb306a1eedcf2267533c6b5a

SHA1
cc054beb936962659e2d13e689f7388dc8a792f7

SHA256
0897d2f682973888055e1f34416b02b86dd615dc7c241f83a8161cc98708ca23

SHA512
bf2aad789f022ef325cc4ef8bf252f935fbb84ba1f2f744a94ac823dd01dd4cf2ee65024be3a8563ceed478025133964277be6e8dd61c14f078cfc86088b402a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat

Filesize
194B

MD5
a549eeeb1ce436d03bffceb11284bd80

SHA1
4482d151bbcda427249f5f9fc72b1d1d23e6b77a

SHA256
7b247c4729b12cd5c40bbe1d92d9051aeea684f0aa3854c895491be75130366e

SHA512
490142cc39695af8984e33abf66a3246881d5d085ffc7fbd9681fd79bbf38d4b35507d2b5bd651f1bfae35d4c90694cfc83bccf6e5e25c6366c270016fd4cc04

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat

Filesize
194B

MD5
164a34de94a9096be95d1cc8cf72acb9

SHA1
ef396163f92581108e7dd24bc6cfb04f49681a0f

SHA256
5c729524264628e595612908b878a576a274825f9aabe84365efda99fa83e95a

SHA512
15bc005cb3248ab2cfb97784edb41c4fe66735e4b791ebdb292e77b7b7ca928f993328fbd266e7e3ff01308679d6081f73798faad26bb1cd0fa98e871c9ca476

Download Submit
C:\Users\Admin\AppData\Local\Temp\HmDgHlPzdV.bat

Filesize
194B

MD5
f48df2dfd1881d08ab77469d4ed38f1d

SHA1
9c1fbb6ec053f1e40e09b60117c57bf470ffb6fc

SHA256
69b05a21f8c14e91a4c2797a1f5e198c1aae7026bcf2cba51c49cb84fa77f475

SHA512
d2f2141720a271e27bfc5604f64e9159788ed540d5113dc1d86a6b865d74251114410ef47193895440e4832700ed5553c9f89ca0ec244be7880578ef89091aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jobc5AEC9X.bat

Filesize
194B

MD5
0048fd9adc9f82b92c8168d5ddddea22

SHA1
7698ae5669a979874e72063294591160df3f2927

SHA256
457e8957844924986808f2f0977c178fb2ac875cfd4c6ed43adbfdbb7477180f

SHA512
7bf7d5f9210baf560523f151949a7a023de4b820bbcc8a7279d2b6ea21277ff4894aa8f281c117dd7488465a77aa7edf6d8e7c074c70a70323b70eed64887775

Download Submit
C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat

Filesize
194B

MD5
900c9767330217f314f092f3606df2c0

SHA1
6793defd917e765dd6dc6e5e1e7a53e51e0333ff

SHA256
9c4317c4a6f4348c92588a9baf9459a207c109629f957464d9302817c112c6e4

SHA512
4ff5042d333bf0131a36a53c051c23d31c756990bfbef7658895c10f132f1aaeef77fc1a4be1c468923f5f3afcc2d7b6456a9770cb86eaad089d45f42929562c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nrvf4h35.y5j.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat

Filesize
194B

MD5
aabe0ce46bb527fc587c749ab7147a53

SHA1
712b82457f3a457cf19e396851a08eeab3169245

SHA256
5eddd556c7442b8b96e6c5614b5d8bc3b6c1c8ce404403b20ba822b5e47d69c4

SHA512
f320463b413c1fc06a3161233c82124f115a785de7d7ac6744522288b02e96177a55d2871b2b57247b32b5f19a1e421bf1cc8c66dc56a018502dfe8035c4b083

Download Submit
C:\Users\Admin\AppData\Local\Temp\fZs2sOO0th.bat

Filesize
194B

MD5
ac30a1da3f3b5fd61eeb6b7a8e237d0c

SHA1
d2fde3ee72772c98155a09425ad635654e8313af

SHA256
501c2f9ee9256f263b2b3447363acf3c5ad8c461378894ada10168cb149ce080

SHA512
8fe6efba33b7dbab5ba4ad94dd0221c90ea3fda178e68872e73ea276252ce4b834be572955dbfefd94235d864c5f455ee42715bb752d8c3d1b51f5f6d9563c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat

Filesize
194B

MD5
543c54dd0a37b34ee88a30c0f4d82768

SHA1
9dd2c6c2074e4a0a149bfc4d2d6521aef015de5f

SHA256
ce34c542a3d96e20f62e1dc59df9c6f5a2a819303ba8d4c86b13b68b6b085e1f

SHA512
6d6a3a6cf1919b8c09c0190640ed1f931470bb7714cb842196ee234de189ab26113fce29e58a57a3f7aba2ee52e597e8076f0afff6a44832d2a7096c2fad1766

Download Submit
C:\Users\Admin\AppData\Local\Temp\qKN9Q7Smhq.bat

Filesize
194B

MD5
a0e734ab0b977b09effbc28bb81dd4a4

SHA1
8e0abaacf1f2e7d0573060681d04ab1cc1e43403

SHA256
bbdc50ec88e19afaf50cfb30d6ee7296bca28b6434607fc33fac161a132823e6

SHA512
0adabb7fe5959423a074992bbf550ec7d141d3101edf1e5490a0b78f315131c21b9103ab0fc9321c64c5fa9d472ba59eb89ff1f132a216072bb5d1f3cbcfd133

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/2096-17-0x0000000002620000-0x000000000262C000-memory.dmp

Filesize
48KB

Download
memory/2096-16-0x0000000002600000-0x000000000260C000-memory.dmp

Filesize
48KB

Download
memory/2096-15-0x0000000002610000-0x000000000261C000-memory.dmp

Filesize
48KB

Download
memory/2096-14-0x0000000000BA0000-0x0000000000BB2000-memory.dmp

Filesize
72KB

Download
memory/2096-13-0x00000000003C0000-0x00000000004D0000-memory.dmp

Filesize
1.1MB

Download
memory/2096-12-0x00007FFCD3AB3000-0x00007FFCD3AB5000-memory.dmp

Filesize
8KB

Download
memory/2188-61-0x000000001C3F0000-0x000000001C402000-memory.dmp

Filesize
72KB

Download
memory/2288-96-0x000000001B9F0000-0x000000001BA02000-memory.dmp

Filesize
72KB

Download
memory/2364-38-0x000001D9FDD70000-0x000001D9FDD92000-memory.dmp

Filesize
136KB

Download
memory/4916-77-0x000000001BED0000-0x000000001BEE2000-memory.dmp

Filesize
72KB

Download