dcrat | 214e6984a2b0caa29d8744255eb62a0bdd0580bd9d1a629ac0b3fe0ba00d1749

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

214e6984a2b0caa29d8744255eb62a0bdd0580bd9d1a629ac0b3fe0ba00d1749.exe
Size

1.3MB
MD5

d36054d33a4825de79de224be61f697f
SHA1

c3213e524eab58ca147308787fd88936254b3b80
SHA256

214e6984a2b0caa29d8744255eb62a0bdd0580bd9d1a629ac0b3fe0ba00d1749
SHA512

a69d06472771f0f1546e51939637b8f025c5414aef7855937d63c0e4a42c597479ddf2c3ed4b41f841d5bd9ecf3dada56b57f85e202becae407b2cad90f04e16
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2796	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2796	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2796	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2796	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2796	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2796	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2796	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2796	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2796	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2796	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2796	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2796	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2796	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2796	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2796	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2796	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2796	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2796	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2796	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2796	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2796	schtasks.exe	33

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000600000001958e-9.dat	dcrat
behavioral1/memory/3060-13-0x0000000000DB0000-0x0000000000EC0000-memory.dmp	dcrat
behavioral1/memory/1584-80-0x00000000001A0000-0x00000000002B0000-memory.dmp	dcrat
behavioral1/memory/2376-139-0x0000000000030000-0x0000000000140000-memory.dmp	dcrat
behavioral1/memory/2472-199-0x0000000000890000-0x00000000009A0000-memory.dmp	dcrat
behavioral1/memory/2484-259-0x0000000000DE0000-0x0000000000EF0000-memory.dmp	dcrat
behavioral1/memory/2404-378-0x00000000002D0000-0x00000000003E0000-memory.dmp	dcrat
behavioral1/memory/2812-439-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1748	powershell.exe
1108	powershell.exe
1104	powershell.exe
980	powershell.exe
1124	powershell.exe
1732	powershell.exe
2436	powershell.exe
2484	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
3060	DllCommonsvc.exe
1584	lsm.exe
2376	lsm.exe
2472	lsm.exe
2484	lsm.exe
2556	lsm.exe
2404	lsm.exe
2812	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
2960	cmd.exe
2960	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\fr-FR\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Services\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Services\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\services.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\fr-FR\cmd.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	214e6984a2b0caa29d8744255eb62a0bdd0580bd9d1a629ac0b3fe0ba00d1749.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2100	schtasks.exe
1976	schtasks.exe
2736	schtasks.exe
1688	schtasks.exe
900	schtasks.exe
840	schtasks.exe
2640	schtasks.exe
2728	schtasks.exe
2672	schtasks.exe
2352	schtasks.exe
1776	schtasks.exe
2912	schtasks.exe
2996	schtasks.exe
2472	schtasks.exe
1324	schtasks.exe
1640	schtasks.exe
2316	schtasks.exe
1288	schtasks.exe
2508	schtasks.exe
2024	schtasks.exe
1408	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3060	DllCommonsvc.exe
1748	powershell.exe
1104	powershell.exe
980	powershell.exe
2484	powershell.exe
1108	powershell.exe
2436	powershell.exe
1124	powershell.exe
1732	powershell.exe
1584	lsm.exe
2376	lsm.exe
2472	lsm.exe
2484	lsm.exe
2556	lsm.exe
2404	lsm.exe
2812	lsm.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	DllCommonsvc.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	1584	lsm.exe
Token: SeDebugPrivilege	2376	lsm.exe
Token: SeDebugPrivilege	2472	lsm.exe
Token: SeDebugPrivilege	2484	lsm.exe
Token: SeDebugPrivilege	2556	lsm.exe
Token: SeDebugPrivilege	2404	lsm.exe
Token: SeDebugPrivilege	2812	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2596	2116	214e6984a2b0caa29d8744255eb62a0bdd0580bd9d1a629ac0b3fe0ba00d1749.exe	29
PID 2116 wrote to memory of 2596	2116	214e6984a2b0caa29d8744255eb62a0bdd0580bd9d1a629ac0b3fe0ba00d1749.exe	29
PID 2116 wrote to memory of 2596	2116	214e6984a2b0caa29d8744255eb62a0bdd0580bd9d1a629ac0b3fe0ba00d1749.exe	29
PID 2116 wrote to memory of 2596	2116	214e6984a2b0caa29d8744255eb62a0bdd0580bd9d1a629ac0b3fe0ba00d1749.exe	29
PID 2596 wrote to memory of 2960	2596	WScript.exe	30
PID 2596 wrote to memory of 2960	2596	WScript.exe	30
PID 2596 wrote to memory of 2960	2596	WScript.exe	30
PID 2596 wrote to memory of 2960	2596	WScript.exe	30
PID 2960 wrote to memory of 3060	2960	cmd.exe	32
PID 2960 wrote to memory of 3060	2960	cmd.exe	32
PID 2960 wrote to memory of 3060	2960	cmd.exe	32
PID 2960 wrote to memory of 3060	2960	cmd.exe	32
PID 3060 wrote to memory of 1104	3060	DllCommonsvc.exe	55
PID 3060 wrote to memory of 1104	3060	DllCommonsvc.exe	55
PID 3060 wrote to memory of 1104	3060	DllCommonsvc.exe	55
PID 3060 wrote to memory of 980	3060	DllCommonsvc.exe	56
PID 3060 wrote to memory of 980	3060	DllCommonsvc.exe	56
PID 3060 wrote to memory of 980	3060	DllCommonsvc.exe	56
PID 3060 wrote to memory of 1108	3060	DllCommonsvc.exe	57
PID 3060 wrote to memory of 1108	3060	DllCommonsvc.exe	57
PID 3060 wrote to memory of 1108	3060	DllCommonsvc.exe	57
PID 3060 wrote to memory of 1124	3060	DllCommonsvc.exe	59
PID 3060 wrote to memory of 1124	3060	DllCommonsvc.exe	59
PID 3060 wrote to memory of 1124	3060	DllCommonsvc.exe	59
PID 3060 wrote to memory of 1732	3060	DllCommonsvc.exe	60
PID 3060 wrote to memory of 1732	3060	DllCommonsvc.exe	60
PID 3060 wrote to memory of 1732	3060	DllCommonsvc.exe	60
PID 3060 wrote to memory of 1748	3060	DllCommonsvc.exe	61
PID 3060 wrote to memory of 1748	3060	DllCommonsvc.exe	61
PID 3060 wrote to memory of 1748	3060	DllCommonsvc.exe	61
PID 3060 wrote to memory of 2484	3060	DllCommonsvc.exe	63
PID 3060 wrote to memory of 2484	3060	DllCommonsvc.exe	63
PID 3060 wrote to memory of 2484	3060	DllCommonsvc.exe	63
PID 3060 wrote to memory of 2436	3060	DllCommonsvc.exe	64
PID 3060 wrote to memory of 2436	3060	DllCommonsvc.exe	64
PID 3060 wrote to memory of 2436	3060	DllCommonsvc.exe	64
PID 3060 wrote to memory of 2272	3060	DllCommonsvc.exe	71
PID 3060 wrote to memory of 2272	3060	DllCommonsvc.exe	71
PID 3060 wrote to memory of 2272	3060	DllCommonsvc.exe	71
PID 2272 wrote to memory of 2988	2272	cmd.exe	73
PID 2272 wrote to memory of 2988	2272	cmd.exe	73
PID 2272 wrote to memory of 2988	2272	cmd.exe	73
PID 2272 wrote to memory of 1584	2272	cmd.exe	74
PID 2272 wrote to memory of 1584	2272	cmd.exe	74
PID 2272 wrote to memory of 1584	2272	cmd.exe	74
PID 1584 wrote to memory of 2748	1584	lsm.exe	75
PID 1584 wrote to memory of 2748	1584	lsm.exe	75
PID 1584 wrote to memory of 2748	1584	lsm.exe	75
PID 2748 wrote to memory of 2364	2748	cmd.exe	77
PID 2748 wrote to memory of 2364	2748	cmd.exe	77
PID 2748 wrote to memory of 2364	2748	cmd.exe	77
PID 2748 wrote to memory of 2376	2748	cmd.exe	78
PID 2748 wrote to memory of 2376	2748	cmd.exe	78
PID 2748 wrote to memory of 2376	2748	cmd.exe	78
PID 2376 wrote to memory of 2612	2376	lsm.exe	79
PID 2376 wrote to memory of 2612	2376	lsm.exe	79
PID 2376 wrote to memory of 2612	2376	lsm.exe	79
PID 2612 wrote to memory of 2984	2612	cmd.exe	81
PID 2612 wrote to memory of 2984	2612	cmd.exe	81
PID 2612 wrote to memory of 2984	2612	cmd.exe	81
PID 2612 wrote to memory of 2472	2612	cmd.exe	82
PID 2612 wrote to memory of 2472	2612	cmd.exe	82
PID 2612 wrote to memory of 2472	2612	cmd.exe	82
PID 2472 wrote to memory of 1736	2472	lsm.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\214e6984a2b0caa29d8744255eb62a0bdd0580bd9d1a629ac0b3fe0ba00d1749.exe
"C:\Users\Admin\AppData\Local\Temp\214e6984a2b0caa29d8744255eb62a0bdd0580bd9d1a629ac0b3fe0ba00d1749.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\fr-FR\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Services\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\attachments\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\48Ya0SOAhg.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2272
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2988
      - C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Odt5WJZ2f.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2364
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OxVZsORhRP.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2984
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat"
        11⤵
        
        PID:1736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2540
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat"
        13⤵
        
        PID:1192
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2900
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mv5UKbIUPK.bat"
        15⤵
        
        PID:1968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2256
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KYEunsIO9t.bat"
        17⤵
        
        PID:852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2272
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kKaF7FiTK0.bat"
        19⤵
        
        PID:2296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\fr-FR\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fr-FR\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\fr-FR\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Services\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Services\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\Temp\Crashpad\attachments\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\attachments\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\Temp\Crashpad\attachments\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd20916a8e112acab3590eddbe788f77

SHA1
37b621316045941c956edcfb451232c425ddef9c

SHA256
85a4d8bc3e696a704000cfc691971b983bfe7c3622124642ee389b80453dfc43

SHA512
c96b8aa425c34ef5dc3809a1f2b752511e7717e552831225b34b409ece0cebb8ffbaec620b3c011c725470d4a94bc331ea5b80cfbc96f32c78c25639a3061125

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08c42d853183b9280a989dcb1517487e

SHA1
b7f1ccb63ea5737406782ced21ba2f88fc111c6c

SHA256
333c26a00d3422fa7d1535c55ad8504a4f5d38c23041d77eab6334050faecf6c

SHA512
a915c6ebda84de57b93e04203a31de963939ade53392fe4590acbf8361783bca82188b8e259110cf226da40396c6fcc52aafee1307ff54d439ad52d9518ecb74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9cc4415bdb427bfa585dc6d4b6cbea0

SHA1
66b33852bde39a6cf1ae3ae78ba90e7a548e093d

SHA256
cbc9f199301c9f43cb842052fdb7251982b0340a6ed2831babb6c597a0936bfb

SHA512
2a5d3334730c00c450e9265570a225e4933198a7cb6807d6c73b914ce77e96479c51f2fb20a51d3bfd539fee96b9d7166585f503cdb5cfa2481553f9d4700024

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
993e3c932d82d9efb920f833bb28ae3e

SHA1
3281c881868161a0045ace893919e9a91e1fd6d0

SHA256
29ad0b11b55a1d778f353ac7ff6612ddf14621ea2b8c81bc2503236560554ef4

SHA512
3685f3b161a7683e140a804c0edcaa00948135b0402a07d89e00442f61bbd87fd1efb21bedfb2d29d648654f4860f0e09b2ffb4c55941f564f0ce0a17d6d0c02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0046968c67847e5e16d7c1d5ab83180

SHA1
40a4fad3a7d9085aee360551c7f1308dcb2f852d

SHA256
a7982ccd33a4b0901cd6fdb62106ec9498f89b512e326130abe9e161a5a93771

SHA512
33b72030675d5df3e3f802b5749de3da0f469af1850219c5bea6a59973647a48815d6477f48d47ade16d92c828602b108182bbe1afa4743a43a8dcc9768c5494

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e5e3dd1fcd7f334927a860809149c782

SHA1
facba516f74a230efc315db4ed06686b98032561

SHA256
d47779fe2e6727f58c69efe349a0cb6fccea18e7dc09b33fb292c868b3ad01f0

SHA512
77222f63f2224025bbdebc5b02cb938d6ae0d15adeb9bbb7a2facd4829a866bcc222a6af674cac290896926e2ebc2f8dac5da845d2cf72fa7e5b5cf0ebded1ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Odt5WJZ2f.bat

Filesize
235B

MD5
1ce4a0c6398bf5a061b7b36f1737d0e3

SHA1
a119488f50a6335868351b205351100497d5cf99

SHA256
ee170c1a1765d64ced2f3eb828d54dcf0b9f069cb63f45fa31682006590a30dc

SHA512
ead2161c4c465ed7b9ca93766b145b9edd22273a8ce021004edc16ce18830abe39197695304bbc1b967572607f55e576a641334ebf73126ecd7807b726642fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\48Ya0SOAhg.bat

Filesize
235B

MD5
9c52701ff6629e89bcaebf37953122dd

SHA1
553b9fb9c82c5a90412618439ec855b8d55e8de3

SHA256
85005d6e1e9b0806e3f91f949ba5c9e59acf9b3aed9dd793e8efdbb3251a54d9

SHA512
8513f09d356e052f9c140a27900421563fa2889503877987bad360e6d7f5a69d3900889798b0580272e37bb578f95c6df58a55763299e09bba95adc4c27685d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4BF1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYEunsIO9t.bat

Filesize
235B

MD5
5e538aee916f3d59220357bb07b2b831

SHA1
245b4ae8536d1c4cbcef9b1fa30f34dd009fc92a

SHA256
5d84de769f3c3e95701b996dde204ac94e0fffcdef6d1c52e97f07ef03c4797f

SHA512
9b928aa613fce9d042249b3d9a0f9eb4f1891ad44d163ef7f21301813dd290c3406af31a7ce6ba6d52754eb80eb234ef84303705fae3e00815ec0f8159777ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\OxVZsORhRP.bat

Filesize
235B

MD5
0d4d888c1c3ba546a3bcad6936417b31

SHA1
5cedfdb32b848044dd80c42252d930d2483ad5e6

SHA256
0ca48697358ab906ac5344d463ff993f4304c7f2ed5b1eaa80e255401846d9d5

SHA512
91531fbe0021c15a35c367295d91c96442a9f6a8b347c52a4f093c2719acb2cac978afc1b70938fae3d8e75cf3b762b4f88df8179fb9b8eee1563d750b69487f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat

Filesize
235B

MD5
df669176094f76293a289de5b2723fc3

SHA1
58bc69b0d96e2e06e04c59703ca646355821b79e

SHA256
10e0b869f2b413c98035148ad53848f750a5297f04716c453ad089af2ed48ae3

SHA512
708e2d9b77c90d8ccb6490fd86f907278207c4e94e47bb0f27102cb7eef4ce0b04d020f6c2f062dc86a9a58e80a886eb55e32e17237f3cd1ba7261e29323be7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4C13.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat

Filesize
235B

MD5
a5d0b045fcd26fd4ef248ccc9798ec1a

SHA1
fd3fa696b3fb1f51fb04eb36512adc957bbd9fa0

SHA256
b51bb0e60f6fecc2562a6c8176956bbcffd24b8177d6d1d57c27114746f5b964

SHA512
dc97897a0f6eda61855f3e481f13c00bee089559fc186edb06ece3f96a163bd7af6f0a98abb88db3d44163601bb2b9c619df8c1f140811d8fe99c46131a40d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\kKaF7FiTK0.bat

Filesize
235B

MD5
52ab851291416955060d0ed0d568a64f

SHA1
c38bbc4639865ca1c78add42a8de9455b05b2f44

SHA256
beaa43bb48cf8bd530a03fa7bbcdd6fe409b762cd900fa511441d94e6a67e328

SHA512
343554713150e6151def861c8c7d2f95607f17c057e3cc11ff808f4062ea3453acc6910a10439809e52486085b955c830f1256c75ec4a17eebd82a34c362a525

Download Submit
C:\Users\Admin\AppData\Local\Temp\mv5UKbIUPK.bat

Filesize
235B

MD5
a2ecae16ce311d5f8cd98bad75805307

SHA1
2ff5376d55444e7ba6fd94721c3d09424d91f9ef

SHA256
9f96d1ee9412772ec9422011218f7a23bfbe3683d4afd6ff50496f87b17842b2

SHA512
31fdd1208bcf5ae6429b020d69dfd9c1805ccf08ebfdccb195cc6d1a383e2459beba4c451f4f1859c3683cd6ab0b6e1c65761c3b86f8af484414008c5859107a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9488f2e28651f68ff60190681aaae8cb

SHA1
c71997ec5454085815f913cbf98aca1e1de9cc28

SHA256
c92cceb24b4442351b56787a47b072cdaa02621c875bca5710495c6d1671cbbd

SHA512
e5dfacb32b3a22d62e62e41c3b4429e013031ea5f6eead627677f44de6360151087a3fde17e2878906874226d5608545bdaa3d0f8d77576cca6f00f6b4c62724

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1584-80-0x00000000001A0000-0x00000000002B0000-memory.dmp

Filesize
1.1MB

Download
memory/1748-72-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/1748-50-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2376-139-0x0000000000030000-0x0000000000140000-memory.dmp

Filesize
1.1MB

Download
memory/2404-378-0x00000000002D0000-0x00000000003E0000-memory.dmp

Filesize
1.1MB

Download
memory/2404-379-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2472-199-0x0000000000890000-0x00000000009A0000-memory.dmp

Filesize
1.1MB

Download
memory/2484-259-0x0000000000DE0000-0x0000000000EF0000-memory.dmp

Filesize
1.1MB

Download
memory/2812-439-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/3060-16-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/3060-13-0x0000000000DB0000-0x0000000000EC0000-memory.dmp

Filesize
1.1MB

Download
memory/3060-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/3060-15-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/3060-17-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download