dcrat | e8b54fc781582dcb16662284177afa31be736474e2ec6f0d072f0a3b4c702d83

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e8b54fc781582dcb16662284177afa31be736474e2ec6f0d072f0a3b4c702d83.exe
Size

1.3MB
MD5

acc69955fefef0e4d343ce375d3e413d
SHA1

b2980fd90b00c7d7202cf270048058ee35e4fbf2
SHA256

e8b54fc781582dcb16662284177afa31be736474e2ec6f0d072f0a3b4c702d83
SHA512

59ba0ce1851506628186a7a43ef8856e82974a00c85be89a964115b1be335a02e214ea5c41dcd0990019bfae3b8c429b804e4c37caa2a264ff0c469d89f92b2e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2728	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000160d5-10.dat	dcrat
behavioral1/memory/2720-13-0x00000000003B0000-0x00000000004C0000-memory.dmp	dcrat
behavioral1/memory/960-59-0x0000000001070000-0x0000000001180000-memory.dmp	dcrat
behavioral1/memory/1912-237-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat
behavioral1/memory/1860-534-0x0000000000130000-0x0000000000240000-memory.dmp	dcrat
behavioral1/memory/2284-594-0x0000000000A80000-0x0000000000B90000-memory.dmp	dcrat
behavioral1/memory/880-654-0x0000000001200000-0x0000000001310000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1236	powershell.exe
1980	powershell.exe
1736	powershell.exe
2144	powershell.exe
1728	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2720	DllCommonsvc.exe
960	csrss.exe
1712	csrss.exe
2308	csrss.exe
1912	csrss.exe
1640	csrss.exe
2928	csrss.exe
2812	csrss.exe
2164	csrss.exe
1860	csrss.exe
2284	csrss.exe
880	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2284	cmd.exe
2284	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
19	raw.githubusercontent.com
28	raw.githubusercontent.com
32	raw.githubusercontent.com
38	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
35	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\WmiPrvSE.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Media Player\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\24dbde2999530e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e8b54fc781582dcb16662284177afa31be736474e2ec6f0d072f0a3b4c702d83.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2632	schtasks.exe
2780	schtasks.exe
2620	schtasks.exe
2080	schtasks.exe
812	schtasks.exe
2596	schtasks.exe
1564	schtasks.exe
2060	schtasks.exe
3044	schtasks.exe
1252	schtasks.exe
1580	schtasks.exe
1028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2720	DllCommonsvc.exe
2720	DllCommonsvc.exe
2720	DllCommonsvc.exe
1736	powershell.exe
1728	powershell.exe
1980	powershell.exe
2144	powershell.exe
1236	powershell.exe
960	csrss.exe
1712	csrss.exe
2308	csrss.exe
1912	csrss.exe
1640	csrss.exe
2928	csrss.exe
2812	csrss.exe
2164	csrss.exe
1860	csrss.exe
2284	csrss.exe
880	csrss.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	DllCommonsvc.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	960	csrss.exe
Token: SeDebugPrivilege	1712	csrss.exe
Token: SeDebugPrivilege	2308	csrss.exe
Token: SeDebugPrivilege	1912	csrss.exe
Token: SeDebugPrivilege	1640	csrss.exe
Token: SeDebugPrivilege	2928	csrss.exe
Token: SeDebugPrivilege	2812	csrss.exe
Token: SeDebugPrivilege	2164	csrss.exe
Token: SeDebugPrivilege	1860	csrss.exe
Token: SeDebugPrivilege	2284	csrss.exe
Token: SeDebugPrivilege	880	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 1100	2400	JaffaCakes118_e8b54fc781582dcb16662284177afa31be736474e2ec6f0d072f0a3b4c702d83.exe	30
PID 2400 wrote to memory of 1100	2400	JaffaCakes118_e8b54fc781582dcb16662284177afa31be736474e2ec6f0d072f0a3b4c702d83.exe	30
PID 2400 wrote to memory of 1100	2400	JaffaCakes118_e8b54fc781582dcb16662284177afa31be736474e2ec6f0d072f0a3b4c702d83.exe	30
PID 2400 wrote to memory of 1100	2400	JaffaCakes118_e8b54fc781582dcb16662284177afa31be736474e2ec6f0d072f0a3b4c702d83.exe	30
PID 1100 wrote to memory of 2284	1100	WScript.exe	31
PID 1100 wrote to memory of 2284	1100	WScript.exe	31
PID 1100 wrote to memory of 2284	1100	WScript.exe	31
PID 1100 wrote to memory of 2284	1100	WScript.exe	31
PID 2284 wrote to memory of 2720	2284	cmd.exe	33
PID 2284 wrote to memory of 2720	2284	cmd.exe	33
PID 2284 wrote to memory of 2720	2284	cmd.exe	33
PID 2284 wrote to memory of 2720	2284	cmd.exe	33
PID 2720 wrote to memory of 1236	2720	DllCommonsvc.exe	47
PID 2720 wrote to memory of 1236	2720	DllCommonsvc.exe	47
PID 2720 wrote to memory of 1236	2720	DllCommonsvc.exe	47
PID 2720 wrote to memory of 1980	2720	DllCommonsvc.exe	48
PID 2720 wrote to memory of 1980	2720	DllCommonsvc.exe	48
PID 2720 wrote to memory of 1980	2720	DllCommonsvc.exe	48
PID 2720 wrote to memory of 1728	2720	DllCommonsvc.exe	49
PID 2720 wrote to memory of 1728	2720	DllCommonsvc.exe	49
PID 2720 wrote to memory of 1728	2720	DllCommonsvc.exe	49
PID 2720 wrote to memory of 1736	2720	DllCommonsvc.exe	50
PID 2720 wrote to memory of 1736	2720	DllCommonsvc.exe	50
PID 2720 wrote to memory of 1736	2720	DllCommonsvc.exe	50
PID 2720 wrote to memory of 2144	2720	DllCommonsvc.exe	51
PID 2720 wrote to memory of 2144	2720	DllCommonsvc.exe	51
PID 2720 wrote to memory of 2144	2720	DllCommonsvc.exe	51
PID 2720 wrote to memory of 768	2720	DllCommonsvc.exe	57
PID 2720 wrote to memory of 768	2720	DllCommonsvc.exe	57
PID 2720 wrote to memory of 768	2720	DllCommonsvc.exe	57
PID 768 wrote to memory of 1724	768	cmd.exe	59
PID 768 wrote to memory of 1724	768	cmd.exe	59
PID 768 wrote to memory of 1724	768	cmd.exe	59
PID 768 wrote to memory of 960	768	cmd.exe	60
PID 768 wrote to memory of 960	768	cmd.exe	60
PID 768 wrote to memory of 960	768	cmd.exe	60
PID 960 wrote to memory of 1648	960	csrss.exe	61
PID 960 wrote to memory of 1648	960	csrss.exe	61
PID 960 wrote to memory of 1648	960	csrss.exe	61
PID 1648 wrote to memory of 2560	1648	cmd.exe	63
PID 1648 wrote to memory of 2560	1648	cmd.exe	63
PID 1648 wrote to memory of 2560	1648	cmd.exe	63
PID 1648 wrote to memory of 1712	1648	cmd.exe	64
PID 1648 wrote to memory of 1712	1648	cmd.exe	64
PID 1648 wrote to memory of 1712	1648	cmd.exe	64
PID 1712 wrote to memory of 1636	1712	csrss.exe	65
PID 1712 wrote to memory of 1636	1712	csrss.exe	65
PID 1712 wrote to memory of 1636	1712	csrss.exe	65
PID 1636 wrote to memory of 2052	1636	cmd.exe	67
PID 1636 wrote to memory of 2052	1636	cmd.exe	67
PID 1636 wrote to memory of 2052	1636	cmd.exe	67
PID 1636 wrote to memory of 2308	1636	cmd.exe	68
PID 1636 wrote to memory of 2308	1636	cmd.exe	68
PID 1636 wrote to memory of 2308	1636	cmd.exe	68
PID 2308 wrote to memory of 1396	2308	csrss.exe	69
PID 2308 wrote to memory of 1396	2308	csrss.exe	69
PID 2308 wrote to memory of 1396	2308	csrss.exe	69
PID 1396 wrote to memory of 588	1396	cmd.exe	71
PID 1396 wrote to memory of 588	1396	cmd.exe	71
PID 1396 wrote to memory of 588	1396	cmd.exe	71
PID 1396 wrote to memory of 1912	1396	cmd.exe	72
PID 1396 wrote to memory of 1912	1396	cmd.exe	72
PID 1396 wrote to memory of 1912	1396	cmd.exe	72
PID 1912 wrote to memory of 776	1912	csrss.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8b54fc781582dcb16662284177afa31be736474e2ec6f0d072f0a3b4c702d83.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8b54fc781582dcb16662284177afa31be736474e2ec6f0d072f0a3b4c702d83.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rEhgKfjipi.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:768
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1724
      - C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3j9hYFnRH7.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2560
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aWJwCUxpp4.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2052
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:588
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat"
        13⤵
        
        PID:776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1508
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat"
        15⤵
        
        PID:2780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1776
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iYTmIkWLiw.bat"
        17⤵
        
        PID:708
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1308
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cu7QADyCUt.bat"
        19⤵
        
        PID:988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2352
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fELEOgu8eF.bat"
        21⤵
        
        PID:2652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1704
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FdUsM3mSuD.bat"
        23⤵
        
        PID:1888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2828
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xc1v93Hoh1.bat"
        25⤵
        
        PID:336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:920
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtKWrLEt72.bat"
        27⤵
        
        PID:888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de36b39af6c869a26cc2f4163f8bd88d

SHA1
29530ebda90541890cd167e7062f2303609939fa

SHA256
f65477ee88be388ad8e9daed433e56d4fa438d492362b226b738f1ad13dbce19

SHA512
9fbb6d71930d4f9197654be40f0f943ec27e4cd93a8fa6b89147a0faacb2828856b2623753d501fd7cbafa75e8f7fd0afd2341eaf9ad1e2462f6007ca311358c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e46d0dd1319ce1762872010a459bc2cb

SHA1
60db8550cb3ffb6f6fb2f2dca8d6e21dc1c7d859

SHA256
c9d2a030ae25fe6a54ab5d7d5b4567a372206674ec44cb32e4ea6cb92acf490e

SHA512
ad1a119f529ee8764985127c3f4c108421781ea7911d2f1a9b8dc645ed4d7df7029cdb6cd22aa35ec0c3d6185cfe005ebd7c83b38011775468b272c12c390e6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f8e2311f8f54812351bc26f2767a9fe

SHA1
05257a30514224e787c406d2e310c94cba0ff985

SHA256
80d9e7809ba63741f539990a2d576a626c428b81b9cef23604894f20d0773a6e

SHA512
83e911bf5c462141a4c38b53277c5f11538145fda7797362f04f7c731a590f181a93666d09163c66a1c19ced5c60c37a27a812c5cb59f35ffd0ae5d2f2306be8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e99bbf2d69c0c79f89d925363152295d

SHA1
e37ce081d8bcebbfe54c68ea33f993fe79cc62b6

SHA256
81fc15ea9645c5ac9689f2799a75cc953d90a3b3f30d42b4b4cd8990b4dc013c

SHA512
e098c33c43761aa5d5f82d58ac13293ab1217beeaf179995f7eabd7f26190b41f5646c6c2182c6c64d71014d2f1b8461d0feff156c5f489e4c00b9aad9ae0cfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e778a80e9d67648f6903fcea30ac0f0

SHA1
a2f4b6c8c4f2c1c3032e21c62f3974f64a1d7baa

SHA256
998bd4d9ab38846f33bf97d82cff4499c46a5c7023e8917ad7f9b5143ea5ec50

SHA512
6868ee1d8674118fbcd160443514859d84d508a79f6f7610f5edbb136f21e1c1856fafa47892468f5b5a55093bb91de28221ae09b19509bf663e20c5d788b93a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0444b29659960adb86d169c660218d9

SHA1
fc9122f3e96936181fe8f3a5d5ddf86995e2c7ce

SHA256
df775d7b3544216070e8b1643cd4a8e4f277f06ba77afdb705eab2a714770290

SHA512
876f087513c168f34dcbd553309af149b770824f81d3bfaf82527d868f48dc85dbe09d4428306e95f32747657f63712d924f5cdcc479bfb9b83b06ace2f99f8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02f37be18e62469a0e8eb9f3917e03e6

SHA1
5f440c78ca5c77b1961ce2686e40677e9c1a6e34

SHA256
cea31c1d62b51d131d61fbe77600270f16598eb458c6ad833420338bffe510f2

SHA512
a02376999356a2d9dddf941d4d6ce3e200b754b0220b6c59e555e87d2e36e71fc6e3db1dbe7d1117465b3de490bcf4e92bc859dc7539583608c9522197409794

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08d5157dcfcf0fcf60134232d043bdd3

SHA1
d606cd83e7e137f62296b6e725d7a8a7f7989f69

SHA256
50b3a7bbac00f3a582986009333d0892c52c9bcdf9cff67f4c4be1408563e034

SHA512
41d8a1c937f22fc93c846fb39dec167c5a76308b86517d4b2bfd87104abe5cd5e15d84c9161a4322644902cff33785e6a397ce8f8b3c3a5128b1951c0b17b8d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73dbb1c3879625d5ca435406c7372619

SHA1
1e32c5643aa56e48774f6efe75c72773d084e14c

SHA256
efa7ac241b1fbe2f1b4d70d1450bd91f11e1edb8341b68b66f83c672688f4977

SHA512
ceef622453f90b559929835bf269dbe8ae2b2e74c930b0717de62787fada0e99e6002be0bf802467756ba3fd9743b47232c7725b680ace6d693707a2ed7aca3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
950bec5b32e86c4aa0f2adc2426529d2

SHA1
ed866bb9102f9e3271fdbcc6c26c0d02f388d26a

SHA256
2a5b87812a1446667e90349a138847e7a7d12bb2c903afe85bb0835c1ea41dd0

SHA512
5e0150e922a80ba6575d3579aae971d01f2e273a6539bef294b5a407017e76f9c8b2f7d7a56367232ba21f66d9f04a10aa4993aea7b706a5f47fd4315aa893c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat

Filesize
192B

MD5
9026c8330770950a2d5382af86d730ff

SHA1
729ddf380aeff7e543e16a5001a21872bdf1d305

SHA256
8028e7c3e32933d84d856ba9185490d3ca52e1d3e10b3d9d22617a64a4411fcf

SHA512
ad231455b5d7e57dd62ce2059bd69106dbc6060bc2510755587b46d1c4d977c7f11d12c9c1ec144aef7d0416c4ae8e672645d82c85bff0b2b82139352afafdc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3j9hYFnRH7.bat

Filesize
192B

MD5
c5b4860c4286cffc6868950a125372df

SHA1
53a8f70a9c92e3053059f5f677b6770f2a845f2f

SHA256
50562a79b1a27e87970b0f3758e2261af93e3e0196b29e2952e152fb01bb958e

SHA512
45a64b2a2999bae63c581b1ffe3d466d980f0701b703db972cc56c03a1878e7fdabdd6959f19c206805ab48a3c5d35c68e4bb4831ab71d84d756ce039ca4d0d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat

Filesize
192B

MD5
f7ea9ed791e3a924750407fb8a979089

SHA1
9f932f269692520d0208d72d76077d551fc8c27f

SHA256
65d4a430bfcb41fef4969b2c8ba16db1375017fa43714537037182348b8123bb

SHA512
e5e63ddceb52f4d29fe8385e9f49de744a985d697572e5d713b6bbdb050c9cfad0c82762c6c1c83219cf2a6780c129831010ab3607e9c10b68887fa3fb055c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5E29.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FdUsM3mSuD.bat

Filesize
192B

MD5
bfa440589af3162963f6944306c06f97

SHA1
719e04fbff36d20a1d6e6fa4ec37b19306211cb9

SHA256
255fd5c0f49ea8acbe6d62a8a7cc22366e0fc28c967ada3713fbc64456f6349b

SHA512
c6b58a872dc68227a2f07e5b204d49f6433a90e7cb9cc854d5a68165231726c13b88c3d75d47a96b3b1d19221a4433140347bf29198ac12e3c31da3d61970120

Download Submit
C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat

Filesize
192B

MD5
f5ec330c4cf9c580df3451a32b3e829e

SHA1
39b2d467335e4a457b07c15d19a7637897e959dd

SHA256
3554d25968f6fe75a970ccd8bb7b51cb60aae15f35f88b9f8139a698ef78ff3f

SHA512
1d860b5c0c721380dda0492dba975850c4adeeb04e6c3a414d7953a55bd8bf840c8c056535469ca16352f5fbf801541f047c8f2ff9d00d98de59516c31186f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5E3C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WtKWrLEt72.bat

Filesize
192B

MD5
8f920cfc87dd152a024a5d3530083b2f

SHA1
183038d4ab4ecba8aa99f395d550223b73682512

SHA256
1e4388dc52bd9ce8a7f9fe0a10d2600c473385e794cfdd42e079d75679400fa1

SHA512
3da4877dfed70a049562c9b1c0da4cfc772704573346c07cd478bdb3407a4311f9a133c0b0554817de3ac5786e52d27a6739b9e470c0bf88cffd7d6b9ecba935

Download Submit
C:\Users\Admin\AppData\Local\Temp\aWJwCUxpp4.bat

Filesize
192B

MD5
27a7710a70084f8f5e5b69740ad65225

SHA1
4bdb543d3c564b71114872db0ffa655cf8365d85

SHA256
06fa70299ce83bf163e66ad8dc03dae981fa54052ba9b40dbedfe738d1a6fd3e

SHA512
b0cb431dd46de73d108abdbc829651013305fd7b987bc9125ec5cfc4ed2cdbaf20ca75191312a29c54e75645e7c5d00e7381f1af9025db0edec86f0b1c88024d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cu7QADyCUt.bat

Filesize
192B

MD5
2dfcc7a5d381f13eb7a0ab76e4d53d89

SHA1
912a7c3485d3894849568d54789456010f2ba661

SHA256
7b405f5b3593e9bf445c7fa21d99ff4d042d6af8010499f52b60a8ecdcf6ab07

SHA512
82411fb8598b9eef9cddb9b58f6a1b3bd302e82d6ae806730e64e35920087957c5e2e0e3a705c3e0936d24a988c7b638c82ac14800071ba75872ffe0a483de4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fELEOgu8eF.bat

Filesize
192B

MD5
7ffcb78cf6853fc7eca196cc33349489

SHA1
1fa2df339262c17eb33f9c290f32accb2522e925

SHA256
10ac11a43e652e819da5ec6eaa42a10bd4365bbcdeab484176a8beee8207b0a2

SHA512
ecd005fef3ad994ae00f40bb2fc72124cc2c5d9303919c1c5a4af598c14ab7bc6cb116d8cb4a3d6790f12c3ea08b5cc52c626bc942baa71446e6930a8d5f8b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYTmIkWLiw.bat

Filesize
192B

MD5
d7c37342e2985db0a15d2cdc41550a0c

SHA1
0b140b7779e76b2e102f4b3392e54a52e99272ba

SHA256
97b1685fbdad63dfcb8c74784c5c782c051aacdfd324157ac8768687618bb0c3

SHA512
40ffd0a937a4b7aaaa05ffac0be65eb4f2ecb88c442670204b2a465bfd2711369a160647b5d250d317f3a8c7c6d8aa030b55ee1eb290bd4dcc3e6a3a3ee0b8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rEhgKfjipi.bat

Filesize
192B

MD5
ec2f915bed29e3822b605032cb303a22

SHA1
220dfa590356d47c18b8e81a9782e3224d80e6c8

SHA256
607dae0d313af4d1f83d724f7ff3308a604361edefd4e4b5fc177396c178191b

SHA512
ae4c7fe593687d739ab813048f72ffec68a7092abefa70c2df5046208350cc97a13f5d5eee42f7281f7bca6e0ac6cce10bdf007d7bdd5d2dc3ffa87c3c857ead

Download Submit
C:\Users\Admin\AppData\Local\Temp\xc1v93Hoh1.bat

Filesize
192B

MD5
ad23293246f852ae680c1eca91794d57

SHA1
94d76e71a73e2c253233c688c6522553697639cd

SHA256
49f870e0efc165f9a7a0a4f0436599343d580cde8717ce2977a7cc07af243270

SHA512
f75c631c4fb14e5d6930f9fc84edd79f1cd55941cab78bb667b623a300ff06f4956a0e021e2c292d36b492e8d7ea1731688aaba9e5c9af2f04670d82d82cc3a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\63P2SNU60H79D4S7M1MS.temp

Filesize
7KB

MD5
b7d1855a9bfa50a050a218f54ee0b1cb

SHA1
3b0b90274773acaeb644ebfbd3ae6d206b1f6ccf

SHA256
2aefa11fb347609fe2700f0c54882500591ca0a82583ac7ba55ba1a9e7756067

SHA512
48df8a9f24e07c62d23230439a99c650b97d1cdd9ebc41a512c80c8c10a9af2ae7a59f1b006de830ceba6a1d2a53b84a9ae776b20bbb5612686ab9125b19b967

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/880-654-0x0000000001200000-0x0000000001310000-memory.dmp

Filesize
1.1MB

Download
memory/960-60-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/960-59-0x0000000001070000-0x0000000001180000-memory.dmp

Filesize
1.1MB

Download
memory/1860-534-0x0000000000130000-0x0000000000240000-memory.dmp

Filesize
1.1MB

Download
memory/1912-237-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/1980-54-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/1980-55-0x0000000002050000-0x0000000002058000-memory.dmp

Filesize
32KB

Download
memory/2284-594-0x0000000000A80000-0x0000000000B90000-memory.dmp

Filesize
1.1MB

Download
memory/2720-15-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/2720-14-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/2720-13-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download
memory/2720-16-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/2720-17-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/2928-356-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download