dcrat | 3283f46a9f1c895c001243b0f619a0dc3539f96f36ad0a5b601edcdbbefd32d1

Analysis

max time kernel
146s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3283f46a9f1c895c001243b0f619a0dc3539f96f36ad0a5b601edcdbbefd32d1.exe
Size

1.3MB
MD5

04db33de23cc8d39c2c0568900a9f721
SHA1

f4c4c05b1cf5b4d3fc34b4e80261bba9ae508caa
SHA256

3283f46a9f1c895c001243b0f619a0dc3539f96f36ad0a5b601edcdbbefd32d1
SHA512

4d4cc044bf88f863e35b6e9a1f95c962d34d87d5a289f7c33720f2dea4c5061e224d39784f8646d3d0b369cd2076eacfe8b78e0a5fc3472b67189a0c8c601229
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2624	schtasks.exe	34

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001706d-9.dat	dcrat
behavioral1/memory/2596-13-0x0000000000BC0000-0x0000000000CD0000-memory.dmp	dcrat
behavioral1/memory/1704-59-0x0000000000D00000-0x0000000000E10000-memory.dmp	dcrat
behavioral1/memory/2764-118-0x0000000001010000-0x0000000001120000-memory.dmp	dcrat
behavioral1/memory/3048-178-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat
behavioral1/memory/2872-238-0x0000000000130000-0x0000000000240000-memory.dmp	dcrat
behavioral1/memory/1572-298-0x00000000000C0000-0x00000000001D0000-memory.dmp	dcrat
behavioral1/memory/2584-358-0x0000000000960000-0x0000000000A70000-memory.dmp	dcrat
behavioral1/memory/2180-418-0x0000000000360000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/3000-479-0x0000000001030000-0x0000000001140000-memory.dmp	dcrat
behavioral1/memory/2192-539-0x0000000001040000-0x0000000001150000-memory.dmp	dcrat
behavioral1/memory/1612-599-0x0000000000100000-0x0000000000210000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1044	powershell.exe
1296	powershell.exe
1664	powershell.exe
1740	powershell.exe
2856	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2596	DllCommonsvc.exe
1704	csrss.exe
2764	csrss.exe
3048	csrss.exe
2872	csrss.exe
1572	csrss.exe
2584	csrss.exe
2180	csrss.exe
3000	csrss.exe
2192	csrss.exe
1612	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2680	cmd.exe
2680	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
30	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
23	raw.githubusercontent.com
5	raw.githubusercontent.com
19	raw.githubusercontent.com
33	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3283f46a9f1c895c001243b0f619a0dc3539f96f36ad0a5b601edcdbbefd32d1.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2256	schtasks.exe
3064	schtasks.exe
1360	schtasks.exe
776	schtasks.exe
1720	schtasks.exe
1976	schtasks.exe
2984	schtasks.exe
1088	schtasks.exe
2656	schtasks.exe
1804	schtasks.exe
1780	schtasks.exe
2244	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2596	DllCommonsvc.exe
1664	powershell.exe
1740	powershell.exe
1296	powershell.exe
1044	powershell.exe
2856	powershell.exe
1704	csrss.exe
2764	csrss.exe
3048	csrss.exe
2872	csrss.exe
1572	csrss.exe
2584	csrss.exe
2180	csrss.exe
3000	csrss.exe
2192	csrss.exe
1612	csrss.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	DllCommonsvc.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	1704	csrss.exe
Token: SeDebugPrivilege	2764	csrss.exe
Token: SeDebugPrivilege	3048	csrss.exe
Token: SeDebugPrivilege	2872	csrss.exe
Token: SeDebugPrivilege	1572	csrss.exe
Token: SeDebugPrivilege	2584	csrss.exe
Token: SeDebugPrivilege	2180	csrss.exe
Token: SeDebugPrivilege	3000	csrss.exe
Token: SeDebugPrivilege	2192	csrss.exe
Token: SeDebugPrivilege	1612	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2760	2652	JaffaCakes118_3283f46a9f1c895c001243b0f619a0dc3539f96f36ad0a5b601edcdbbefd32d1.exe	30
PID 2652 wrote to memory of 2760	2652	JaffaCakes118_3283f46a9f1c895c001243b0f619a0dc3539f96f36ad0a5b601edcdbbefd32d1.exe	30
PID 2652 wrote to memory of 2760	2652	JaffaCakes118_3283f46a9f1c895c001243b0f619a0dc3539f96f36ad0a5b601edcdbbefd32d1.exe	30
PID 2652 wrote to memory of 2760	2652	JaffaCakes118_3283f46a9f1c895c001243b0f619a0dc3539f96f36ad0a5b601edcdbbefd32d1.exe	30
PID 2760 wrote to memory of 2680	2760	WScript.exe	31
PID 2760 wrote to memory of 2680	2760	WScript.exe	31
PID 2760 wrote to memory of 2680	2760	WScript.exe	31
PID 2760 wrote to memory of 2680	2760	WScript.exe	31
PID 2680 wrote to memory of 2596	2680	cmd.exe	33
PID 2680 wrote to memory of 2596	2680	cmd.exe	33
PID 2680 wrote to memory of 2596	2680	cmd.exe	33
PID 2680 wrote to memory of 2596	2680	cmd.exe	33
PID 2596 wrote to memory of 1296	2596	DllCommonsvc.exe	47
PID 2596 wrote to memory of 1296	2596	DllCommonsvc.exe	47
PID 2596 wrote to memory of 1296	2596	DllCommonsvc.exe	47
PID 2596 wrote to memory of 1664	2596	DllCommonsvc.exe	48
PID 2596 wrote to memory of 1664	2596	DllCommonsvc.exe	48
PID 2596 wrote to memory of 1664	2596	DllCommonsvc.exe	48
PID 2596 wrote to memory of 1740	2596	DllCommonsvc.exe	49
PID 2596 wrote to memory of 1740	2596	DllCommonsvc.exe	49
PID 2596 wrote to memory of 1740	2596	DllCommonsvc.exe	49
PID 2596 wrote to memory of 2856	2596	DllCommonsvc.exe	51
PID 2596 wrote to memory of 2856	2596	DllCommonsvc.exe	51
PID 2596 wrote to memory of 2856	2596	DllCommonsvc.exe	51
PID 2596 wrote to memory of 1044	2596	DllCommonsvc.exe	52
PID 2596 wrote to memory of 1044	2596	DllCommonsvc.exe	52
PID 2596 wrote to memory of 1044	2596	DllCommonsvc.exe	52
PID 2596 wrote to memory of 1820	2596	DllCommonsvc.exe	57
PID 2596 wrote to memory of 1820	2596	DllCommonsvc.exe	57
PID 2596 wrote to memory of 1820	2596	DllCommonsvc.exe	57
PID 1820 wrote to memory of 2152	1820	cmd.exe	59
PID 1820 wrote to memory of 2152	1820	cmd.exe	59
PID 1820 wrote to memory of 2152	1820	cmd.exe	59
PID 1820 wrote to memory of 1704	1820	cmd.exe	60
PID 1820 wrote to memory of 1704	1820	cmd.exe	60
PID 1820 wrote to memory of 1704	1820	cmd.exe	60
PID 1704 wrote to memory of 2524	1704	csrss.exe	61
PID 1704 wrote to memory of 2524	1704	csrss.exe	61
PID 1704 wrote to memory of 2524	1704	csrss.exe	61
PID 2524 wrote to memory of 2272	2524	cmd.exe	63
PID 2524 wrote to memory of 2272	2524	cmd.exe	63
PID 2524 wrote to memory of 2272	2524	cmd.exe	63
PID 2524 wrote to memory of 2764	2524	cmd.exe	64
PID 2524 wrote to memory of 2764	2524	cmd.exe	64
PID 2524 wrote to memory of 2764	2524	cmd.exe	64
PID 2764 wrote to memory of 1700	2764	csrss.exe	65
PID 2764 wrote to memory of 1700	2764	csrss.exe	65
PID 2764 wrote to memory of 1700	2764	csrss.exe	65
PID 1700 wrote to memory of 2584	1700	cmd.exe	67
PID 1700 wrote to memory of 2584	1700	cmd.exe	67
PID 1700 wrote to memory of 2584	1700	cmd.exe	67
PID 1700 wrote to memory of 3048	1700	cmd.exe	68
PID 1700 wrote to memory of 3048	1700	cmd.exe	68
PID 1700 wrote to memory of 3048	1700	cmd.exe	68
PID 3048 wrote to memory of 1688	3048	csrss.exe	69
PID 3048 wrote to memory of 1688	3048	csrss.exe	69
PID 3048 wrote to memory of 1688	3048	csrss.exe	69
PID 1688 wrote to memory of 1044	1688	cmd.exe	71
PID 1688 wrote to memory of 1044	1688	cmd.exe	71
PID 1688 wrote to memory of 1044	1688	cmd.exe	71
PID 1688 wrote to memory of 2872	1688	cmd.exe	72
PID 1688 wrote to memory of 2872	1688	cmd.exe	72
PID 1688 wrote to memory of 2872	1688	cmd.exe	72
PID 2872 wrote to memory of 2416	2872	csrss.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3283f46a9f1c895c001243b0f619a0dc3539f96f36ad0a5b601edcdbbefd32d1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3283f46a9f1c895c001243b0f619a0dc3539f96f36ad0a5b601edcdbbefd32d1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Utfk4Eg9N4.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1820
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2152
      - C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wLA3izB53h.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2272
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T3kbcxG26A.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2584
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SpZgFYZT4y.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1044
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vdJwOJplm6.bat"
        13⤵
        
        PID:2416
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1524
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat"
        15⤵
        
        PID:648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2764
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\16sHyqWYU0.bat"
        17⤵
        
        PID:2680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2448
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Lq6d7xQt2.bat"
        19⤵
        
        PID:1036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1564
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8RIE4o2SCx.bat"
        21⤵
        
        PID:1276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2804
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fdSjcfTSOA.bat"
        23⤵
        
        PID:2380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1732
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c615f6d579913feaeabd4597686960c

SHA1
f2c7ca807c486e5830b20dc99a4ae96548ab34cd

SHA256
0aa0cdf9553fe95b7f8042965ec3f285132b4d994031447e55d684aa8c18ad55

SHA512
a6f19d770b952d8eddf707fc5f1bdc005fc80d84ec4c13e2661ab03ddc9b877623430ab8f245086daf2d06c138c7652a0871ee639691711bfc33e0b6656b3f99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e75e764868726c38c4266b5b7d14c67

SHA1
89bc256a568edd9a4173d744c3cc8663138c9a52

SHA256
634e0f96b18a6402ed78b7960378e1563187dd74b8d7844c0d60a837f6ffb7e9

SHA512
3f0a30bb1065ec826cef088df0d373277254cb6e63fa960922cb88c9da7a6c71431c825cad9d41aa898244f0632d0f72aee5296c17b8bb2e55842836d887218d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b250161a749acec3a480d7beaf3d3ad

SHA1
ff756c3708223c143cb76a8e0be81e3914be8224

SHA256
06e23940f77268fa1aaeeef453825eb498666db331417bcb87def264ae9ca5d9

SHA512
9302d0d01586a189ef11432ea9561497682068845ccb1fdbcf40891fafa5521bc415aa63c072b2b7b6329eed56d5bc34711c194f12d00be23de84618fd193875

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d93bb35d3167c1ea0404aa0dea11a6b9

SHA1
ea6d1eff1ef790c742c7056911680b51e023415b

SHA256
09a93fa6c878fa8cd1e6003e13e5f0fde91ec8125ca18fd282d1009849a61d92

SHA512
b2e94c28485c305022376c5e7d0161a290dc3bd50a46d9b94584d64ac907dbd30d2426ec8eede604aaa91bcd6c18e99155cacc3092c79283a01ddb39ea2489cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d79875fa61c8f236ff99eed2a517aae4

SHA1
eb4bdd9fe19768ba56395f8b43db01eb2c2353ae

SHA256
6ae591fe5df1692e62b5ef2e46b17c39a6f58b441d393205bd69151e213f450c

SHA512
c0e4a64e8afda09796c3bc6e0c069c7ad4bb10fd139890a87f2dff61aa94955e2a54e1977db88fad4468c756eeaa779f805b4d9ba95d07f35fc7851857d89a33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27e3ba8e0f3c2a7fe3f1cdeb0b616d7b

SHA1
6b96b7be3d14c4d54c77c99b5ccf27dea1c2f31f

SHA256
373ceeca870edfe04181e2678dcaa51129bc0fbcc5396dcf517f2f47aa590c20

SHA512
13b709a5d830c9a0dd86693ec43f8dd91b74e73cc33ea12f190940b8b4637f43e43312b58c11c63a1ecc4eb9d2f1de992916a0674a78519d863addea06fa91b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11c289ea235053bb3a36011eb4088af2

SHA1
55a643628cf3afc5466b29f83d5cbc9ed1b7eb6f

SHA256
ac7a01aa1be999f2b3a9f33949118bf31756ed12f03cf7ff69c9a0e585bc6160

SHA512
88adb482d48aac1ebee9d286e1ef4acf45595f77e39a06a5886060c8d8c427baddcfeb284b0ef098880b62520b855e779310c78b4a0afc7a6212836ceebebd6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d08475a275998a1409a0668bb7df167a

SHA1
72657a89e165a27b7ecbbdd554b869ec134334c5

SHA256
53ec101e0a1e1f1be6314a3396478e21a2c1d7b21fac4fea302262aa5ef8804a

SHA512
61c2a24fb1b1f3b213789644a1b6bcc1be76c3c726871ef86d43be7fa3460c7788c0d0756e9b16ed8a6317d46deda6d8da79c9b68a7fd588f3af99451c2f6e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\16sHyqWYU0.bat

Filesize
222B

MD5
595dbc7377ccc04f07c879575b5173c3

SHA1
7e07aac5eba8e871f0f67aa0f8f4da99c81a1e28

SHA256
16c427730c4432a3c9619de37337a5f91dcf5ceac40a9df4b5a7351a22baa0c8

SHA512
6a56f94a05b066305920cd65664568aba6d872d0e7d59ae5a6cbd50df206cbb5eb71a3be8eceff970c2b72b3222d1e6e0314e6ecae68d64bad857708790e7a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\8Lq6d7xQt2.bat

Filesize
222B

MD5
7355b5af395c1d1b2143b15c34e94bd5

SHA1
5299b8bafbd750a9d598f13700233c7df8e9302b

SHA256
b594552425af8d34b6db3e49af97ba75f14ec0b3ca60f8e699e5815b0258d8a6

SHA512
9b2e4e1fc1446626df36985c87064f765553daf6272eb4042fcb44cf4deb6eea70f9bdb25a1f06000700f70fa4188ef04555ee86da194c7c43e2695ec5486ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\8RIE4o2SCx.bat

Filesize
222B

MD5
eee94369f6b73979c3f831cfd86d2ca3

SHA1
b84fc22ea3c9b0a2a6c97d5b6bddb63053fe00b4

SHA256
b558c1063d5e4057ecc9b8f70d355f6c62ba530d3c5f2387bd02fc83645caba2

SHA512
8d1ae541c8b8af7550761567d559c69bb4758b4d1fa132952726bf2b48338468b1221a0512d8eb8d27b68212a91c99941411e6b565b07766150297228685a1de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7CEF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SpZgFYZT4y.bat

Filesize
222B

MD5
f41ae2f2dc46748c482f97cac1c2d778

SHA1
84f36a3f7de364620a455eb3e99416db564a2f6d

SHA256
504d0cce1c0136df47717e45dbba01d5ec4e0f6652b1ab530f6e6245129956a4

SHA512
c4f432628bc0b9af67ab3cd165adc86b9af9d4c3030e2954ae625c7da49e873c008c8e10de6c8ee8eab73aac1e8152d5d0a581fd5379652faae5bccce8840f11

Download Submit
C:\Users\Admin\AppData\Local\Temp\T3kbcxG26A.bat

Filesize
222B

MD5
033a21ccc9a004e824cbeb307508937d

SHA1
b1b0b4580df810b27dacedf4ad18c8ea7fbc0ad2

SHA256
e2ed73225d470fa0a8d34a0d8b7952df495a35af27ee81e32d497ffa79679eb1

SHA512
e6fdbccd2ef677ba614d61d4019159c5df54063b2a73da793b4d1b2ff779629b4d388298801c633e68bbe53bc0e42e180e3bcdb9d095dd4ad57560aa3d2e66a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7D02.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Utfk4Eg9N4.bat

Filesize
222B

MD5
0c4e54d3b730db40add627a01ff3ef28

SHA1
c6248e12438cbe90cb7d73fa7c444150767bfc56

SHA256
87ae8d2fa78c3d80cbfd63b289688ce42109dddef96a6c838174beefa45b2ee3

SHA512
654438e68ef23deb229a8276d6a5ee1053a7fa7f7e0387ccc952e1515f077a32d722ff33a78c3887d802d6575ecd1c23043f7512292f8d0d505697cfc114f058

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat

Filesize
222B

MD5
43a0be8dfc4f4f1bb964ab57a8115420

SHA1
7579d9bf4a9ae4fe479642eabec6590927a3dc01

SHA256
83711585159ab7cccc39c03939520161589bf33e3678942b78c7db2c274ea4c0

SHA512
10154424e37c9e30905c6b88c9f106d15072b5baee3d9a15cc509e596c84bf8a801c802f5f7ba5343c21cc8ea193e7e50fade6d667db235492e4008fa9e63265

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdSjcfTSOA.bat

Filesize
222B

MD5
182f5741c11d508152dfd0c04886a2c2

SHA1
949257f30b420efa809346ba9ef63bcbb4dabbf7

SHA256
a2142ff150401ecd0e70cdd31af32514e82ad49a59316dac4dd4fec86189134d

SHA512
992307176ffd55c6899544d732953e6aaac23203e020f3dc87385a66d401b5beeebc6c3489df73397adb99fe536322c515ec214298ebdd50ea4653a9f3d65d7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdJwOJplm6.bat

Filesize
222B

MD5
5db595c045f66a090906e4109a9e321a

SHA1
fa63c42debc44d579574afb19cb5c0a8ece28ef9

SHA256
3bc64f8e0aa12fc27601f03b6e95df25eabf5c677aca2cd530db7a9e939fe64a

SHA512
e24d1524aff201d6a6cac698fd368471c70d28a5143b7b141bb82ea11fa0298ebc243cc7c92d24de6d6105323843aab6090b9c18ca040b8d42c9874dc54865ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\wLA3izB53h.bat

Filesize
222B

MD5
84b5fcb1c1a16fb3a366461b23d53774

SHA1
932ae1fe00bcbb9b6689250480ae783f95f2f778

SHA256
4a01ba53d71711334ab726e246d09a827d6bd7066a34df2b4e54eec8c5c5eb5c

SHA512
690e893d3795980d26598039c6c516d317749a7b258fb5e99e1b30d8371b4bca9c75eb64e6f63919ef21448b37404dd92514d593870b8548bc08ce7bef0c24b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ef2f4c6ab9af2cf2612d3829e1ccae80

SHA1
3c7b2d1d3a5765479cafb7b6224b78deaf8a5bbc

SHA256
43b00bc80ba3212088baacca11c30d341d9d13f0d7c6607ba037b017e5eb36a7

SHA512
ca70d700741b355cb8ff919d6c17e26c5e713fd526fe46c9dd9ad331c70f822684b415d751498547d53f0a664a9ecf631b3e9257d7685592bba49527868c2232

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1572-298-0x00000000000C0000-0x00000000001D0000-memory.dmp

Filesize
1.1MB

Download
memory/1612-599-0x0000000000100000-0x0000000000210000-memory.dmp

Filesize
1.1MB

Download
memory/1664-35-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/1664-36-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/1704-59-0x0000000000D00000-0x0000000000E10000-memory.dmp

Filesize
1.1MB

Download
memory/2180-418-0x0000000000360000-0x0000000000470000-memory.dmp

Filesize
1.1MB

Download
memory/2180-419-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2192-539-0x0000000001040000-0x0000000001150000-memory.dmp

Filesize
1.1MB

Download
memory/2584-358-0x0000000000960000-0x0000000000A70000-memory.dmp

Filesize
1.1MB

Download
memory/2596-14-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2596-13-0x0000000000BC0000-0x0000000000CD0000-memory.dmp

Filesize
1.1MB

Download
memory/2596-17-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2596-16-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2596-15-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/2764-118-0x0000000001010000-0x0000000001120000-memory.dmp

Filesize
1.1MB

Download
memory/2872-238-0x0000000000130000-0x0000000000240000-memory.dmp

Filesize
1.1MB

Download
memory/3000-479-0x0000000001030000-0x0000000001140000-memory.dmp

Filesize
1.1MB

Download
memory/3048-178-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download