dcrat | 4c515d3dbf9ecaffb9159c3b8ad6915f8fa0c293dfa524008848b9dd2cb9565e

Analysis

max time kernel
120s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-01-2025 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c515d3dbf9ecaffb9159c3b8ad6915f8fa0c293dfa524008848b9dd2cb9565e.exe
Size

1.3MB
MD5

aca556190729f0f2f90b12a52c440453
SHA1

f9c791e5be25dd97b1b7982a9d09074cc3d14b8c
SHA256

4c515d3dbf9ecaffb9159c3b8ad6915f8fa0c293dfa524008848b9dd2cb9565e
SHA512

09d7a43c22996b8220366f07c77999d1676ef7305bec7e4fb9b28eff25d501a6065e50727de9b48e75db918aa3d10529bbe8ec9f73e3678e210f9b1d6ede8f5e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjCZ:UbA30GnzV/q+DnsXgP

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2076	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	2076	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2076	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2076	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	2076	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2076	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2076	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2076	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2076	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2076	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2076	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2076	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2076	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2076	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2076	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000900000001756b-9.dat	dcrat
behavioral1/memory/2692-13-0x0000000000330000-0x0000000000440000-memory.dmp	dcrat
behavioral1/memory/1060-60-0x00000000003E0000-0x00000000004F0000-memory.dmp	dcrat
behavioral1/memory/2840-124-0x0000000000340000-0x0000000000450000-memory.dmp	dcrat
behavioral1/memory/920-185-0x0000000000C10000-0x0000000000D20000-memory.dmp	dcrat
behavioral1/memory/2164-245-0x0000000000190000-0x00000000002A0000-memory.dmp	dcrat
behavioral1/memory/1060-305-0x0000000000B70000-0x0000000000C80000-memory.dmp	dcrat
behavioral1/memory/2688-424-0x0000000000120000-0x0000000000230000-memory.dmp	dcrat
behavioral1/memory/2968-484-0x0000000000EB0000-0x0000000000FC0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
700	powershell.exe
760	powershell.exe
2376	powershell.exe
1944	powershell.exe
2084	powershell.exe
648	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2692	DllCommonsvc.exe
1060	Idle.exe
2840	Idle.exe
920	Idle.exe
2164	Idle.exe
1060	Idle.exe
2388	Idle.exe
2688	Idle.exe
2968	Idle.exe
2196	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2756	cmd.exe
2756	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
19	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\it-IT\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\it-IT\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\inf\de-DE\cmd.exe	DllCommonsvc.exe
File created	C:\Windows\inf\de-DE\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Windows\addins\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\addins\6ccacd8608530f	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c515d3dbf9ecaffb9159c3b8ad6915f8fa0c293dfa524008848b9dd2cb9565e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
432	schtasks.exe
1500	schtasks.exe
3068	schtasks.exe
832	schtasks.exe
2412	schtasks.exe
1936	schtasks.exe
1672	schtasks.exe
1484	schtasks.exe
316	schtasks.exe
1384	schtasks.exe
1652	schtasks.exe
2952	schtasks.exe
2968	schtasks.exe
3036	schtasks.exe
2132	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2692	DllCommonsvc.exe
700	powershell.exe
648	powershell.exe
1944	powershell.exe
2084	powershell.exe
2376	powershell.exe
760	powershell.exe
1060	Idle.exe
2840	Idle.exe
920	Idle.exe
2164	Idle.exe
1060	Idle.exe
2388	Idle.exe
2688	Idle.exe
2968	Idle.exe
2196	Idle.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	DllCommonsvc.exe
Token: SeDebugPrivilege	700	powershell.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	1060	Idle.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	2840	Idle.exe
Token: SeDebugPrivilege	920	Idle.exe
Token: SeDebugPrivilege	2164	Idle.exe
Token: SeDebugPrivilege	1060	Idle.exe
Token: SeDebugPrivilege	2388	Idle.exe
Token: SeDebugPrivilege	2688	Idle.exe
Token: SeDebugPrivilege	2968	Idle.exe
Token: SeDebugPrivilege	2196	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2812	2808	4c515d3dbf9ecaffb9159c3b8ad6915f8fa0c293dfa524008848b9dd2cb9565e.exe	30
PID 2808 wrote to memory of 2812	2808	4c515d3dbf9ecaffb9159c3b8ad6915f8fa0c293dfa524008848b9dd2cb9565e.exe	30
PID 2808 wrote to memory of 2812	2808	4c515d3dbf9ecaffb9159c3b8ad6915f8fa0c293dfa524008848b9dd2cb9565e.exe	30
PID 2808 wrote to memory of 2812	2808	4c515d3dbf9ecaffb9159c3b8ad6915f8fa0c293dfa524008848b9dd2cb9565e.exe	30
PID 2812 wrote to memory of 2756	2812	WScript.exe	31
PID 2812 wrote to memory of 2756	2812	WScript.exe	31
PID 2812 wrote to memory of 2756	2812	WScript.exe	31
PID 2812 wrote to memory of 2756	2812	WScript.exe	31
PID 2756 wrote to memory of 2692	2756	cmd.exe	33
PID 2756 wrote to memory of 2692	2756	cmd.exe	33
PID 2756 wrote to memory of 2692	2756	cmd.exe	33
PID 2756 wrote to memory of 2692	2756	cmd.exe	33
PID 2692 wrote to memory of 1944	2692	DllCommonsvc.exe	50
PID 2692 wrote to memory of 1944	2692	DllCommonsvc.exe	50
PID 2692 wrote to memory of 1944	2692	DllCommonsvc.exe	50
PID 2692 wrote to memory of 2084	2692	DllCommonsvc.exe	51
PID 2692 wrote to memory of 2084	2692	DllCommonsvc.exe	51
PID 2692 wrote to memory of 2084	2692	DllCommonsvc.exe	51
PID 2692 wrote to memory of 648	2692	DllCommonsvc.exe	53
PID 2692 wrote to memory of 648	2692	DllCommonsvc.exe	53
PID 2692 wrote to memory of 648	2692	DllCommonsvc.exe	53
PID 2692 wrote to memory of 2376	2692	DllCommonsvc.exe	54
PID 2692 wrote to memory of 2376	2692	DllCommonsvc.exe	54
PID 2692 wrote to memory of 2376	2692	DllCommonsvc.exe	54
PID 2692 wrote to memory of 760	2692	DllCommonsvc.exe	55
PID 2692 wrote to memory of 760	2692	DllCommonsvc.exe	55
PID 2692 wrote to memory of 760	2692	DllCommonsvc.exe	55
PID 2692 wrote to memory of 700	2692	DllCommonsvc.exe	56
PID 2692 wrote to memory of 700	2692	DllCommonsvc.exe	56
PID 2692 wrote to memory of 700	2692	DllCommonsvc.exe	56
PID 2692 wrote to memory of 1060	2692	DllCommonsvc.exe	62
PID 2692 wrote to memory of 1060	2692	DllCommonsvc.exe	62
PID 2692 wrote to memory of 1060	2692	DllCommonsvc.exe	62
PID 1060 wrote to memory of 3052	1060	Idle.exe	63
PID 1060 wrote to memory of 3052	1060	Idle.exe	63
PID 1060 wrote to memory of 3052	1060	Idle.exe	63
PID 3052 wrote to memory of 2904	3052	cmd.exe	65
PID 3052 wrote to memory of 2904	3052	cmd.exe	65
PID 3052 wrote to memory of 2904	3052	cmd.exe	65
PID 3052 wrote to memory of 2840	3052	cmd.exe	66
PID 3052 wrote to memory of 2840	3052	cmd.exe	66
PID 3052 wrote to memory of 2840	3052	cmd.exe	66
PID 2840 wrote to memory of 2200	2840	Idle.exe	67
PID 2840 wrote to memory of 2200	2840	Idle.exe	67
PID 2840 wrote to memory of 2200	2840	Idle.exe	67
PID 2200 wrote to memory of 2260	2200	cmd.exe	69
PID 2200 wrote to memory of 2260	2200	cmd.exe	69
PID 2200 wrote to memory of 2260	2200	cmd.exe	69
PID 2200 wrote to memory of 920	2200	cmd.exe	70
PID 2200 wrote to memory of 920	2200	cmd.exe	70
PID 2200 wrote to memory of 920	2200	cmd.exe	70
PID 920 wrote to memory of 2168	920	Idle.exe	71
PID 920 wrote to memory of 2168	920	Idle.exe	71
PID 920 wrote to memory of 2168	920	Idle.exe	71
PID 2168 wrote to memory of 1648	2168	cmd.exe	73
PID 2168 wrote to memory of 1648	2168	cmd.exe	73
PID 2168 wrote to memory of 1648	2168	cmd.exe	73
PID 2168 wrote to memory of 2164	2168	cmd.exe	74
PID 2168 wrote to memory of 2164	2168	cmd.exe	74
PID 2168 wrote to memory of 2164	2168	cmd.exe	74
PID 2164 wrote to memory of 2888	2164	Idle.exe	75
PID 2164 wrote to memory of 2888	2164	Idle.exe	75
PID 2164 wrote to memory of 2888	2164	Idle.exe	75
PID 2888 wrote to memory of 2492	2888	cmd.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4c515d3dbf9ecaffb9159c3b8ad6915f8fa0c293dfa524008848b9dd2cb9565e.exe
"C:\Users\Admin\AppData\Local\Temp\4c515d3dbf9ecaffb9159c3b8ad6915f8fa0c293dfa524008848b9dd2cb9565e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\it-IT\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\de-DE\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:700
    - - C:\Windows\addins\Idle.exe
        
        "C:\Windows\addins\Idle.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1060
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Xnyek1SZun.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2904
        
        C:\Windows\addins\Idle.exe
        
        "C:\Windows\addins\Idle.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2260
        
        C:\Windows\addins\Idle.exe
        
        "C:\Windows\addins\Idle.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1648
        
        C:\Windows\addins\Idle.exe
        
        "C:\Windows\addins\Idle.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2492
        
        C:\Windows\addins\Idle.exe
        
        "C:\Windows\addins\Idle.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\18eSMsDQCm.bat"
        14⤵
        
        PID:3016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2724
        
        C:\Windows\addins\Idle.exe
        
        "C:\Windows\addins\Idle.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6xwNL0dL8Y.bat"
        16⤵
        
        PID:908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2024
        
        C:\Windows\addins\Idle.exe
        
        "C:\Windows\addins\Idle.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\blOcFVMglb.bat"
        18⤵
        
        PID:740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2960
        
        C:\Windows\addins\Idle.exe
        
        "C:\Windows\addins\Idle.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zfOrxS71E3.bat"
        20⤵
        
        PID:1960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2700
        
        C:\Windows\addins\Idle.exe
        
        "C:\Windows\addins\Idle.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\d8IMWcflW5.bat"
        22⤵
        
        PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\it-IT\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\inf\de-DE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\inf\de-DE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\inf\de-DE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\addins\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ea0b6b9c62f04877010a513910cbd44

SHA1
c5bd48d8b7b7c5a5f5a086d8d79451d210fe768d

SHA256
dbb0e8e6fbdf647cc97e852d89eb4831be851b44021d99bd8c8c9a84ac3279df

SHA512
e11076ec9ab4e83c6a566c9b459b5d60dcbd34d927f0848764bd250f9caef379558283e03447289ce5ed55e3f3a0c865fbc37536d436d70d562d216da0f8ac1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76abaf0ed043ec3900b8565eca48f654

SHA1
38afb0b183c632bf5e5e28e427ddcab48be5d94d

SHA256
793d460c075056b7f20dd590f001b19c583acb1e416c13336e93c2c3eb0b5d39

SHA512
a980bf9160777f0b84a145e578a934f8706a39f004ad1759f5d658e086617e88464d5302ce8d1888a5d1273814af2fd2cbf40433dc8101efbdfb6d6994290dd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eac5fc88adc5b08caa470431569a21ae

SHA1
1ad183bc06840935b0c97ad5cb41047e91646c27

SHA256
c523b37ead4b64b0932dad3ecdf9e2915ae25eebcd106a650b0072da4dce38f8

SHA512
3c7340e1b0202d0a279fd5b1fe077a015069fd52bbec2924aaf2ba0b7ecfea5be80d9ed6d7246ac1f5701a8d203951de6635cf8853faed4099a2f689da625c21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b25a962b82df4f98f657b09f389f19d3

SHA1
deecfa890aaa6770fd03709ea393c7bcf02bf71f

SHA256
1871a8e53836916302d755f34418be58a04f488eafb0e608512e338ad5e7a2c9

SHA512
bd32a7255b43bc569c858cf0a14a922965264374352a5443be77d1b25f3d6ac3bf8266adde1878b35bde17b652954f9db7b6c91e4c39cf41d4cefbd65740075a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
541ccc943d4744801e21c0a85482aabf

SHA1
4afbbe93e992ab50c315011519223b64db4b3ed9

SHA256
5dd24ba5ebeb648d2639f77395f72c6163db484fda3b74d7065a3fa3ce8b4d0e

SHA512
90c5353ac0c78190e33092cc9e431367f2b5b5c47b487d70400cc88fde8a7b69df3f0c6b669f8b002c18626b92888f54a11ef3294ccd0885aacb5ad3ffd1d239

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
280ada96827fe9ea8e74e92d4b2e2cd8

SHA1
8886548b2432e601524d69364576a0df845ced73

SHA256
55783b15ee51b6aeb599399086ad00ff7f184fe76083af37b8a3bb11301bfa63

SHA512
4bf11f58ca81455012ede4ae7c1084bddb33622d360a7b5bfbd540e4fb820c3b271cfd431e09e6b720a9f0c022449275986060401ea87a7000a2323986433a86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85c2fc92423d0e1523a9a9b7d9ee8c4e

SHA1
a8539bef7650a35bede0e7d35a1b7671681a5444

SHA256
f75cf0ce7ec139acc6cb2903bae244f3d6e866245cf18c66409ce54741189691

SHA512
cca2fd42b17ddccaf739f2665551c7b2565b04514f7e0de8f40429512e4c205176c36378017af60023a72bca3c3cd295f51f7d4d59f004a814dfd411097edfcc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
117e70ecd3810d1c7519358d819975bc

SHA1
761899a06ec829cb58522098f97ae639ffd19eac

SHA256
b9a9d5939fc6bab4ae9b2de2826a5847ac03ba25a793412c2874324a894147ed

SHA512
db544425da167d57eb8eb6d6a91e94b059a8e8f4ea6b0d248c49852300c423cdf8a44f0012965f0284c6463f00fbd5213ef1a1e4e46faa828f1e93c6abfd0897

Download Submit
C:\Users\Admin\AppData\Local\Temp\18eSMsDQCm.bat

Filesize
191B

MD5
8fc1df7f9e085da86a59127b09e649f1

SHA1
c810c09c55f24dc5cf4f6afbd5f0595814cb696d

SHA256
0a164943f4d20c64d3ce116bc2369080d47dcc7f2edf3253eb7089dd85045f47

SHA512
9a6676d19b34868f3fe3a7b3fc990aaf6091daa609ddb43701f953ef7b6453cbf12d39c159d521e7957d1aa5a474a5a9351bda7fd6a2c26d4a3d257456064415

Download Submit
C:\Users\Admin\AppData\Local\Temp\6xwNL0dL8Y.bat

Filesize
191B

MD5
d920c467f644f4ebcd5bfb9a57145ce4

SHA1
b394a3c4837fd32011e1289b05c375a5f79279a5

SHA256
d64a7f65b76c399aee99473c35917963fe42f0d6708f1fdbbf879f91876e4d1b

SHA512
b4f428583165b6a4d6b0d354034f1f57def16c72c62afe3d45737c9984a4e70b39c5631398d93a3d193c029f557f38839417eb1553ff45aa175d8064644a39f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9926.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat

Filesize
191B

MD5
2a5fac2a86cfc9f8f9d5ce3473bbb56a

SHA1
2a498088a255a9eb674504702cf9510a6d103845

SHA256
30dd069137bd470a8fe1962471b9cf7fd571d614120d9eceb3e625d607b92619

SHA512
93e82648d8be7892b8383eeb375873c71f32588480e463cd622ad3798f31623788c4fbd394eaa58d35ea419bad9d532eefd70d20c671fca9eab2a630dae2dc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat

Filesize
191B

MD5
5a8d0d1b99d3ea459994c2528ef7d416

SHA1
03e00308d81d133648540a58cac22efc23df38be

SHA256
f38a7173a4cc1a5be510380136aa8edb84281e6e8d0a59274f563104e5caf980

SHA512
b36ed975b215e88d1a9402e9188b78f7f3784e341aaad99ae56027c82a5ffa4cb00e996721ea172ef8d434d98dfde21309d649d11f7fc79af031bac3e7b10692

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9948.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xnyek1SZun.bat

Filesize
191B

MD5
a463b17541c868ef72db9e97c967b3d9

SHA1
4b6483f388bebabe15e62aa8c9e84d38b3ad9e18

SHA256
60605efc6d7332953133de49c66e0866421319ee392810543e47f7822b34da55

SHA512
77abf69a408c51822944b765ffa57608ea1cc676c37ee50ce76a2ab3ebd4cd2c16f47e93021ab49acbb40543103415feaf963d4a91108c87df52360d7b55a220

Download Submit
C:\Users\Admin\AppData\Local\Temp\blOcFVMglb.bat

Filesize
191B

MD5
2d94c719f0d3264cbce35c57701ee7b7

SHA1
ebba4a8f442183b2faa7bc5cfcacf688b8074fdd

SHA256
d3022b77b55ef49b5934a7083e813e6cea3011a3b9817370a80b90410b95cb31

SHA512
c1fe038da45ecaedad779992b08cd6bd88dfcebb0697142ecc93d899ead7883ab876592aedc1dafd5d657f00146068f0756f3ccc9a1f7bb994d5a089ee3cfd8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat

Filesize
191B

MD5
8d4bf224c14befbe233f7a1c045f536c

SHA1
2f99da43b929ace574325e6eeeb69cb5cc01171e

SHA256
ce028d820ddf1db65a5d5834fa931dd1c1a13885a105ea1f15f82bb57e402758

SHA512
42aec384ee8ababb08c16fe643268e3f423d2309a0b234a313b6ad836aed6044bd5074c68971bdd1200cf2b06f6f8bb741bd27c414e63ef2ffd67164cf9ec8f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zfOrxS71E3.bat

Filesize
191B

MD5
c1d2d8d6cb8fa558448323b529de7307

SHA1
88f3d64250752c9ab735b4c4827907e2741d40ea

SHA256
0add4fff2d91adac3bc79ecfe7ff85e3c672e21a5ae80c38fbfd6f08aaf8c5a2

SHA512
d3f682153deb598614dd39fb6de360fb8f06c03ede1482cea30b8b920e71ecf4a1690f6f1ec35e1a0d4a3a21260c13db9af8c71e87003da37e04c99d85bb56f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
38a799ebf40470311f3803ea0f497acc

SHA1
14204c0f60508efdeb481de3b8e35f9ce1dac0aa

SHA256
b28548cb5cf9e5ddc33a4c3dc26fd6c546f6498d5fbb81d8b2c1eb307a12aa83

SHA512
000433f44a05b90657becead9e2834a110030059a3a838af3cb0a376a4c9076a6d7e4afae8dbe6c2d5150a1ad58dc8f09902fd0fc22b343a2bf51ecc5baed018

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/700-48-0x000000001B3C0000-0x000000001B6A2000-memory.dmp

Filesize
2.9MB

Download
memory/700-53-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/920-185-0x0000000000C10000-0x0000000000D20000-memory.dmp

Filesize
1.1MB

Download
memory/1060-305-0x0000000000B70000-0x0000000000C80000-memory.dmp

Filesize
1.1MB

Download
memory/1060-60-0x00000000003E0000-0x00000000004F0000-memory.dmp

Filesize
1.1MB

Download
memory/2164-245-0x0000000000190000-0x00000000002A0000-memory.dmp

Filesize
1.1MB

Download
memory/2688-424-0x0000000000120000-0x0000000000230000-memory.dmp

Filesize
1.1MB

Download
memory/2692-17-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2692-16-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2692-15-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2692-14-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2692-13-0x0000000000330000-0x0000000000440000-memory.dmp

Filesize
1.1MB

Download
memory/2840-125-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/2840-124-0x0000000000340000-0x0000000000450000-memory.dmp

Filesize
1.1MB

Download
memory/2968-484-0x0000000000EB0000-0x0000000000FC0000-memory.dmp

Filesize
1.1MB

Download