dcrat | 9e2df30523a2f0c15ba006bf150c68f0a05b8e4ced2f43ddd290497729a678e1

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08-01-2025 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e2df30523a2f0c15ba006bf150c68f0a05b8e4ced2f43ddd290497729a678e1N.exe
Size

1.3MB
MD5

ec4f34cea86ce61c46ffac823672e450
SHA1

1229848b8f4aca65f70e0cfc43c070471c477c95
SHA256

9e2df30523a2f0c15ba006bf150c68f0a05b8e4ced2f43ddd290497729a678e1
SHA512

96d452f3616f1e367018fb352510cefee2ce5af9549f1c85c910cf897d0794d82a02acba89882ddfbb03c29256c9206dfc9c8f43a4c7a3c75566271cebc145a4
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2656	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2656	schtasks.exe	35

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000019219-9.dat	dcrat
behavioral1/memory/2408-13-0x0000000001050000-0x0000000001160000-memory.dmp	dcrat
behavioral1/memory/2628-84-0x00000000002B0000-0x00000000003C0000-memory.dmp	dcrat
behavioral1/memory/736-143-0x0000000000BB0000-0x0000000000CC0000-memory.dmp	dcrat
behavioral1/memory/3016-203-0x00000000000A0000-0x00000000001B0000-memory.dmp	dcrat
behavioral1/memory/2696-263-0x0000000001130000-0x0000000001240000-memory.dmp	dcrat
behavioral1/memory/2892-382-0x00000000011A0000-0x00000000012B0000-memory.dmp	dcrat
behavioral1/memory/2012-442-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3020	powershell.exe
2728	powershell.exe
1864	powershell.exe
2136	powershell.exe
576	powershell.exe
1396	powershell.exe
2080	powershell.exe
1592	powershell.exe
2448	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
2408	DllCommonsvc.exe
2628	conhost.exe
736	conhost.exe
3016	conhost.exe
2696	conhost.exe
2904	conhost.exe
2892	conhost.exe
2012	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1924	cmd.exe
1924	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sv-SE\lsm.exe	DllCommonsvc.exe
File created	C:\Windows\SysWOW64\sv-SE\101b941d020240	DllCommonsvc.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\conhost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\24dbde2999530e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e2df30523a2f0c15ba006bf150c68f0a05b8e4ced2f43ddd290497729a678e1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2784	schtasks.exe
1136	schtasks.exe
2856	schtasks.exe
2892	schtasks.exe
2404	schtasks.exe
1488	schtasks.exe
2436	schtasks.exe
2712	schtasks.exe
2888	schtasks.exe
3028	schtasks.exe
2600	schtasks.exe
1952	schtasks.exe
2588	schtasks.exe
1568	schtasks.exe
1264	schtasks.exe
1988	schtasks.exe
2880	schtasks.exe
1400	schtasks.exe
1920	schtasks.exe
2608	schtasks.exe
2568	schtasks.exe
2720	schtasks.exe
2612	schtasks.exe
1380	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2408	DllCommonsvc.exe
1864	powershell.exe
2136	powershell.exe
2448	powershell.exe
2728	powershell.exe
1396	powershell.exe
3020	powershell.exe
576	powershell.exe
1592	powershell.exe
2080	powershell.exe
2628	conhost.exe
736	conhost.exe
3016	conhost.exe
2696	conhost.exe
2904	conhost.exe
2892	conhost.exe
2012	conhost.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	DllCommonsvc.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	2628	conhost.exe
Token: SeDebugPrivilege	736	conhost.exe
Token: SeDebugPrivilege	3016	conhost.exe
Token: SeDebugPrivilege	2696	conhost.exe
Token: SeDebugPrivilege	2904	conhost.exe
Token: SeDebugPrivilege	2892	conhost.exe
Token: SeDebugPrivilege	2012	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 1800	3048	9e2df30523a2f0c15ba006bf150c68f0a05b8e4ced2f43ddd290497729a678e1N.exe	30
PID 3048 wrote to memory of 1800	3048	9e2df30523a2f0c15ba006bf150c68f0a05b8e4ced2f43ddd290497729a678e1N.exe	30
PID 3048 wrote to memory of 1800	3048	9e2df30523a2f0c15ba006bf150c68f0a05b8e4ced2f43ddd290497729a678e1N.exe	30
PID 3048 wrote to memory of 1800	3048	9e2df30523a2f0c15ba006bf150c68f0a05b8e4ced2f43ddd290497729a678e1N.exe	30
PID 1800 wrote to memory of 1924	1800	WScript.exe	32
PID 1800 wrote to memory of 1924	1800	WScript.exe	32
PID 1800 wrote to memory of 1924	1800	WScript.exe	32
PID 1800 wrote to memory of 1924	1800	WScript.exe	32
PID 1924 wrote to memory of 2408	1924	cmd.exe	34
PID 1924 wrote to memory of 2408	1924	cmd.exe	34
PID 1924 wrote to memory of 2408	1924	cmd.exe	34
PID 1924 wrote to memory of 2408	1924	cmd.exe	34
PID 2408 wrote to memory of 2136	2408	DllCommonsvc.exe	60
PID 2408 wrote to memory of 2136	2408	DllCommonsvc.exe	60
PID 2408 wrote to memory of 2136	2408	DllCommonsvc.exe	60
PID 2408 wrote to memory of 2448	2408	DllCommonsvc.exe	61
PID 2408 wrote to memory of 2448	2408	DllCommonsvc.exe	61
PID 2408 wrote to memory of 2448	2408	DllCommonsvc.exe	61
PID 2408 wrote to memory of 576	2408	DllCommonsvc.exe	62
PID 2408 wrote to memory of 576	2408	DllCommonsvc.exe	62
PID 2408 wrote to memory of 576	2408	DllCommonsvc.exe	62
PID 2408 wrote to memory of 3020	2408	DllCommonsvc.exe	63
PID 2408 wrote to memory of 3020	2408	DllCommonsvc.exe	63
PID 2408 wrote to memory of 3020	2408	DllCommonsvc.exe	63
PID 2408 wrote to memory of 2728	2408	DllCommonsvc.exe	64
PID 2408 wrote to memory of 2728	2408	DllCommonsvc.exe	64
PID 2408 wrote to memory of 2728	2408	DllCommonsvc.exe	64
PID 2408 wrote to memory of 1396	2408	DllCommonsvc.exe	65
PID 2408 wrote to memory of 1396	2408	DllCommonsvc.exe	65
PID 2408 wrote to memory of 1396	2408	DllCommonsvc.exe	65
PID 2408 wrote to memory of 2080	2408	DllCommonsvc.exe	66
PID 2408 wrote to memory of 2080	2408	DllCommonsvc.exe	66
PID 2408 wrote to memory of 2080	2408	DllCommonsvc.exe	66
PID 2408 wrote to memory of 1592	2408	DllCommonsvc.exe	67
PID 2408 wrote to memory of 1592	2408	DllCommonsvc.exe	67
PID 2408 wrote to memory of 1592	2408	DllCommonsvc.exe	67
PID 2408 wrote to memory of 1864	2408	DllCommonsvc.exe	68
PID 2408 wrote to memory of 1864	2408	DllCommonsvc.exe	68
PID 2408 wrote to memory of 1864	2408	DllCommonsvc.exe	68
PID 2408 wrote to memory of 1520	2408	DllCommonsvc.exe	78
PID 2408 wrote to memory of 1520	2408	DllCommonsvc.exe	78
PID 2408 wrote to memory of 1520	2408	DllCommonsvc.exe	78
PID 1520 wrote to memory of 2632	1520	cmd.exe	80
PID 1520 wrote to memory of 2632	1520	cmd.exe	80
PID 1520 wrote to memory of 2632	1520	cmd.exe	80
PID 1520 wrote to memory of 2628	1520	cmd.exe	81
PID 1520 wrote to memory of 2628	1520	cmd.exe	81
PID 1520 wrote to memory of 2628	1520	cmd.exe	81
PID 2628 wrote to memory of 1380	2628	conhost.exe	82
PID 2628 wrote to memory of 1380	2628	conhost.exe	82
PID 2628 wrote to memory of 1380	2628	conhost.exe	82
PID 1380 wrote to memory of 2748	1380	cmd.exe	84
PID 1380 wrote to memory of 2748	1380	cmd.exe	84
PID 1380 wrote to memory of 2748	1380	cmd.exe	84
PID 1380 wrote to memory of 736	1380	cmd.exe	85
PID 1380 wrote to memory of 736	1380	cmd.exe	85
PID 1380 wrote to memory of 736	1380	cmd.exe	85
PID 736 wrote to memory of 2420	736	conhost.exe	86
PID 736 wrote to memory of 2420	736	conhost.exe	86
PID 736 wrote to memory of 2420	736	conhost.exe	86
PID 2420 wrote to memory of 3028	2420	cmd.exe	88
PID 2420 wrote to memory of 3028	2420	cmd.exe	88
PID 2420 wrote to memory of 3028	2420	cmd.exe	88
PID 2420 wrote to memory of 3016	2420	cmd.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9e2df30523a2f0c15ba006bf150c68f0a05b8e4ced2f43ddd290497729a678e1N.exe
"C:\Users\Admin\AppData\Local\Temp\9e2df30523a2f0c15ba006bf150c68f0a05b8e4ced2f43ddd290497729a678e1N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\sv-SE\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Recorded TV\Sample Media\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\My Documents\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IOZcvMZhO6.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1520
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2632
      - C:\Program Files (x86)\Microsoft Visual Studio 8\conhost.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\conhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V3SaMhi525.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2748
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\conhost.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\conhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3028
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\conhost.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\conhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YUw1O57cI2.bat"
        11⤵
        
        PID:2012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1632
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\conhost.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\conhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RBIFf9IaIr.bat"
        13⤵
        
        PID:1656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2756
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\conhost.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\conhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat"
        15⤵
        
        PID:1556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:884
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\conhost.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\conhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wxi7FenmH.bat"
        17⤵
        
        PID:2364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2336
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\conhost.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\conhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\SysWOW64\sv-SE\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\SysWOW64\sv-SE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\SysWOW64\sv-SE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Recorded TV\Sample Media\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Recorded TV\Sample Media\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\My Documents\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\My Documents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\My Documents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbd6a170279bbeb54c88267c8f10f15d

SHA1
ece721eef95f3ba3797d9761d51520eae8a5fa66

SHA256
17222637a2bb45068af758a4e49d58b9b6510fd564037ce3a26b69505a341888

SHA512
530ed0809c52c1f020a85af2308fe35aed04df4b6c233436d4a12a06da2f2c8f7866750c2794430e720de4ff1a37ef25c746591244fdbbc7bc0e70b90d9a4c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
faa82db531fea6ac07e345478c211b62

SHA1
ab4fef526afe68ffa05d04b04b69e14721796191

SHA256
420a0ab8603fad55e61324a9a65cd2d536e5b3ffac6517538ed1a8f24f32bb30

SHA512
48adf3b99dd274902423c15e9353909a96df32b4b446b001d62c190bbddb8eb2cfaff5cb0c6688f9455ff052ca6c92f4f92e66426bd30118ba9c308eb06e1320

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec48ac279bcc67f110dc3fe9f5bc6f39

SHA1
e47bd9fc65ddc3d039fd4885ffd03fdda69215d5

SHA256
4fb62c99f10cf4cfb52c2354f370dd0ba4866392a7fc0126e17967c784ef56b2

SHA512
02a78ef1a08a06476d63a9ce9a19c0a0caeed9d5ca8918b9753de297cf152b34379f20bf2c8c840ee10eef81b4197c948503920970ccc055123bd4941039b982

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
50b9a76516ab9286faaeed2d7ee719a4

SHA1
88ed3a5982a05cf599c3a7ffe7682d46011f06a4

SHA256
e2736b58eed1390bdb8d72c41eb5068702822a93788bb0674c4eca1b3599b804

SHA512
d819a745e0124daed2739ddb159b76c498a38a11c9e7579967c0e2f348b2a0d8a5778005b21339c14df5184e8008663f748b5320ee9aae414d85834661555ea7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
666ebe598b04ed8291c60c1a9ffec8ff

SHA1
d009b0fd61b020f91f2f8099a4a5d5a2d1d9b927

SHA256
cac34832e55251d5a381e045128921a0ebdd76cbb3ffafdca067488ae630ce5e

SHA512
7e0600fb00eaf89ca4c884629c80ecf42bd6b53b1e68f906b38b7a76e6eeb164d28d56c08f22bb4f60ba3dfc614c60b67c5a25d107a1311300ee096efd7f87d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62d39d79fa53a94665b47537545ef163

SHA1
8551792a42acb91189e84d96bb4e5c38d0a5402f

SHA256
bd65aeaf72c59372ce13222a28f95c7185d42845689cd6c150924458f912f3b8

SHA512
42a8a0e58bb171a58e8c051a0636ecc1fdca0d719b97688d9ae5a57cda41bbd7a77b046134179c7896892f09c5c7c9852729b547c6e6ebe37d520c9fdd7252ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\2wxi7FenmH.bat

Filesize
225B

MD5
f590d01dc04fee91b6d3dbcc09c59211

SHA1
d973f302fe02a972c1f50639ec7defd1e2de3f13

SHA256
52f6d610a9cf91357b18b8c92b83dd7128e31f9f18599ce651627517d9754944

SHA512
22ff6dd4bd39a96ad6b02f0a34ed06fe9d2e8bd9559a0194050104ff13b1c5887414e9e4472e32c02a32f43a4b68a91c2153e317e535bf24a3d1eb114f457e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab16AE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IOZcvMZhO6.bat

Filesize
225B

MD5
f8887ec36d1a516f7159ee1d865800cd

SHA1
f8e15ec1e13b77949df18ea86c4b09510222fe28

SHA256
57f04670624bb92cc5ddaa248f6eedf1ae2151fa61affdab048f36810176e2a5

SHA512
c827ed232b211b59cc0a61ac2a1aad89b2f97ab7ab218b522dbf2195ee69dca3a379cd15e7484bc598d4bd39fcb4dc10294fd6488d4e84626114a58e6214bbfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBIFf9IaIr.bat

Filesize
225B

MD5
38d77016fa127c7dff2c1a91145c83d3

SHA1
57b23d912e5af5ed7d04d288efbd899afdb37d51

SHA256
0c29d47fa17cf8b76d2f0c16049e4f0bf5ce251d09653cd1168fd2d2fcf9520b

SHA512
07e09678036d752f96d65f618fb466b91c96762b81afc981a1177916b34d9acb75fc28bce30ffb4860c2e3088b3c6b13ccb868bf8523af81a69420017ef61f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar16D0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\V3SaMhi525.bat

Filesize
225B

MD5
633f50a634795a3104f46ddd4d6f7f23

SHA1
01dca47f173d50551b916d5e7aeab50ecfaca959

SHA256
1000b201b8e1cdf99f7c11c14588f762491ef933dabceb70e783389ec6853641

SHA512
98ca2fbfd6b56549645d66b9c1e3437f5dc94643b1d257b228d8b5536b96fe19b42d26ee5c84ef00855cac661400e5c8ec29808465c8a50ecca354db55a3b81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUw1O57cI2.bat

Filesize
225B

MD5
1bfac2afc03feaf2c7131961df485801

SHA1
099436a41adb5db7675a6d67bb7f27b883e765a6

SHA256
3759fa31079c53f914a6a5feddf6ae0a3c8269afa5556532c11f859f698199d5

SHA512
a910d4a3a554f8df7fe9477a00a1b2f6d741b0241c2b8366270ce897b61b6ca048392f563e4ce2b37d1f7a235d3b459900ee61dfb1d97a530a7fe63175036aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat

Filesize
225B

MD5
5e35acc256c6196915f763c849ee6ed2

SHA1
b5642f26689ec1ac0618b92fe2096e2c85fc3f12

SHA256
cbe8456152c6645d3a3c165c798e798469b3c28243b892bfd2e1b1efdaa27fd3

SHA512
564eca6f12cc69ee8414a8fc56ec66aba76150cf65b9c823e766a2ae08ca8c62d7943cd3316ba6aaf79e47be3f501a3e40847b7270ac5aa6888e79ed08b2e8f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat

Filesize
225B

MD5
0395018be8773bbb7bd00fcc9de23a9d

SHA1
cfeefc9868bdf2f3ef231f3631dfae1d0d49764c

SHA256
6711f3699412ea93d1b6f09a062761f8589e9bfe7f59454e07cd386c750588b5

SHA512
daaa233c7d67c7e22458bcb504f0724db070eb4bbb92b150bf68da912489db983edc38baa5afa5dcd740c2ee17e880361a5754e0328fcbd664b3ea139479386e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b0f77ddd8cf5f2fe3f4bcfabf6f6e982

SHA1
e68ce73b1cd1a52530fdc8e6bf0d89354e33fed0

SHA256
f4c4f62ca3e4fe83b7a5491ff37b20e96934a9b941997c657c47b59a41241ba9

SHA512
32cffb1232eecac80d61d28497b48b97bafe29c0d052cd2ff3708efac5979cc4a6dc95a9b7e5a2509afdeafd6544bbc18da909b40932243d5bfa6a43c435c37b

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/736-143-0x0000000000BB0000-0x0000000000CC0000-memory.dmp

Filesize
1.1MB

Download
memory/1864-67-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/1864-70-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2012-442-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download
memory/2408-16-0x0000000000650000-0x000000000065C000-memory.dmp

Filesize
48KB

Download
memory/2408-17-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/2408-15-0x0000000000640000-0x000000000064C000-memory.dmp

Filesize
48KB

Download
memory/2408-14-0x0000000000630000-0x0000000000642000-memory.dmp

Filesize
72KB

Download
memory/2408-13-0x0000000001050000-0x0000000001160000-memory.dmp

Filesize
1.1MB

Download
memory/2628-84-0x00000000002B0000-0x00000000003C0000-memory.dmp

Filesize
1.1MB

Download
memory/2696-263-0x0000000001130000-0x0000000001240000-memory.dmp

Filesize
1.1MB

Download
memory/2892-382-0x00000000011A0000-0x00000000012B0000-memory.dmp

Filesize
1.1MB

Download
memory/3016-203-0x00000000000A0000-0x00000000001B0000-memory.dmp

Filesize
1.1MB

Download