dcrat | c355f38ee63673e3fa88f735bb3665cce31d960484b62d4fb592a692091d7e63

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c355f38ee63673e3fa88f735bb3665cce31d960484b62d4fb592a692091d7e63.exe
Size

1.3MB
MD5

c404461ae893f2b2204ffa1172f71fb3
SHA1

356dd751dfe6c80ddd5da67b3edce71add99ccff
SHA256

c355f38ee63673e3fa88f735bb3665cce31d960484b62d4fb592a692091d7e63
SHA512

272380f5630526cf41be8eb24a565575a7612b2f78a54e64913325e29cda71131b6940d9653c864929199ffe23c85c5d75326d90b933368dcfee96ba5594b6f6
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	2988	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	2988	schtasks.exe	35

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016650-12.dat	dcrat
behavioral1/memory/2860-13-0x0000000000A30000-0x0000000000B40000-memory.dmp	dcrat
behavioral1/memory/1292-39-0x0000000000080000-0x0000000000190000-memory.dmp	dcrat
behavioral1/memory/2124-110-0x00000000011A0000-0x00000000012B0000-memory.dmp	dcrat
behavioral1/memory/2060-407-0x00000000001F0000-0x0000000000300000-memory.dmp	dcrat
behavioral1/memory/580-467-0x0000000000920000-0x0000000000A30000-memory.dmp	dcrat
behavioral1/memory/864-527-0x0000000000CE0000-0x0000000000DF0000-memory.dmp	dcrat
behavioral1/memory/808-587-0x00000000010C0000-0x00000000011D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2008	powershell.exe
1412	powershell.exe
1832	powershell.exe
1888	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2860	DllCommonsvc.exe
1292	winlogon.exe
2124	winlogon.exe
1280	winlogon.exe
1832	winlogon.exe
2200	winlogon.exe
2964	winlogon.exe
2060	winlogon.exe
580	winlogon.exe
864	winlogon.exe
808	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
2540	cmd.exe
2540	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
36	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IME\IMESC5\applets\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\SysWOW64\IME\IMESC5\applets\088424020bedd6	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c355f38ee63673e3fa88f735bb3665cce31d960484b62d4fb592a692091d7e63.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2728	schtasks.exe
2420	schtasks.exe
2760	schtasks.exe
2432	schtasks.exe
1116	schtasks.exe
2724	schtasks.exe
2772	schtasks.exe
2428	schtasks.exe
376	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2860	DllCommonsvc.exe
1412	powershell.exe
1832	powershell.exe
1888	powershell.exe
2008	powershell.exe
1292	winlogon.exe
2124	winlogon.exe
1280	winlogon.exe
1832	winlogon.exe
2200	winlogon.exe
2964	winlogon.exe
2060	winlogon.exe
580	winlogon.exe
864	winlogon.exe
808	winlogon.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	DllCommonsvc.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	1292	winlogon.exe
Token: SeDebugPrivilege	2124	winlogon.exe
Token: SeDebugPrivilege	1280	winlogon.exe
Token: SeDebugPrivilege	1832	winlogon.exe
Token: SeDebugPrivilege	2200	winlogon.exe
Token: SeDebugPrivilege	2964	winlogon.exe
Token: SeDebugPrivilege	2060	winlogon.exe
Token: SeDebugPrivilege	580	winlogon.exe
Token: SeDebugPrivilege	864	winlogon.exe
Token: SeDebugPrivilege	808	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 1940	2392	c355f38ee63673e3fa88f735bb3665cce31d960484b62d4fb592a692091d7e63.exe	31
PID 2392 wrote to memory of 1940	2392	c355f38ee63673e3fa88f735bb3665cce31d960484b62d4fb592a692091d7e63.exe	31
PID 2392 wrote to memory of 1940	2392	c355f38ee63673e3fa88f735bb3665cce31d960484b62d4fb592a692091d7e63.exe	31
PID 2392 wrote to memory of 1940	2392	c355f38ee63673e3fa88f735bb3665cce31d960484b62d4fb592a692091d7e63.exe	31
PID 1940 wrote to memory of 2540	1940	WScript.exe	32
PID 1940 wrote to memory of 2540	1940	WScript.exe	32
PID 1940 wrote to memory of 2540	1940	WScript.exe	32
PID 1940 wrote to memory of 2540	1940	WScript.exe	32
PID 2540 wrote to memory of 2860	2540	cmd.exe	34
PID 2540 wrote to memory of 2860	2540	cmd.exe	34
PID 2540 wrote to memory of 2860	2540	cmd.exe	34
PID 2540 wrote to memory of 2860	2540	cmd.exe	34
PID 2860 wrote to memory of 1888	2860	DllCommonsvc.exe	45
PID 2860 wrote to memory of 1888	2860	DllCommonsvc.exe	45
PID 2860 wrote to memory of 1888	2860	DllCommonsvc.exe	45
PID 2860 wrote to memory of 2008	2860	DllCommonsvc.exe	46
PID 2860 wrote to memory of 2008	2860	DllCommonsvc.exe	46
PID 2860 wrote to memory of 2008	2860	DllCommonsvc.exe	46
PID 2860 wrote to memory of 1832	2860	DllCommonsvc.exe	47
PID 2860 wrote to memory of 1832	2860	DllCommonsvc.exe	47
PID 2860 wrote to memory of 1832	2860	DllCommonsvc.exe	47
PID 2860 wrote to memory of 1412	2860	DllCommonsvc.exe	48
PID 2860 wrote to memory of 1412	2860	DllCommonsvc.exe	48
PID 2860 wrote to memory of 1412	2860	DllCommonsvc.exe	48
PID 2860 wrote to memory of 1292	2860	DllCommonsvc.exe	53
PID 2860 wrote to memory of 1292	2860	DllCommonsvc.exe	53
PID 2860 wrote to memory of 1292	2860	DllCommonsvc.exe	53
PID 1292 wrote to memory of 2196	1292	winlogon.exe	54
PID 1292 wrote to memory of 2196	1292	winlogon.exe	54
PID 1292 wrote to memory of 2196	1292	winlogon.exe	54
PID 2196 wrote to memory of 2344	2196	cmd.exe	56
PID 2196 wrote to memory of 2344	2196	cmd.exe	56
PID 2196 wrote to memory of 2344	2196	cmd.exe	56
PID 2196 wrote to memory of 2124	2196	cmd.exe	57
PID 2196 wrote to memory of 2124	2196	cmd.exe	57
PID 2196 wrote to memory of 2124	2196	cmd.exe	57
PID 2124 wrote to memory of 2700	2124	winlogon.exe	58
PID 2124 wrote to memory of 2700	2124	winlogon.exe	58
PID 2124 wrote to memory of 2700	2124	winlogon.exe	58
PID 2700 wrote to memory of 536	2700	cmd.exe	60
PID 2700 wrote to memory of 536	2700	cmd.exe	60
PID 2700 wrote to memory of 536	2700	cmd.exe	60
PID 2700 wrote to memory of 1280	2700	cmd.exe	61
PID 2700 wrote to memory of 1280	2700	cmd.exe	61
PID 2700 wrote to memory of 1280	2700	cmd.exe	61
PID 1280 wrote to memory of 1216	1280	winlogon.exe	62
PID 1280 wrote to memory of 1216	1280	winlogon.exe	62
PID 1280 wrote to memory of 1216	1280	winlogon.exe	62
PID 1216 wrote to memory of 860	1216	cmd.exe	64
PID 1216 wrote to memory of 860	1216	cmd.exe	64
PID 1216 wrote to memory of 860	1216	cmd.exe	64
PID 1216 wrote to memory of 1832	1216	cmd.exe	65
PID 1216 wrote to memory of 1832	1216	cmd.exe	65
PID 1216 wrote to memory of 1832	1216	cmd.exe	65
PID 1832 wrote to memory of 912	1832	winlogon.exe	66
PID 1832 wrote to memory of 912	1832	winlogon.exe	66
PID 1832 wrote to memory of 912	1832	winlogon.exe	66
PID 912 wrote to memory of 2512	912	cmd.exe	68
PID 912 wrote to memory of 2512	912	cmd.exe	68
PID 912 wrote to memory of 2512	912	cmd.exe	68
PID 912 wrote to memory of 2200	912	cmd.exe	69
PID 912 wrote to memory of 2200	912	cmd.exe	69
PID 912 wrote to memory of 2200	912	cmd.exe	69
PID 2200 wrote to memory of 2396	2200	winlogon.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c355f38ee63673e3fa88f735bb3665cce31d960484b62d4fb592a692091d7e63.exe
"C:\Users\Admin\AppData\Local\Temp\c355f38ee63673e3fa88f735bb3665cce31d960484b62d4fb592a692091d7e63.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\IME\IMESC5\applets\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1412
    - - C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1292
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2344
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YNa8GmLI5m.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:536
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WVE2eLfZN7.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:860
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7KIMELUbd.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2512
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3dopRv074r.bat"
        14⤵
        
        PID:2396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2916
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ER58NgmlZn.bat"
        16⤵
        
        PID:2144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1756
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat"
        18⤵
        
        PID:1368
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1376
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat"
        20⤵
        
        PID:1536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2100
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pksuDlslcW.bat"
        22⤵
        
        PID:2908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2764
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UJpHfzfs2i.bat"
        24⤵
        
        PID:2492
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\SysWOW64\IME\IMESC5\applets\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\SysWOW64\IME\IMESC5\applets\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\SysWOW64\IME\IMESC5\applets\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e465bae78848a6e4499b64a1d351a704

SHA1
3f837236ccd24eb0d1d4f43cd3f9273e8de1700e

SHA256
07c92ee2e57e8cf5a7d1930892bf80602ba7167a7cdad64c8c39eadc68d74548

SHA512
600fb334b0b2a4213772495ecec8413758fc1c044249b86e919cdb4270800aa50895f1c53fd9f176bc1da9c799d43b3f042faefebd08b6879264345d734c1879

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
886f2f84218e71cd7ed3427fc9258a88

SHA1
2c93c9752a87892ba3c22573bd7fe161e0a464d1

SHA256
a3ece95c0f8402e1f72d1615f6c6454cf38061c72cbad137bace2986cfdb063d

SHA512
32ec35588aa515d93a6530a0d1586f43d53712bf74dd8c05e9ec8c23ce3b7fbdcc7c249ba8e095ebeffa1e046a3ce62ab1844a23fce6a712222e016828abb49d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9126ee9d815679175fda24d0a3669fdd

SHA1
c8715c91f46e3fb8326b14a52b7d4d13e56ddc47

SHA256
8c8471f7161b5491042e1c6e25bc851eeedcab45775b00f1669d6c8cf2b116cd

SHA512
570ffe3fab19e63c97c191d4eba7b0e9ba0410bd2d0f1f5c1927e841c09a009ab0d7571b3c5d322a4ff58e1a38b456a0db1601bc10f260544bb06ca521073faf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3871c30cb4ee215d2fd6b9c12f58bb7d

SHA1
1ca934e0fa29c69fdd9fcb18e4deb1807b5a1aaf

SHA256
49073022d8dd7dae1fa49d35d48254766aa9a28b253c52b5ad734322b2e7a0ec

SHA512
4d6fdcad9da2152e57b290f04773f9205020139e8a197841380f2f46b7e7562e0544671cd36ea438365d04c0ffd49c68454152df6bcd1eb0f8f7454d1b1e1f27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33d3184d3d45960910c685f4b21fd6e7

SHA1
300aadcbd06720276812b1293d83361216eb2afd

SHA256
795a9368d733f82125c40db1079d8a63f91aeff4457ad4ed5e92a0f495a5dfb5

SHA512
3a0331c065d271ddbe7906ba43616e6fb178e888684ed7c1c7e7b0eef62a59ed6c02a8cf6b0124e43b718647e00aa320f9246e75e53625c92f98bdad8dcbcf8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2b4e7a10063718b5964c0727d476fcc

SHA1
89d913bdd6b8d6619cf3128fb376bd8eae717247

SHA256
209959ae268a57e552cff0ee611ff12bba6f3ba6d681128d31f573d6aad299fc

SHA512
c6223f6defea327b1569eb59a1dd815cf690edc75c2efbabee6dd3b8c66d5c1831978d7844dfc0e4ec55fc7f5cbed8a490c84ce5b0e9182f039f8289e2665a40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dcec1565fbc77d68da2b829e8a633e02

SHA1
9c9c3dd9821aef54730d11ff60ec4adbe2d4807e

SHA256
6b0053eb82dd9fca4bf4c7ec8a9794db2e14121028935add6342202ff160628f

SHA512
ed3865bb938458b3f4a4d809b68154665f5d31f535cf26922fe72d6903b346b8762edb01939188c91dca1c02815659649c0b3e5c8a3c91dfbd3b1f5e6908f5d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c610785a56d74a49acf1a5ae6cc9f4f2

SHA1
c7dc7b4a82480db1d2ec207260c94372c9905aeb

SHA256
e47ca3bff4f890ada85d93ba1ba06646fc7b72f42d3fa8d57f663996eed53abc

SHA512
6757a9cf6372ee224dacd437268fe50ce35c739c0389ea38a73dd90a14804f147384800e845577d2af59e07a10dbf284f69bb1003032e003645e96856426bc95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02cadc13e1390215b353cb38f5803c36

SHA1
1def28ce1712cfcd23988724dd5ecc8569f3ec6c

SHA256
a385c252d89e43336ac0a4a415353906070104a389efd4b63bdc9ed128192477

SHA512
325d2fa8b7ef686b64de8e7b993fbbb82adb327a71bd1f8150d3c61ca70734596e021eb34b53e5552d30e8fec2c76c60de59e626c01bbdbcf9fb9a2a1ee91c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3dopRv074r.bat

Filesize
253B

MD5
c08d7394c44091968d3cc3cbd2a97043

SHA1
8ec5bd43d0388a349416dd88b59b99d0957e8364

SHA256
c24c59f8f144c5266ad3ba0ac5ec8adbfa9be9cf1199f066f128064952529d07

SHA512
77d5927af12652edea0e19289778f179dcac1aa7a92bdd2fd022704d69bfd7917b619cc234ebf85999ec7d9d7327beb29f96bb53dc9f422d755ef3332e95284e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab87B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ER58NgmlZn.bat

Filesize
253B

MD5
2b28708ed506811b217c1905434a44b1

SHA1
edbff54658fdaa303a0c08b931ff7e35407cfdfe

SHA256
fca24e731b8b85c9cb22c8f6ab3d22b75424f6fe3c5c7c936965d6ec6a57dcff

SHA512
8204d973710709a0536580d57f5c109e8333c4958ec3108ffc3fc435624ee83e21e8a0684dbdf8c630871e36bd4955238f32ad47b7df1db6d69b8055deddd271

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat

Filesize
253B

MD5
e027e2dca258e8f9a6e48066feb87ae7

SHA1
e867a4d09ec4a6ac6966c46869b2ece2a516c75f

SHA256
cce80d9de1d791c445a518d0588a0f2fc9aa51053870973213d20852e0754dd1

SHA512
f31332fef2412c615e20cacd0f73af51a64f78e67e8ec79c9934f2a70e55ed3d7a54dc22db0a2062bb93fdd92a31aba390ec442d09cafb2733b8337b60dd78ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\T7KIMELUbd.bat

Filesize
253B

MD5
177c565ad53bccb03f0d6c8566544fa9

SHA1
a2d292f85f9997ff46b3d83d88138d8ff664709d

SHA256
e7c35571463fcb3bb22dd43da3b3aa0173fc3d13f25ebfa42896e7ad51c0f4ec

SHA512
11ab6e4ec26cf74cb3bb0ef3c6bba536e2376669ee651d8180e0160ffa772fa2dc5a7b06e7a90dff8811d775016535f4acc04df2f3203789c3d6d64f69cc3fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar89D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UJpHfzfs2i.bat

Filesize
253B

MD5
ff9e5d35301438382df10d3a0ca0760b

SHA1
79aa6fcc8cb56b0a31f7effbd7d95c3daf5a4b80

SHA256
884f480d47ffdfd07e5b262b4ce018ce2e35a2c4d9d89c85f4b0332edf9aa26e

SHA512
fab574e5383a3f50563da6d46b6aabb86fa70ffefcee5480b687efb6baabd629c14a9e5cf45b803bfb9f684c9456a0fef99eea60b6c0a4fa6b6ee60f56059408

Download Submit
C:\Users\Admin\AppData\Local\Temp\WVE2eLfZN7.bat

Filesize
253B

MD5
7dcc136b289547551071611bcb18209e

SHA1
1f9537d61c2c2eb6c6a194a488217396fde1f418

SHA256
51c60ee8e8921922f6054f313d0f0c7133f67a8b1dd862488c6dd9770e1d2d16

SHA512
ceb75c50d0be28a19309c50f7cd773ac117a6fd64317d07d80178d4760df3d6baa6e20c312287d4ce04fc2a9c3af9ee6321bcf382e5f6308ecc6f4af6d073a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YNa8GmLI5m.bat

Filesize
253B

MD5
6257bb940a8fbbc9541fbc3263d31ea6

SHA1
c5b1c9bf870f2dc5f57f8ee8801679a526ca37bf

SHA256
51b63d4bd31f2f5153fa6657992cc41aa777913a44609795c5bd9ccb1b2097cb

SHA512
031f5a4ba122200669758f8dd49cccf15c4d76f754e99af6a0fcb2423277684a946ef4b1abc62680f50df42d50c64ac44fa7b2b0104600d28c7256bc697bf446

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat

Filesize
253B

MD5
bf764b0d0a1e884331f38c59f31d84d5

SHA1
c038d527ac47e7b94104b666dcbbd3a9a56c5691

SHA256
b461b7fa7a9f811653b2c3b27c25dcdf303e42311e50bd57b1ec369a36255445

SHA512
242ad83c2b5a9c7874af76e345ce6759feb3f846960aed6e4ea263d073afcdd458b8ba88d7e1670d3499263ba1432978f14e8725b7fa0e7969f386366785fd5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pksuDlslcW.bat

Filesize
253B

MD5
d0e490d9d7dfdca0c55e3e1ef65d678b

SHA1
26469773014929727cdb77efa2cfd8f32e01f5d4

SHA256
0d3d80f9b3cbb5d01a192dba9a8622f4b7fefbd1c041d9002b3f641fe846cd6c

SHA512
c14ab42707b9ffa92e6b258c31b43ce6383ad33e0adf9f0ba7d412fb84952d468d863c1db80e2e65c88148ba69077777b79ffc26b5b4ba114d6226345dcb804e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat

Filesize
253B

MD5
087d5c76565a4e72af95e79bb6b3ace9

SHA1
49b174e4e680aee38268cae05bd19f96a0784dfb

SHA256
b139cfb01bc781da9a09958f7362345a04272aad25e2b4fef20d01aa2d32b498

SHA512
fb76cb31bdfab2b948ec4670bda895c29e56d1798c190d24ec1c44161e7e810ffa07a464c71c9393fd8798fa2f366e5327cb82d5e7cc5fd79310dcffbd5a0504

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8111930a8838c6a5fa40c6e0786ec6f0

SHA1
2e2e98f84332f195e7c928185881e9ce151782b9

SHA256
fa1f060a2cdaefcb4385ca93774d6ad0ac24b0c467cb159aa6747ea89d322d92

SHA512
09d8f57b056d5ceef5dbda8bed866f386e0780621ebaed07f29374b591079abdc1d05e1a4e868b93a51f17392cb9624ade39b5090e4561737bea54aab0cc122e

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/580-467-0x0000000000920000-0x0000000000A30000-memory.dmp

Filesize
1.1MB

Download
memory/808-587-0x00000000010C0000-0x00000000011D0000-memory.dmp

Filesize
1.1MB

Download
memory/864-527-0x0000000000CE0000-0x0000000000DF0000-memory.dmp

Filesize
1.1MB

Download
memory/1292-39-0x0000000000080000-0x0000000000190000-memory.dmp

Filesize
1.1MB

Download
memory/1412-41-0x000000001B810000-0x000000001BAF2000-memory.dmp

Filesize
2.9MB

Download
memory/1888-51-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2060-407-0x00000000001F0000-0x0000000000300000-memory.dmp

Filesize
1.1MB

Download
memory/2124-111-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2124-110-0x00000000011A0000-0x00000000012B0000-memory.dmp

Filesize
1.1MB

Download
memory/2860-17-0x00000000006D0000-0x00000000006DC000-memory.dmp

Filesize
48KB

Download
memory/2860-16-0x00000000006C0000-0x00000000006CC000-memory.dmp

Filesize
48KB

Download
memory/2860-15-0x00000000006B0000-0x00000000006BC000-memory.dmp

Filesize
48KB

Download
memory/2860-14-0x00000000006A0000-0x00000000006B2000-memory.dmp

Filesize
72KB

Download
memory/2860-13-0x0000000000A30000-0x0000000000B40000-memory.dmp

Filesize
1.1MB

Download