dcrat | 8bce143f502cb2df010fa386ae477ad86e2ed8b71df801c71c80e26a336d366d

Analysis

max time kernel
148s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8bce143f502cb2df010fa386ae477ad86e2ed8b71df801c71c80e26a336d366d.exe
Size

1.3MB
MD5

48be58c558901d5b8909e9f512140119
SHA1

dea81ade448dca8ab4fe2612a9aa0bfae34042bf
SHA256

8bce143f502cb2df010fa386ae477ad86e2ed8b71df801c71c80e26a336d366d
SHA512

b1a8d93f0671f02b0aa0c4d4cc2fd04e1d66a6cd893cc60ec3f65a404007cedbf139658dee0ca0a05020b39363a8bcb46ca165289551fb3d9a6e568fd4473aed
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	532	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	532	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	532	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	532	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	532	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	532	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	532	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	532	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	532	schtasks.exe	34

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016ce1-12.dat	dcrat
behavioral1/memory/2944-13-0x0000000000B10000-0x0000000000C20000-memory.dmp	dcrat
behavioral1/memory/936-39-0x00000000002A0000-0x00000000003B0000-memory.dmp	dcrat
behavioral1/memory/1936-110-0x0000000000F10000-0x0000000001020000-memory.dmp	dcrat
behavioral1/memory/1904-170-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/796-230-0x00000000008A0000-0x00000000009B0000-memory.dmp	dcrat
behavioral1/memory/1068-290-0x0000000001070000-0x0000000001180000-memory.dmp	dcrat
behavioral1/memory/1904-410-0x0000000000030000-0x0000000000140000-memory.dmp	dcrat
behavioral1/memory/2548-471-0x0000000000280000-0x0000000000390000-memory.dmp	dcrat
behavioral1/memory/2700-532-0x0000000000B40000-0x0000000000C50000-memory.dmp	dcrat
behavioral1/memory/1876-592-0x0000000000320000-0x0000000000430000-memory.dmp	dcrat
behavioral1/memory/964-652-0x0000000000C80000-0x0000000000D90000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2856	powershell.exe
2844	powershell.exe
2920	powershell.exe
1812	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2944	DllCommonsvc.exe
936	winlogon.exe
1936	winlogon.exe
1904	winlogon.exe
796	winlogon.exe
1068	winlogon.exe
2504	winlogon.exe
1904	winlogon.exe
2548	winlogon.exe
2700	winlogon.exe
1876	winlogon.exe
964	winlogon.exe
2340	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
840	cmd.exe
840	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
30	raw.githubusercontent.com
41	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com
37	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\winlogon.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Defender\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\csrss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8bce143f502cb2df010fa386ae477ad86e2ed8b71df801c71c80e26a336d366d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2288	schtasks.exe
2908	schtasks.exe
2836	schtasks.exe
2308	schtasks.exe
1108	schtasks.exe
556	schtasks.exe
1580	schtasks.exe
2228	schtasks.exe
376	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2944	DllCommonsvc.exe
2844	powershell.exe
1812	powershell.exe
2920	powershell.exe
2856	powershell.exe
936	winlogon.exe
1936	winlogon.exe
1904	winlogon.exe
796	winlogon.exe
1068	winlogon.exe
2504	winlogon.exe
1904	winlogon.exe
2548	winlogon.exe
2700	winlogon.exe
1876	winlogon.exe
964	winlogon.exe
2340	winlogon.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2944	DllCommonsvc.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	936	winlogon.exe
Token: SeDebugPrivilege	1936	winlogon.exe
Token: SeDebugPrivilege	1904	winlogon.exe
Token: SeDebugPrivilege	796	winlogon.exe
Token: SeDebugPrivilege	1068	winlogon.exe
Token: SeDebugPrivilege	2504	winlogon.exe
Token: SeDebugPrivilege	1904	winlogon.exe
Token: SeDebugPrivilege	2548	winlogon.exe
Token: SeDebugPrivilege	2700	winlogon.exe
Token: SeDebugPrivilege	1876	winlogon.exe
Token: SeDebugPrivilege	964	winlogon.exe
Token: SeDebugPrivilege	2340	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 2864	1448	JaffaCakes118_8bce143f502cb2df010fa386ae477ad86e2ed8b71df801c71c80e26a336d366d.exe	30
PID 1448 wrote to memory of 2864	1448	JaffaCakes118_8bce143f502cb2df010fa386ae477ad86e2ed8b71df801c71c80e26a336d366d.exe	30
PID 1448 wrote to memory of 2864	1448	JaffaCakes118_8bce143f502cb2df010fa386ae477ad86e2ed8b71df801c71c80e26a336d366d.exe	30
PID 1448 wrote to memory of 2864	1448	JaffaCakes118_8bce143f502cb2df010fa386ae477ad86e2ed8b71df801c71c80e26a336d366d.exe	30
PID 2864 wrote to memory of 840	2864	WScript.exe	31
PID 2864 wrote to memory of 840	2864	WScript.exe	31
PID 2864 wrote to memory of 840	2864	WScript.exe	31
PID 2864 wrote to memory of 840	2864	WScript.exe	31
PID 840 wrote to memory of 2944	840	cmd.exe	33
PID 840 wrote to memory of 2944	840	cmd.exe	33
PID 840 wrote to memory of 2944	840	cmd.exe	33
PID 840 wrote to memory of 2944	840	cmd.exe	33
PID 2944 wrote to memory of 2856	2944	DllCommonsvc.exe	44
PID 2944 wrote to memory of 2856	2944	DllCommonsvc.exe	44
PID 2944 wrote to memory of 2856	2944	DllCommonsvc.exe	44
PID 2944 wrote to memory of 2844	2944	DllCommonsvc.exe	45
PID 2944 wrote to memory of 2844	2944	DllCommonsvc.exe	45
PID 2944 wrote to memory of 2844	2944	DllCommonsvc.exe	45
PID 2944 wrote to memory of 2920	2944	DllCommonsvc.exe	46
PID 2944 wrote to memory of 2920	2944	DllCommonsvc.exe	46
PID 2944 wrote to memory of 2920	2944	DllCommonsvc.exe	46
PID 2944 wrote to memory of 1812	2944	DllCommonsvc.exe	47
PID 2944 wrote to memory of 1812	2944	DllCommonsvc.exe	47
PID 2944 wrote to memory of 1812	2944	DllCommonsvc.exe	47
PID 2944 wrote to memory of 936	2944	DllCommonsvc.exe	52
PID 2944 wrote to memory of 936	2944	DllCommonsvc.exe	52
PID 2944 wrote to memory of 936	2944	DllCommonsvc.exe	52
PID 936 wrote to memory of 2220	936	winlogon.exe	53
PID 936 wrote to memory of 2220	936	winlogon.exe	53
PID 936 wrote to memory of 2220	936	winlogon.exe	53
PID 2220 wrote to memory of 2264	2220	cmd.exe	55
PID 2220 wrote to memory of 2264	2220	cmd.exe	55
PID 2220 wrote to memory of 2264	2220	cmd.exe	55
PID 2220 wrote to memory of 1936	2220	cmd.exe	56
PID 2220 wrote to memory of 1936	2220	cmd.exe	56
PID 2220 wrote to memory of 1936	2220	cmd.exe	56
PID 1936 wrote to memory of 2592	1936	winlogon.exe	57
PID 1936 wrote to memory of 2592	1936	winlogon.exe	57
PID 1936 wrote to memory of 2592	1936	winlogon.exe	57
PID 2592 wrote to memory of 2824	2592	cmd.exe	59
PID 2592 wrote to memory of 2824	2592	cmd.exe	59
PID 2592 wrote to memory of 2824	2592	cmd.exe	59
PID 2592 wrote to memory of 1904	2592	cmd.exe	60
PID 2592 wrote to memory of 1904	2592	cmd.exe	60
PID 2592 wrote to memory of 1904	2592	cmd.exe	60
PID 1904 wrote to memory of 2852	1904	winlogon.exe	61
PID 1904 wrote to memory of 2852	1904	winlogon.exe	61
PID 1904 wrote to memory of 2852	1904	winlogon.exe	61
PID 2852 wrote to memory of 2252	2852	cmd.exe	63
PID 2852 wrote to memory of 2252	2852	cmd.exe	63
PID 2852 wrote to memory of 2252	2852	cmd.exe	63
PID 2852 wrote to memory of 796	2852	cmd.exe	64
PID 2852 wrote to memory of 796	2852	cmd.exe	64
PID 2852 wrote to memory of 796	2852	cmd.exe	64
PID 796 wrote to memory of 1756	796	winlogon.exe	65
PID 796 wrote to memory of 1756	796	winlogon.exe	65
PID 796 wrote to memory of 1756	796	winlogon.exe	65
PID 1756 wrote to memory of 2020	1756	cmd.exe	67
PID 1756 wrote to memory of 2020	1756	cmd.exe	67
PID 1756 wrote to memory of 2020	1756	cmd.exe	67
PID 1756 wrote to memory of 1068	1756	cmd.exe	68
PID 1756 wrote to memory of 1068	1756	cmd.exe	68
PID 1756 wrote to memory of 1068	1756	cmd.exe	68
PID 1068 wrote to memory of 2000	1068	winlogon.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8bce143f502cb2df010fa386ae477ad86e2ed8b71df801c71c80e26a336d366d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8bce143f502cb2df010fa386ae477ad86e2ed8b71df801c71c80e26a336d366d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:840
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
    - - C:\Program Files\Windows Defender\winlogon.exe
        
        "C:\Program Files\Windows Defender\winlogon.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:936
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cqXkQwtlzQ.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2264
        
        C:\Program Files\Windows Defender\winlogon.exe
        
        "C:\Program Files\Windows Defender\winlogon.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2824
        
        C:\Program Files\Windows Defender\winlogon.exe
        
        "C:\Program Files\Windows Defender\winlogon.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2252
        
        C:\Program Files\Windows Defender\winlogon.exe
        
        "C:\Program Files\Windows Defender\winlogon.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2020
        
        C:\Program Files\Windows Defender\winlogon.exe
        
        "C:\Program Files\Windows Defender\winlogon.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n3vYZhDjEH.bat"
        14⤵
        
        PID:2000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1760
        
        C:\Program Files\Windows Defender\winlogon.exe
        
        "C:\Program Files\Windows Defender\winlogon.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R8iYvsD9nO.bat"
        16⤵
        
        PID:580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1804
        
        C:\Program Files\Windows Defender\winlogon.exe
        
        "C:\Program Files\Windows Defender\winlogon.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Po3x2tXZG.bat"
        18⤵
        
        PID:1884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2916
        
        C:\Program Files\Windows Defender\winlogon.exe
        
        "C:\Program Files\Windows Defender\winlogon.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzJh52oHEl.bat"
        20⤵
        
        PID:1704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2784
        
        C:\Program Files\Windows Defender\winlogon.exe
        
        "C:\Program Files\Windows Defender\winlogon.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iOYCRAfa0D.bat"
        22⤵
        
        PID:2444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2820
        
        C:\Program Files\Windows Defender\winlogon.exe
        
        "C:\Program Files\Windows Defender\winlogon.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat"
        24⤵
        
        PID:2944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2904
        
        C:\Program Files\Windows Defender\winlogon.exe
        
        "C:\Program Files\Windows Defender\winlogon.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat"
        26⤵
        
        PID:3060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2372
        
        C:\Program Files\Windows Defender\winlogon.exe
        
        "C:\Program Files\Windows Defender\winlogon.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Downloads\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Downloads\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
376f88c34bb954f070439da191ceda71

SHA1
0b7130e3ba6cd5318332698e7f37ba2952b5262b

SHA256
98b5fd852caf04de8af6533c392f408a87ca86af17523aea8b1c0040d894e2aa

SHA512
95621cfd025074d9261b6047e67f26b8b92f4e47932dc1dad6be3cdbab6a563379eec64dce3236566dc0547bbc31897f71dad7d27e2b04e1f2bfcb172be78625

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
afdbb7fd004a276e03abeb602b13e699

SHA1
c9f8dcbc5959d41c8f1a6a5f6bf95f2551f99312

SHA256
2ade6bd28d251ef634472f51afc590db9a1c7e0373aadd0f9ce7f224aaa68cb4

SHA512
1fc507a213aa2135d14c88e72b2987d60d9efe3349850facfd9d3c633f00e19a5e9b7fa09e0b212ae907c2fb0e72d7ab4dfec0779aac3735c130b630479c07a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eef096d8504ef29ce87009d91a10ae6e

SHA1
7d005198ad4047bfe4e7eaddb78d8963463883e4

SHA256
acee09b42b18c193494682a7e1acf5b17697ed4fbcd5c2b962d014f1d6f5c2f2

SHA512
92ef8049a298b00eb53ad905049acc8d61c3bfd833f479f87b6797f696cab4474a6d88c621f7b4c63d967286eca52a682aa751d8e350482b5340ac16f7a55813

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1565cd5cdda8cc3101da4620c5a49ea

SHA1
ce9bddc5b192a1bdd02f902282c5bccbe7083072

SHA256
39db20efe6bb0ad5e36a39fae6b06f8430fb297f8a7570e21ff4dbbf2a688d1c

SHA512
80d97f8911a90222fca06c92dd811d0aed7b1a0ee3dad6537ff54ae46e75be0c102259fceb624f3493f3b4cedeade65edd5d2e161222d57052f2c90b59a1de47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f8035aa5001bc6b47b6e229237feedb

SHA1
e369ba2c9c4998729ff1c2159cdb2b74f02916bd

SHA256
3d7db1196e2012b2a139888a989e5560c6cc2c30a19e645ef930ec038696643a

SHA512
42aefbe1d2fd98b3c3c22e1dc8d66fbebf44c0e056d2cde0a91821bb096da25c629c71046286b5b507b2e4156c8404779ef163c86d1a107a025bdc250226e54d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1633130055196abf28972b65fe90fd4c

SHA1
b4d4ad43c03bf25a0e8d07275b31548c1fed6126

SHA256
56c8ffdbe8ee1cf20b32d1d6145873c617d693d7e6133d5596bae40e801050a5

SHA512
a7a53c058c7d24fbc5f6c0a29a2964af25f6d23b0103abb5e360f16ead6ab46e6e84bea20ae146069a3de172cfc279aad918fdcf762932cb6b01b8e0b873a0e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
beab88d1e2aec5e67eb8bff260235690

SHA1
b51e4177eb0246eb43cdb5bda3440534badbe379

SHA256
11155de982ed2f283f44639f3b61d4d826b2322249cf3818447500362ce53713

SHA512
7bca68aba3ad97a50946368f6384cd6c042a0da86238dd81703102f53839210728493220435cfda30e45f9e2db2550dffd3ff373b0f15ecf75c6a65df28aca9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9abcf96bbfdbd53a6257171dbebf32a2

SHA1
21d09563ed1d8f4c0a041b4a6ce40c7ad23fc539

SHA256
57087ca8a05c5656e587edf54473a4b74d4add789c58b08bdb81384c0595f97f

SHA512
35d4d9adf6fad508fc0479269172ba9d61627ca1c65d409f8af95d6a03184c3ab68bfb13738f3d061d583a9cd4402423246497e493b58ff2b25e8797dbebf3af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eeab5cd938d98a74b267ccded4b330f5

SHA1
819739cbffa24aadfc9f5002d2326f2a23581879

SHA256
0c45a0ced725abe98fcd7c88a0ef6fcb1aa43afea873c5f55d816fe9d06d06eb

SHA512
f8407e654fad405a839839e7f065b7dd4a1bdeae1810db2c07d48c4145749fb9b1d16e7c240d93bb7bcfbf65aa76d13ab61165fea5085367dd968f210433f097

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db52e948c1d47f18a11c6e7d205ddbbf

SHA1
f5563db9aa52eee23ba79ade8e9001b64765295f

SHA256
452471a23fe541de69ee29d9a626cd2b902102bf29f61cc2ac820303cbd0c0ea

SHA512
15c6dcf8730a2e474cdccaad5aeb8b9a0c1c18fa4263f40a1bad79429d4c453a44debe26c57e38a8d4cb2acd9bb20b100c0b238877d1ab85b1fc34790ddef6cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat

Filesize
211B

MD5
19953c2f86027fe8fec8cad2e02ae613

SHA1
4e419b1d4d5fdf626dc093c77b70708457a08d3a

SHA256
f1a2f32da39113582a107ce74501b914ce14ce403c2529d9c6f99210712000a8

SHA512
a7d534a94bb4d41688a99fb23cb6a3ad79a9ebccf621c1a9a5131be19319aa61f2cfd336938806243ee29f7a15125f728855b3fe0d8da54a3dfb3eb844f12309

Download Submit
C:\Users\Admin\AppData\Local\Temp\6Po3x2tXZG.bat

Filesize
211B

MD5
48b2e05ff41bf7fd3c67445a24f51760

SHA1
510e379829b716ee78b9373f1665c1e27fd6b360

SHA256
6128569579e48268fe6e0a15e7859603f74b4fa90ed0b21d7476f75083f3f678

SHA512
86540a3afdd79bc80249ca3b274e31956e961e88d119b0135c1bf105e75c17e6163f09d02e704771eb015794f8c519d4d3f89fc60a6443493d455f4dbfe5bfd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4E60.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EzJh52oHEl.bat

Filesize
211B

MD5
29b0b5174a8e35fc2d7792a4ec854c55

SHA1
8bb3a0c4ee1993fe48568ed80f5b770517d0d1f5

SHA256
d8f719a00b2bb6c5b76492c6ac01fbf6a5bc260dd7b9962450b0b7923b32f2b4

SHA512
09c0911c4064067062324cd497d3cab7bfcacbadd058c1700f8b7a9c5784919f78e286a17d85731cebeb85a5920c0696f6fe77e8141b0a1f26372693dba42671

Download Submit
C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat

Filesize
211B

MD5
cb908ea32dbe2b7161690a15dcfbc757

SHA1
5b0cd309f6ed41212f0c394b62a514dfdac3e0f3

SHA256
a7932391bc04ab5a40ad0425925a084160bfc55d9a703566f7cd7b8b376f3714

SHA512
854f5c00eb084910a7b94fb15e145bcbc3196fc482096e990154c56c57b3955dc08ac6abb449ae6acbca350d92b2043eda383cdfa6a3d0dcc61d42d3db778422

Download Submit
C:\Users\Admin\AppData\Local\Temp\R8iYvsD9nO.bat

Filesize
211B

MD5
49d8b8c87a5498332ed9d33049f854b5

SHA1
abca740ecc81b3b02c5827aa63070cebfa6e5ee4

SHA256
38140014a26158722d17458161e48d4ebd11006d4b88c87634ef1e61a904ad1f

SHA512
2a656901fa4fc7e64d546d50250a38bf0fe8d30ed63b580ea0fe70ecc559a94b60a5215393052140c349668f0de1434ab08b27bfaaec8a9c95f99d3b2967d960

Download Submit
C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat

Filesize
211B

MD5
68d4415b33c5e7cedfb2d00e4da2c9a8

SHA1
3447c965d61a4bae5fbfd25991b2260ea233d8d7

SHA256
b27c902244990526578da428687da40952eaac8f2d35a6186445d31abdf4edb2

SHA512
10f11ef2354c21c55e9e75f202458d6324551d66b0f9cde0a54956681b3bbe448ffd7a330a07aec25418b38b35cfa13a9c5be2797f7138a339fd5b51741bca6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4E83.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqXkQwtlzQ.bat

Filesize
211B

MD5
954fd3051738987003365983841560e4

SHA1
a505ea7e0f14a5833c6b8113ebb546d90e941e66

SHA256
5afb037b198109d475113b8890ed6fa95c7e2512a9ae1306b675e2fe42eb80a4

SHA512
81d18e08115fe1616900d89f5ed21d540fef92f3f9f9909ff81727c428608fb0fd2b595c383e3c8259b26f635aecfa3e44ee34908ee7d84d770d3677e34a7835

Download Submit
C:\Users\Admin\AppData\Local\Temp\iOYCRAfa0D.bat

Filesize
211B

MD5
14895517b11b3ac45583c56dba5884c2

SHA1
30f2b7c10d33266930562af901536b924fd31264

SHA256
271de92910a2dee90467fd8aca99f6fa247912696ab3a875e6be83031c283bdc

SHA512
3fd1a9f84f0026bfb4a825d8d884884c75e9e3f1783614051c2a426f401e5a3cd0716c606bad03f5a961c1d416cd2630b55e76be021ae4ad265689e3f70debb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\n3vYZhDjEH.bat

Filesize
211B

MD5
78501f8a4d93fb348b175947b40d7c32

SHA1
714c177d636dae4a32c54a06cecbb8608270a3c8

SHA256
e4e0f08e036e9ee0c9bd0a2fafda5d972517c0f2089b0bf813a262efb10b2b61

SHA512
e0682c1ac73827d00ba0348bc118a480c1defb7c919b3324c4fd4b40bcea7a5c3cea1d4d67ca7c928ad396c6550d33a3db28248662fe318229682a5cd785f8c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat

Filesize
211B

MD5
c3ff12414517f620dc1eb78a35ac9120

SHA1
709161664ce7af83ada9a20613d3e51cdfa19c9e

SHA256
9c5bdfe452113b0499423f9f53bfee3d01931256d12dd00df54c01f5c2b3753e

SHA512
cbf8ad3e3aff1d168b8fcbb928e35cdeaa4988728e16495fa7a6ea6a7b254875dd27e3c2ccc99f3b7045ba62fa047c8173424f05f96d458d7f1c73a4584705eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat

Filesize
211B

MD5
ac51e865a67281b2c8d163f34c8508ed

SHA1
a406b5718b024ea8f0de8fd26d8ea8936486c59d

SHA256
50febb388543a839f6a00997ada0319c9bb04e1d286933c2627da28045d86ec4

SHA512
fd8267bd722a6bb4917466741d05a9e1ce9c7ffc42d3712e710dfa95603cbeb8eae00839e6522229fe428f53291c27e1a81d0a8b2d0950ffc8ed93cf7482d0e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
17e2735633af96e1539b0a89ab106935

SHA1
4f5461cd41c366c0fac9f1d8a27eaec513fc6ebf

SHA256
077a5aac1051950232b912dbd5d1631f0037983425238231bebb68ca3bb16fc7

SHA512
89b120a5cc92f999f35f575abb5a579770916b293c2d6dfd619316ec160517a7418cca1c8941bc36021a72ca628f1f3eb6284b0981c3a46ddee03a6bed8c1dd0

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/796-230-0x00000000008A0000-0x00000000009B0000-memory.dmp

Filesize
1.1MB

Download
memory/936-39-0x00000000002A0000-0x00000000003B0000-memory.dmp

Filesize
1.1MB

Download
memory/964-652-0x0000000000C80000-0x0000000000D90000-memory.dmp

Filesize
1.1MB

Download
memory/1068-291-0x00000000009C0000-0x00000000009D2000-memory.dmp

Filesize
72KB

Download
memory/1068-290-0x0000000001070000-0x0000000001180000-memory.dmp

Filesize
1.1MB

Download
memory/1876-592-0x0000000000320000-0x0000000000430000-memory.dmp

Filesize
1.1MB

Download
memory/1904-410-0x0000000000030000-0x0000000000140000-memory.dmp

Filesize
1.1MB

Download
memory/1904-411-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/1904-170-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/1936-110-0x0000000000F10000-0x0000000001020000-memory.dmp

Filesize
1.1MB

Download
memory/2340-712-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/2548-472-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2548-471-0x0000000000280000-0x0000000000390000-memory.dmp

Filesize
1.1MB

Download
memory/2700-532-0x0000000000B40000-0x0000000000C50000-memory.dmp

Filesize
1.1MB

Download
memory/2844-46-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/2844-40-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2944-17-0x0000000002170000-0x000000000217C000-memory.dmp

Filesize
48KB

Download
memory/2944-15-0x0000000002160000-0x000000000216C000-memory.dmp

Filesize
48KB

Download
memory/2944-16-0x0000000000A80000-0x0000000000A8C000-memory.dmp

Filesize
48KB

Download
memory/2944-13-0x0000000000B10000-0x0000000000C20000-memory.dmp

Filesize
1.1MB

Download
memory/2944-14-0x0000000000A70000-0x0000000000A82000-memory.dmp

Filesize
72KB

Download