dcrat | 997446305ec34390f31bcfa77ec6ad9de5aaacc7707474135c0dc7b5fcc3f0a7

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_997446305ec34390f31bcfa77ec6ad9de5aaacc7707474135c0dc7b5fcc3f0a7.exe
Size

1.3MB
MD5

74a561602ad435e4e531f35363dbe15a
SHA1

7b3bdc81ca994b3fb65262528ac020624ee768e9
SHA256

997446305ec34390f31bcfa77ec6ad9de5aaacc7707474135c0dc7b5fcc3f0a7
SHA512

cdefdbd76096bd95410c42868e3dea8b1ca71fe98909f8acaecd023594b12f73bd1602ad4decbbfb36da0b0ca69e9af52fb4cd5a4ed179603cb6208e4a278be5
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3268	2744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	2744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	2744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	2744	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023cb2-9.dat	dcrat
behavioral2/memory/3884-13-0x0000000000ED0000-0x0000000000FE0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2376	powershell.exe
5060	powershell.exe
4052	powershell.exe
4576	powershell.exe
3384	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_997446305ec34390f31bcfa77ec6ad9de5aaacc7707474135c0dc7b5fcc3f0a7.exe

Executes dropped EXE 15 IoCs

pid	Process
3884	DllCommonsvc.exe
3676	sysmon.exe
2624	sysmon.exe
1504	sysmon.exe
4072	sysmon.exe
4432	sysmon.exe
3408	sysmon.exe
2588	sysmon.exe
4528	sysmon.exe
4624	sysmon.exe
1500	sysmon.exe
1964	sysmon.exe
3232	sysmon.exe
3152	sysmon.exe
528	sysmon.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
56	raw.githubusercontent.com
58	raw.githubusercontent.com
46	raw.githubusercontent.com
47	raw.githubusercontent.com
57	raw.githubusercontent.com
48	raw.githubusercontent.com
55	raw.githubusercontent.com
27	raw.githubusercontent.com
43	raw.githubusercontent.com
41	raw.githubusercontent.com
42	raw.githubusercontent.com
59	raw.githubusercontent.com
20	raw.githubusercontent.com
21	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\conhost.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Vss\sysmon.exe	DllCommonsvc.exe
File created	C:\Windows\Vss\121e5b5079f7c0	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_997446305ec34390f31bcfa77ec6ad9de5aaacc7707474135c0dc7b5fcc3f0a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	JaffaCakes118_997446305ec34390f31bcfa77ec6ad9de5aaacc7707474135c0dc7b5fcc3f0a7.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	sysmon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2144	schtasks.exe
1060	schtasks.exe
3268	schtasks.exe
2372	schtasks.exe
2696	schtasks.exe
2432	schtasks.exe
812	schtasks.exe
3988	schtasks.exe
2896	schtasks.exe
5012	schtasks.exe
868	schtasks.exe
1132	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
3884	DllCommonsvc.exe
3884	DllCommonsvc.exe
3884	DllCommonsvc.exe
3384	powershell.exe
5060	powershell.exe
4052	powershell.exe
4576	powershell.exe
4052	powershell.exe
2376	powershell.exe
2376	powershell.exe
3384	powershell.exe
3676	sysmon.exe
4576	powershell.exe
5060	powershell.exe
2624	sysmon.exe
1504	sysmon.exe
4072	sysmon.exe
4432	sysmon.exe
3408	sysmon.exe
2588	sysmon.exe
4528	sysmon.exe
4624	sysmon.exe
1500	sysmon.exe
1964	sysmon.exe
3232	sysmon.exe
3152	sysmon.exe
528	sysmon.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	3884	DllCommonsvc.exe
Token: SeDebugPrivilege	3384	powershell.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	3676	sysmon.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2624	sysmon.exe
Token: SeDebugPrivilege	1504	sysmon.exe
Token: SeDebugPrivilege	4072	sysmon.exe
Token: SeDebugPrivilege	4432	sysmon.exe
Token: SeDebugPrivilege	3408	sysmon.exe
Token: SeDebugPrivilege	2588	sysmon.exe
Token: SeDebugPrivilege	4528	sysmon.exe
Token: SeDebugPrivilege	4624	sysmon.exe
Token: SeDebugPrivilege	1500	sysmon.exe
Token: SeDebugPrivilege	1964	sysmon.exe
Token: SeDebugPrivilege	3232	sysmon.exe
Token: SeDebugPrivilege	3152	sysmon.exe
Token: SeDebugPrivilege	528	sysmon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 1820	2748	JaffaCakes118_997446305ec34390f31bcfa77ec6ad9de5aaacc7707474135c0dc7b5fcc3f0a7.exe	82
PID 2748 wrote to memory of 1820	2748	JaffaCakes118_997446305ec34390f31bcfa77ec6ad9de5aaacc7707474135c0dc7b5fcc3f0a7.exe	82
PID 2748 wrote to memory of 1820	2748	JaffaCakes118_997446305ec34390f31bcfa77ec6ad9de5aaacc7707474135c0dc7b5fcc3f0a7.exe	82
PID 1820 wrote to memory of 3952	1820	WScript.exe	83
PID 1820 wrote to memory of 3952	1820	WScript.exe	83
PID 1820 wrote to memory of 3952	1820	WScript.exe	83
PID 3952 wrote to memory of 3884	3952	cmd.exe	85
PID 3952 wrote to memory of 3884	3952	cmd.exe	85
PID 3884 wrote to memory of 2376	3884	DllCommonsvc.exe	101
PID 3884 wrote to memory of 2376	3884	DllCommonsvc.exe	101
PID 3884 wrote to memory of 5060	3884	DllCommonsvc.exe	102
PID 3884 wrote to memory of 5060	3884	DllCommonsvc.exe	102
PID 3884 wrote to memory of 4052	3884	DllCommonsvc.exe	103
PID 3884 wrote to memory of 4052	3884	DllCommonsvc.exe	103
PID 3884 wrote to memory of 4576	3884	DllCommonsvc.exe	104
PID 3884 wrote to memory of 4576	3884	DllCommonsvc.exe	104
PID 3884 wrote to memory of 3384	3884	DllCommonsvc.exe	105
PID 3884 wrote to memory of 3384	3884	DllCommonsvc.exe	105
PID 3884 wrote to memory of 3676	3884	DllCommonsvc.exe	110
PID 3884 wrote to memory of 3676	3884	DllCommonsvc.exe	110
PID 3676 wrote to memory of 4960	3676	sysmon.exe	116
PID 3676 wrote to memory of 4960	3676	sysmon.exe	116
PID 4960 wrote to memory of 1432	4960	cmd.exe	118
PID 4960 wrote to memory of 1432	4960	cmd.exe	118
PID 4960 wrote to memory of 2624	4960	cmd.exe	119
PID 4960 wrote to memory of 2624	4960	cmd.exe	119
PID 2624 wrote to memory of 676	2624	sysmon.exe	120
PID 2624 wrote to memory of 676	2624	sysmon.exe	120
PID 676 wrote to memory of 5012	676	cmd.exe	122
PID 676 wrote to memory of 5012	676	cmd.exe	122
PID 676 wrote to memory of 1504	676	cmd.exe	125
PID 676 wrote to memory of 1504	676	cmd.exe	125
PID 1504 wrote to memory of 2028	1504	sysmon.exe	126
PID 1504 wrote to memory of 2028	1504	sysmon.exe	126
PID 2028 wrote to memory of 3356	2028	cmd.exe	128
PID 2028 wrote to memory of 3356	2028	cmd.exe	128
PID 2028 wrote to memory of 4072	2028	cmd.exe	129
PID 2028 wrote to memory of 4072	2028	cmd.exe	129
PID 4072 wrote to memory of 1316	4072	sysmon.exe	130
PID 4072 wrote to memory of 1316	4072	sysmon.exe	130
PID 1316 wrote to memory of 4476	1316	cmd.exe	132
PID 1316 wrote to memory of 4476	1316	cmd.exe	132
PID 1316 wrote to memory of 4432	1316	cmd.exe	133
PID 1316 wrote to memory of 4432	1316	cmd.exe	133
PID 4432 wrote to memory of 2400	4432	sysmon.exe	134
PID 4432 wrote to memory of 2400	4432	sysmon.exe	134
PID 2400 wrote to memory of 1576	2400	cmd.exe	136
PID 2400 wrote to memory of 1576	2400	cmd.exe	136
PID 2400 wrote to memory of 3408	2400	cmd.exe	137
PID 2400 wrote to memory of 3408	2400	cmd.exe	137
PID 3408 wrote to memory of 5060	3408	sysmon.exe	138
PID 3408 wrote to memory of 5060	3408	sysmon.exe	138
PID 5060 wrote to memory of 100	5060	cmd.exe	140
PID 5060 wrote to memory of 100	5060	cmd.exe	140
PID 5060 wrote to memory of 2588	5060	cmd.exe	141
PID 5060 wrote to memory of 2588	5060	cmd.exe	141
PID 2588 wrote to memory of 2148	2588	sysmon.exe	142
PID 2588 wrote to memory of 2148	2588	sysmon.exe	142
PID 2148 wrote to memory of 3048	2148	cmd.exe	144
PID 2148 wrote to memory of 3048	2148	cmd.exe	144
PID 2148 wrote to memory of 4528	2148	cmd.exe	145
PID 2148 wrote to memory of 4528	2148	cmd.exe	145
PID 4528 wrote to memory of 3120	4528	sysmon.exe	146
PID 4528 wrote to memory of 3120	4528	sysmon.exe	146

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_997446305ec34390f31bcfa77ec6ad9de5aaacc7707474135c0dc7b5fcc3f0a7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_997446305ec34390f31bcfa77ec6ad9de5aaacc7707474135c0dc7b5fcc3f0a7.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3952
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3384
    - - C:\Windows\Vss\sysmon.exe
        
        "C:\Windows\Vss\sysmon.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3676
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1432
        
        C:\Windows\Vss\sysmon.exe
        
        "C:\Windows\Vss\sysmon.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:5012
        
        C:\Windows\Vss\sysmon.exe
        
        "C:\Windows\Vss\sysmon.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3356
        
        C:\Windows\Vss\sysmon.exe
        
        "C:\Windows\Vss\sysmon.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4476
        
        C:\Windows\Vss\sysmon.exe
        
        "C:\Windows\Vss\sysmon.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DJG58brWjr.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1576
        
        C:\Windows\Vss\sysmon.exe
        
        "C:\Windows\Vss\sysmon.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:100
        
        C:\Windows\Vss\sysmon.exe
        
        "C:\Windows\Vss\sysmon.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3048
        
        C:\Windows\Vss\sysmon.exe
        
        "C:\Windows\Vss\sysmon.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat"
        20⤵
        
        PID:3120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3956
        
        C:\Windows\Vss\sysmon.exe
        
        "C:\Windows\Vss\sysmon.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat"
        22⤵
        
        PID:2696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4748
        
        C:\Windows\Vss\sysmon.exe
        
        "C:\Windows\Vss\sysmon.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M2NHsv551y.bat"
        24⤵
        
        PID:1868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4384
        
        C:\Windows\Vss\sysmon.exe
        
        "C:\Windows\Vss\sysmon.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P9uKrkSNlp.bat"
        26⤵
        
        PID:1700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:3668
        
        C:\Windows\Vss\sysmon.exe
        
        "C:\Windows\Vss\sysmon.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat"
        28⤵
        
        PID:4448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:4260
        
        C:\Windows\Vss\sysmon.exe
        
        "C:\Windows\Vss\sysmon.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0MFyH7TMVd.bat"
        30⤵
        
        PID:4380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:452
        
        C:\Windows\Vss\sysmon.exe
        
        "C:\Windows\Vss\sysmon.exe"
        31⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Windows\Vss\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\Vss\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sysmon.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0MFyH7TMVd.bat

Filesize
190B

MD5
e64c334661fd4548fe51a520e0af9246

SHA1
c3ac297682979c0d7e7feb821ac86ca377ad26f9

SHA256
4291a272df6fac2921a9fb111752ce40b331f78003ab0378b011a8290a812eb0

SHA512
e6b2d6cc4b376cf5af3f81e3064f6bebf3e7113eec7ca443720d5a60ed7b1dbaa678e8f2ba7dceffae5dbbc68fd9c0156010288236a3b8900527856180cccdf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat

Filesize
190B

MD5
1646e90ef3fb61cb5861e003cfcb7c4c

SHA1
204c675ac12b28e8ae1aa8b356b9f67bcaee4fa5

SHA256
196ad755c5e6d67e4ea06d0eff89104036b66cec467ce00b0cad1b65a192d0fa

SHA512
ec1109a4059c5870bad47ff186687b600f1520f92a650156ef2b83ffceccb52d356f20c58bad5c727fcd52fb500b64963e7dfc8d2e8243285fca7c8792b27dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\DJG58brWjr.bat

Filesize
190B

MD5
e983d9544e7df424d40258e9a8f40827

SHA1
6e37803715402c2460d34d0d78b052bef9793e48

SHA256
db2c2f84cc7f076e2697cc2b05df26a8b1d28aa4836aff84a4221190474f32e9

SHA512
7426150f68db417f4688b89e0c43b73fdaa4ac1ae7c7279e69a435ef957c5f4e7f202bcb4b909b2b5939cff7732edba822e0f080cf6f98ca1d48f841e8a3aa31

Download Submit
C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat

Filesize
190B

MD5
8ec227cdbe0e82ad97a44a228586f280

SHA1
1eb8a7c6def617a63f9f83b5f300a0475138c935

SHA256
2f63f8212ccd1fa74e012d926a877057c8539ee2957fa3cc1f30e2a0cdafa498

SHA512
4fde762fc080d6f78f501d46fc536901d8127f01321e77609537f767613a2e8dfc2488775e59f6f188a9e9e4b0d7f49b33fc36240c5beb7b93c87971fd5b3e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat

Filesize
190B

MD5
73811ed2303b10026ee03e193656fd5d

SHA1
e21098ec179b60b890b9edbc99bd555909a3b904

SHA256
55b75dfbf07b36ddad4958d87e89389ddd5f798700a09042bda3cd34caf0e6c4

SHA512
87f1ca29f55546350012cce7960f26d859ef887c7a2a43418f28596cf98fd268ddfbbf4266b1a1464275efba75004625270d1e06ef1dadead2ce1c444ae43e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\M2NHsv551y.bat

Filesize
190B

MD5
eced1ce38238ad0b3987191ea25a611b

SHA1
414934850ca5cbb0b6d48e661074953e64cabf83

SHA256
2937b32adfb1f97a0b351480a8b8576273f2bcd15113623a7c2dd4470e1ffbbb

SHA512
bf225966238341e859782e5817f6ab8100f315b3b7bb5af35c87a91458e1b6e9f9ce0abb48d6eb6c7320179902fbac53d1a658f5d7e8b708ea3d36a021d37bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat

Filesize
190B

MD5
7e844000c38272493766912e85799005

SHA1
e9ea3a6349fe6a7ba561c3df083438cbd9a19e2a

SHA256
16c0b2d68f68481d4ec5ffe9bfbcd868a10fef3f4f5fe21c136cb8850016489d

SHA512
9c8f27423a290f2a2568d625d2c632baf33ef3b11e6536e291e33e7d7129c9ea084e03791c9657107c31ac07b7aa990ddcad3b43fdb7ac81adba61fd454a488b

Download Submit
C:\Users\Admin\AppData\Local\Temp\P9uKrkSNlp.bat

Filesize
190B

MD5
28c91a9bbbb12d6b3531eb3e2dc7fa9a

SHA1
6e7315a5634fb8e8fbb3f7d7a274980c8c9fef8b

SHA256
84fe4d93ce285cf99738fcb3b3077985c44a5db50e0269fe6cb7bb41a0eba784

SHA512
b34706e20cf91ec1bfa1d2a706f0f7c391411bfcea16cefa60897bc319f37020b5c86ac826a0bd5ce70f9acbfc23884d591f0981418486ba9e62781ea92b1741

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nbvjxt5p.42l.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat

Filesize
190B

MD5
80eca188129cbbc12c2aa0e2d7cbf9ef

SHA1
541d4cc36fad4bf1dc32899594bfda89860d23f4

SHA256
410b81ec103208b3a2c13cc0d937d6cfb7c6128868e5d48643c7fbdf6397cbc4

SHA512
90600e1950241d209b34cab5e3bd01c5630bb2551b723a53dbdf185deddc1a3ac2838a7610cd8b93f05ddab8fd97aac501db63642375d2a17f10625ea9b621c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat

Filesize
190B

MD5
46bdd187e5e479f6fdf1148e0ecc63ea

SHA1
87ffa26481b716a4623f58119289d5069af2420c

SHA256
1d1202fe8410c0a98b39878d7855eb81acddb2c378ff2cce8f51ec066d74603d

SHA512
602eb2546e91e571e36fa2257461a4bed5fa3774234f2f932849ce603931027d4fbc10059502c0a0e774fba17415af5cfe1926013b479920a102921359ce069f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/3676-83-0x0000000002F50000-0x0000000002F62000-memory.dmp

Filesize
72KB

Download
memory/3884-15-0x000000001BD00000-0x000000001BD0C000-memory.dmp

Filesize
48KB

Download
memory/3884-12-0x00007FF9D5413000-0x00007FF9D5415000-memory.dmp

Filesize
8KB

Download
memory/3884-13-0x0000000000ED0000-0x0000000000FE0000-memory.dmp

Filesize
1.1MB

Download
memory/3884-14-0x000000001BCD0000-0x000000001BCE2000-memory.dmp

Filesize
72KB

Download
memory/3884-16-0x000000001BCE0000-0x000000001BCEC000-memory.dmp

Filesize
48KB

Download
memory/3884-17-0x000000001BCF0000-0x000000001BCFC000-memory.dmp

Filesize
48KB

Download
memory/4052-47-0x000001FA4E4E0000-0x000001FA4E502000-memory.dmp

Filesize
136KB

Download
memory/4072-115-0x0000000002E90000-0x0000000002EA2000-memory.dmp

Filesize
72KB

Download