dcrat | 7c8360ea997ed64efa0b7b9b97bddbf9f098a7efc8a97cfba4472c4e5bb677d0

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7c8360ea997ed64efa0b7b9b97bddbf9f098a7efc8a97cfba4472c4e5bb677d0.exe
Size

1.3MB
MD5

28eca1cc252fb1d5d37662d80092c6b4
SHA1

430f11aa8e8bcd6ac402dcbaf363707a9619b42c
SHA256

7c8360ea997ed64efa0b7b9b97bddbf9f098a7efc8a97cfba4472c4e5bb677d0
SHA512

667c29a46820218652a1832fc4ca7db73422700d966604170d58b37744de6891c6a5d2ef9d4640f07d610564daaad97e8e3a7baf0209a5429b9f3d13b10df664
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	1412	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	1412	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	1412	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	1412	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	1412	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	1412	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023ce1-10.dat	dcrat
behavioral2/memory/3196-13-0x0000000000270000-0x0000000000380000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2408	powershell.exe
972	powershell.exe
1428	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7c8360ea997ed64efa0b7b9b97bddbf9f098a7efc8a97cfba4472c4e5bb677d0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe

Executes dropped EXE 14 IoCs

pid	Process
3196	DllCommonsvc.exe
4856	OfficeClickToRun.exe
3820	OfficeClickToRun.exe
3124	OfficeClickToRun.exe
3752	OfficeClickToRun.exe
3912	OfficeClickToRun.exe
1428	OfficeClickToRun.exe
3604	OfficeClickToRun.exe
1628	OfficeClickToRun.exe
4816	OfficeClickToRun.exe
4572	OfficeClickToRun.exe
228	OfficeClickToRun.exe
3208	OfficeClickToRun.exe
2780	OfficeClickToRun.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
53	raw.githubusercontent.com
37	raw.githubusercontent.com
48	raw.githubusercontent.com
52	raw.githubusercontent.com
56	raw.githubusercontent.com
44	raw.githubusercontent.com
54	raw.githubusercontent.com
55	raw.githubusercontent.com
39	raw.githubusercontent.com
43	raw.githubusercontent.com
14	raw.githubusercontent.com
23	raw.githubusercontent.com
38	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\e6c9b481da804f	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7c8360ea997ed64efa0b7b9b97bddbf9f098a7efc8a97cfba4472c4e5bb677d0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	JaffaCakes118_7c8360ea997ed64efa0b7b9b97bddbf9f098a7efc8a97cfba4472c4e5bb677d0.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OfficeClickToRun.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2864	schtasks.exe
4380	schtasks.exe
736	schtasks.exe
4620	schtasks.exe
3668	schtasks.exe
1868	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3196	DllCommonsvc.exe
3196	DllCommonsvc.exe
3196	DllCommonsvc.exe
3196	DllCommonsvc.exe
3196	DllCommonsvc.exe
972	powershell.exe
972	powershell.exe
1428	powershell.exe
2408	powershell.exe
4856	OfficeClickToRun.exe
1428	powershell.exe
2408	powershell.exe
3820	OfficeClickToRun.exe
3124	OfficeClickToRun.exe
3752	OfficeClickToRun.exe
3912	OfficeClickToRun.exe
1428	OfficeClickToRun.exe
3604	OfficeClickToRun.exe
1628	OfficeClickToRun.exe
4816	OfficeClickToRun.exe
4572	OfficeClickToRun.exe
228	OfficeClickToRun.exe
3208	OfficeClickToRun.exe
2780	OfficeClickToRun.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	3196	DllCommonsvc.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	4856	OfficeClickToRun.exe
Token: SeDebugPrivilege	3820	OfficeClickToRun.exe
Token: SeDebugPrivilege	3124	OfficeClickToRun.exe
Token: SeDebugPrivilege	3752	OfficeClickToRun.exe
Token: SeDebugPrivilege	3912	OfficeClickToRun.exe
Token: SeDebugPrivilege	1428	OfficeClickToRun.exe
Token: SeDebugPrivilege	3604	OfficeClickToRun.exe
Token: SeDebugPrivilege	1628	OfficeClickToRun.exe
Token: SeDebugPrivilege	4816	OfficeClickToRun.exe
Token: SeDebugPrivilege	4572	OfficeClickToRun.exe
Token: SeDebugPrivilege	228	OfficeClickToRun.exe
Token: SeDebugPrivilege	3208	OfficeClickToRun.exe
Token: SeDebugPrivilege	2780	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 4528	4592	JaffaCakes118_7c8360ea997ed64efa0b7b9b97bddbf9f098a7efc8a97cfba4472c4e5bb677d0.exe	84
PID 4592 wrote to memory of 4528	4592	JaffaCakes118_7c8360ea997ed64efa0b7b9b97bddbf9f098a7efc8a97cfba4472c4e5bb677d0.exe	84
PID 4592 wrote to memory of 4528	4592	JaffaCakes118_7c8360ea997ed64efa0b7b9b97bddbf9f098a7efc8a97cfba4472c4e5bb677d0.exe	84
PID 4528 wrote to memory of 4884	4528	WScript.exe	85
PID 4528 wrote to memory of 4884	4528	WScript.exe	85
PID 4528 wrote to memory of 4884	4528	WScript.exe	85
PID 4884 wrote to memory of 3196	4884	cmd.exe	87
PID 4884 wrote to memory of 3196	4884	cmd.exe	87
PID 3196 wrote to memory of 2408	3196	DllCommonsvc.exe	95
PID 3196 wrote to memory of 2408	3196	DllCommonsvc.exe	95
PID 3196 wrote to memory of 972	3196	DllCommonsvc.exe	96
PID 3196 wrote to memory of 972	3196	DllCommonsvc.exe	96
PID 3196 wrote to memory of 1428	3196	DllCommonsvc.exe	97
PID 3196 wrote to memory of 1428	3196	DllCommonsvc.exe	97
PID 3196 wrote to memory of 4856	3196	DllCommonsvc.exe	101
PID 3196 wrote to memory of 4856	3196	DllCommonsvc.exe	101
PID 4856 wrote to memory of 1608	4856	OfficeClickToRun.exe	106
PID 4856 wrote to memory of 1608	4856	OfficeClickToRun.exe	106
PID 1608 wrote to memory of 4916	1608	cmd.exe	108
PID 1608 wrote to memory of 4916	1608	cmd.exe	108
PID 1608 wrote to memory of 3820	1608	cmd.exe	111
PID 1608 wrote to memory of 3820	1608	cmd.exe	111
PID 3820 wrote to memory of 2608	3820	OfficeClickToRun.exe	112
PID 3820 wrote to memory of 2608	3820	OfficeClickToRun.exe	112
PID 2608 wrote to memory of 2216	2608	cmd.exe	114
PID 2608 wrote to memory of 2216	2608	cmd.exe	114
PID 2608 wrote to memory of 3124	2608	cmd.exe	115
PID 2608 wrote to memory of 3124	2608	cmd.exe	115
PID 3124 wrote to memory of 1052	3124	OfficeClickToRun.exe	118
PID 3124 wrote to memory of 1052	3124	OfficeClickToRun.exe	118
PID 1052 wrote to memory of 2708	1052	cmd.exe	120
PID 1052 wrote to memory of 2708	1052	cmd.exe	120
PID 1052 wrote to memory of 3752	1052	cmd.exe	121
PID 1052 wrote to memory of 3752	1052	cmd.exe	121
PID 3752 wrote to memory of 1908	3752	OfficeClickToRun.exe	122
PID 3752 wrote to memory of 1908	3752	OfficeClickToRun.exe	122
PID 1908 wrote to memory of 3772	1908	cmd.exe	124
PID 1908 wrote to memory of 3772	1908	cmd.exe	124
PID 1908 wrote to memory of 3912	1908	cmd.exe	125
PID 1908 wrote to memory of 3912	1908	cmd.exe	125
PID 3912 wrote to memory of 4352	3912	OfficeClickToRun.exe	126
PID 3912 wrote to memory of 4352	3912	OfficeClickToRun.exe	126
PID 4352 wrote to memory of 1048	4352	cmd.exe	128
PID 4352 wrote to memory of 1048	4352	cmd.exe	128
PID 4352 wrote to memory of 1428	4352	cmd.exe	129
PID 4352 wrote to memory of 1428	4352	cmd.exe	129
PID 1428 wrote to memory of 796	1428	OfficeClickToRun.exe	130
PID 1428 wrote to memory of 796	1428	OfficeClickToRun.exe	130
PID 796 wrote to memory of 1820	796	cmd.exe	132
PID 796 wrote to memory of 1820	796	cmd.exe	132
PID 796 wrote to memory of 3604	796	cmd.exe	133
PID 796 wrote to memory of 3604	796	cmd.exe	133
PID 3604 wrote to memory of 652	3604	OfficeClickToRun.exe	134
PID 3604 wrote to memory of 652	3604	OfficeClickToRun.exe	134
PID 652 wrote to memory of 1404	652	cmd.exe	136
PID 652 wrote to memory of 1404	652	cmd.exe	136
PID 652 wrote to memory of 1628	652	cmd.exe	137
PID 652 wrote to memory of 1628	652	cmd.exe	137
PID 1628 wrote to memory of 2216	1628	OfficeClickToRun.exe	138
PID 1628 wrote to memory of 2216	1628	OfficeClickToRun.exe	138
PID 2216 wrote to memory of 4548	2216	cmd.exe	140
PID 2216 wrote to memory of 4548	2216	cmd.exe	140
PID 2216 wrote to memory of 4816	2216	cmd.exe	141
PID 2216 wrote to memory of 4816	2216	cmd.exe	141

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c8360ea997ed64efa0b7b9b97bddbf9f098a7efc8a97cfba4472c4e5bb677d0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c8360ea997ed64efa0b7b9b97bddbf9f098a7efc8a97cfba4472c4e5bb677d0.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3196
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1428
    - - C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe
        
        "C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4856
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4916
        
        C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe
        
        "C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\djCrJd6RmA.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2216
        
        C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe
        
        "C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2708
        
        C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe
        
        "C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oPL6j2OtN4.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3772
        
        C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe
        
        "C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GsZYO5BIqk.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1048
        
        C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe
        
        "C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vIn8vbLsXf.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1820
        
        C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe
        
        "C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pi2dGiCBJ7.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1404
        
        C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe
        
        "C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4548
        
        C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe
        
        "C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3HNGHapxv4.bat"
        22⤵
        
        PID:328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4896
        
        C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe
        
        "C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1F0LTC0kP2.bat"
        24⤵
        
        PID:4848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1216
        
        C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe
        
        "C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:228
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat"
        26⤵
        
        PID:2336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2404
        
        C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe
        
        "C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yJyIm7wr5G.bat"
        28⤵
        
        PID:1632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:3728
        
        C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe
        
        "C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nKCzYbro9F.bat"
        30⤵
        
        PID:4760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\providercommon\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\providercommon\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\providercommon\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F0LTC0kP2.bat

Filesize
216B

MD5
b8e5b36d35b66885dfe417d5f9da129b

SHA1
7605457017d2428da84c504ec06e4b28bb9ea38e

SHA256
93c2a7ba20810e5e1744913dae8a93cd89f3ce4f95fbbd93135fda00f6471d53

SHA512
c0b8a39bf0a343e8bdfbe5d615274742837bb470e3c4338d9b9678d792f1df27defcf385efcd5840c98f4107f9641c8e7f6465244cd655426a3049afb9c61817

Download Submit
C:\Users\Admin\AppData\Local\Temp\3HNGHapxv4.bat

Filesize
216B

MD5
c39f773ac0e7f406e2f4d03de2f984ac

SHA1
367819583e1566b836cca7376680e490b34ae435

SHA256
8db05f997b78a592f1f649ccfd0f358d73042200dcbb71eaccba3f480ee78b7f

SHA512
f1b109584ae222b3efda3ed37b37622f49ccdf13fad37a7625600758e1a1c501b9bfbb694ae04ab654878197f18e0e348e5689a5e9d5dd712d38bfba22ec7d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat

Filesize
216B

MD5
22b796579c1289d7c76290affc0282a0

SHA1
2135c9e486c339f9aef4833fe392dd411aec3fa2

SHA256
259654574e8b7ac2d73a77223c9fa456d7a4960cc91c6b347241c4ae6f00fb03

SHA512
9021c182859bde18dce569f57e84cf35fbfbcec1f8a98f0ab067473dbcfd39a5f57abe2d3dd452d174fc77a918646f4bb4bf6ac34f5839829ae846111e4e5f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat

Filesize
216B

MD5
cb1e33a84f6e4c79dd33479bd40c0ee2

SHA1
3f3316cb66221773228de4a19efccf14927d2ab0

SHA256
244745f1f373951043e797186da058f3100344bc5f1c52d364521da2e6c7084e

SHA512
4d6dcee62fdd12c7719335b0e1de6bf91dea6c2caf4b703c1989f96a9ede35c1143cd498b6381d3cd50912fda66ce833d8dec2ead0a20d625e78dc0ee39b8e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsZYO5BIqk.bat

Filesize
216B

MD5
72d48a2a38fbfcf6c148d612eefcc362

SHA1
e5084c68dfb0cde8bb27d907d650b86383a2cbd5

SHA256
4b621f9abbd732e7b302808de51141ab6c104a562b72bcfb59ffac9ce6d225a0

SHA512
6284fd0986b98effda142088f3a68f3b93b2328ada168366b987d10bc46d46c1ebb994258fca88e17d7e3996c6c988dec16de7cd8d7fa81d10f68f7ca6d20dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pi2dGiCBJ7.bat

Filesize
216B

MD5
ee74aca0084a25beb831ee348d6da87d

SHA1
6fa153d4ffd640e587ec17d9913377b68551af29

SHA256
2f8e9629d8ccf5491309edba1b1c6a8d8ca47ec597ed12214660ae5d95262135

SHA512
f94af317ddf02b8e0100cc065fd0439b42b320f305ad77f4bce486d9d252e87478be05117f680f786248ef5ea83334aac990863e45e1d80aae929be4adb4b9a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gh2i01yr.agk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\djCrJd6RmA.bat

Filesize
216B

MD5
4a1b6cd4342a22f3ff3fdd531f71dfb9

SHA1
51aae07a4b3554a8da95b3463e4ba22ccd7586df

SHA256
2b4bb0105adc452e9b171d9375591681f1f4fea09cc2dff0c179f395149cc623

SHA512
17462cef713cc3b94e7d35a106829a7af16e36e74e745b325836ddbc6a8ba3233f827999f416ac4cd0e3fe4a63125c38bb86b1d56ecf87ea31ac44f86cf115ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat

Filesize
216B

MD5
922beeddc88f0304c159a1500945d724

SHA1
8f892cdc0dcb63e7f4883c79b6c1f6f363bb34f1

SHA256
28ef883514b468bbc885b66420f6c4c30a98073cede7fe928f69b3b7a9a0e7c4

SHA512
d4329a02a6d94ec2f34a8920920b3fc3c73df19fabd0883f1fa2eca034a1ced8d0ad047130e31da4eda0f44693f925cda4b1818dc7728598e46d7859fe9dd2b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nKCzYbro9F.bat

Filesize
216B

MD5
4e0cef87059a971244f442e6ee7a7bab

SHA1
4b0e222ad095fbcb9cab54d8e8e65b04b8981e55

SHA256
fb483b8a23ded923048fde022e299e422773e5999dc2a29b281c81c92cc0e6b7

SHA512
180d9ecff0d802720074caa9ace51d23aaaf0bf4cf86af7a6f5e8941278cf649d359dba0669b12a63bfd566f3b80d5e273165fbf9288faf7bc9707588a7e80cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\oPL6j2OtN4.bat

Filesize
216B

MD5
65ab0389d277d028f33571066602dc14

SHA1
e304a69ac6df1a93c3074845407208f15439abc7

SHA256
3ff3bf5a86ae6a496b9eb35394288eb12e33817f16e364afe0e5d471ecabd6a8

SHA512
9f28a2624c8f712174e950ff02bbee1cc2bad9416e1a4cfe0ffd75008233804dfa500d0c1854b52c4ee61447fb8bdf8e1baf4295bb17b411081697977b4e8023

Download Submit
C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat

Filesize
216B

MD5
9d1e39828a862b4bedaf47225d18ee66

SHA1
f0c659dbf0d8a972ced3825f0f7c9f1f043816eb

SHA256
e8791f5f4dd1993c0dc2e7ca72aaddf6748e275f7be44412af6f294f89bc079f

SHA512
57c142685ef2e90a50650e4fd21f16ffebb9bb1ad8ee468fc56795cb885ed31a1eacf219d07d95bc3f2b37f94da1ee5c039f026c653a27b10cc2c965f1f43b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIn8vbLsXf.bat

Filesize
216B

MD5
b4e7cfe1b3491f7f5190a7a6bfed0ac6

SHA1
a74a39b889e96226d6dfa009d3e92e7f3023488d

SHA256
320f5c1f4404f4e144a0fc9f117e159699cc8cedb97098146c173c59ce0716a9

SHA512
fa468ca61fab311de92e8ec0bcf44800d1295b4ffdb78d8c6c3c63342e4777cdb8265254b1a8da38dbf4436b558b3ba0e86c9879221e3a6cbd23f64d22d73dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\yJyIm7wr5G.bat

Filesize
216B

MD5
3dbbe3d23b81555397c26f46aec98ef5

SHA1
56654ffd7a8221cde96659c1fe10f5648c2880c9

SHA256
c2fc615577f25ccdab0acdf9204abcc5dc5c9553321bdd6369eb51b8b84ba237

SHA512
b3029a2dc2175d4c68d402b833f08735384b6cefa3885f9dff292e6f124e0b871e81a1069755174c53d2796e00343731047d067701197475db4d0d16cbf14294

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/972-42-0x000001DDF83F0000-0x000001DDF8412000-memory.dmp

Filesize
136KB

Download
memory/1628-114-0x0000000001600000-0x0000000001612000-memory.dmp

Filesize
72KB

Download
memory/2780-145-0x0000000000C90000-0x0000000000CA2000-memory.dmp

Filesize
72KB

Download
memory/3124-83-0x0000000001960000-0x0000000001972000-memory.dmp

Filesize
72KB

Download
memory/3196-17-0x00000000025C0000-0x00000000025CC000-memory.dmp

Filesize
48KB

Download
memory/3196-16-0x00000000025B0000-0x00000000025BC000-memory.dmp

Filesize
48KB

Download
memory/3196-15-0x00000000025D0000-0x00000000025DC000-memory.dmp

Filesize
48KB

Download
memory/3196-14-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3196-13-0x0000000000270000-0x0000000000380000-memory.dmp

Filesize
1.1MB

Download
memory/3196-12-0x00007FFC53503000-0x00007FFC53505000-memory.dmp

Filesize
8KB

Download
memory/4856-61-0x0000000002990000-0x00000000029A2000-memory.dmp

Filesize
72KB

Download