dcrat | b91a09c1c8bdc767aae32f600ac14942dfcbb172d0065a8390f0c4b433e3059f

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b91a09c1c8bdc767aae32f600ac14942dfcbb172d0065a8390f0c4b433e3059f.exe
Size

1.3MB
MD5

cd3134125db724a0be83f7914c5fb1a3
SHA1

fde92910a2397921cd7de072d6e2126c7c664cd7
SHA256

b91a09c1c8bdc767aae32f600ac14942dfcbb172d0065a8390f0c4b433e3059f
SHA512

208b63e216c163aeba6a49ccd0c0238368826390253253e62459547c39f01083db11d819c61d7b31433a89feb904840d7f547bf0b79a98d5b04a5309c634a626
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2628	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d0c-12.dat	dcrat
behavioral1/memory/2796-13-0x0000000000030000-0x0000000000140000-memory.dmp	dcrat
behavioral1/memory/432-58-0x0000000000CC0000-0x0000000000DD0000-memory.dmp	dcrat
behavioral1/memory/1952-117-0x0000000000390000-0x00000000004A0000-memory.dmp	dcrat
behavioral1/memory/2820-177-0x0000000000D10000-0x0000000000E20000-memory.dmp	dcrat
behavioral1/memory/2684-237-0x00000000002A0000-0x00000000003B0000-memory.dmp	dcrat
behavioral1/memory/600-297-0x0000000001230000-0x0000000001340000-memory.dmp	dcrat
behavioral1/memory/1156-475-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/2288-535-0x0000000001080000-0x0000000001190000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2940	powershell.exe
520	powershell.exe
2976	powershell.exe
2916	powershell.exe
2932	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2796	DllCommonsvc.exe
432	WMIADAP.exe
1952	WMIADAP.exe
2820	WMIADAP.exe
2684	WMIADAP.exe
600	WMIADAP.exe
2364	WMIADAP.exe
2828	WMIADAP.exe
1156	WMIADAP.exe
2288	WMIADAP.exe
3024	WMIADAP.exe

Loads dropped DLL 2 IoCs

pid	Process
2488	cmd.exe
2488	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
32	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
15	raw.githubusercontent.com
22	raw.githubusercontent.com
18	raw.githubusercontent.com
25	raw.githubusercontent.com
29	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Journal\WMIADAP.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\75a57c1bdf437c	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\debug\explorer.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\debug\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\debug\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Windows\es-ES\services.exe	DllCommonsvc.exe
File created	C:\Windows\es-ES\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Windows\CSC\v2.0.6\dllhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b91a09c1c8bdc767aae32f600ac14942dfcbb172d0065a8390f0c4b433e3059f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2768	schtasks.exe
2840	schtasks.exe
1620	schtasks.exe
2896	schtasks.exe
2788	schtasks.exe
2656	schtasks.exe
2288	schtasks.exe
2644	schtasks.exe
1912	schtasks.exe
2652	schtasks.exe
2912	schtasks.exe
2760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2796	DllCommonsvc.exe
2940	powershell.exe
2916	powershell.exe
2932	powershell.exe
520	powershell.exe
2976	powershell.exe
432	WMIADAP.exe
1952	WMIADAP.exe
2820	WMIADAP.exe
2684	WMIADAP.exe
600	WMIADAP.exe
2364	WMIADAP.exe
2828	WMIADAP.exe
1156	WMIADAP.exe
2288	WMIADAP.exe
3024	WMIADAP.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	DllCommonsvc.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	520	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	432	WMIADAP.exe
Token: SeDebugPrivilege	1952	WMIADAP.exe
Token: SeDebugPrivilege	2820	WMIADAP.exe
Token: SeDebugPrivilege	2684	WMIADAP.exe
Token: SeDebugPrivilege	600	WMIADAP.exe
Token: SeDebugPrivilege	2364	WMIADAP.exe
Token: SeDebugPrivilege	2828	WMIADAP.exe
Token: SeDebugPrivilege	1156	WMIADAP.exe
Token: SeDebugPrivilege	2288	WMIADAP.exe
Token: SeDebugPrivilege	3024	WMIADAP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1948	1728	JaffaCakes118_b91a09c1c8bdc767aae32f600ac14942dfcbb172d0065a8390f0c4b433e3059f.exe	31
PID 1728 wrote to memory of 1948	1728	JaffaCakes118_b91a09c1c8bdc767aae32f600ac14942dfcbb172d0065a8390f0c4b433e3059f.exe	31
PID 1728 wrote to memory of 1948	1728	JaffaCakes118_b91a09c1c8bdc767aae32f600ac14942dfcbb172d0065a8390f0c4b433e3059f.exe	31
PID 1728 wrote to memory of 1948	1728	JaffaCakes118_b91a09c1c8bdc767aae32f600ac14942dfcbb172d0065a8390f0c4b433e3059f.exe	31
PID 1948 wrote to memory of 2488	1948	WScript.exe	32
PID 1948 wrote to memory of 2488	1948	WScript.exe	32
PID 1948 wrote to memory of 2488	1948	WScript.exe	32
PID 1948 wrote to memory of 2488	1948	WScript.exe	32
PID 2488 wrote to memory of 2796	2488	cmd.exe	34
PID 2488 wrote to memory of 2796	2488	cmd.exe	34
PID 2488 wrote to memory of 2796	2488	cmd.exe	34
PID 2488 wrote to memory of 2796	2488	cmd.exe	34
PID 2796 wrote to memory of 2940	2796	DllCommonsvc.exe	48
PID 2796 wrote to memory of 2940	2796	DllCommonsvc.exe	48
PID 2796 wrote to memory of 2940	2796	DllCommonsvc.exe	48
PID 2796 wrote to memory of 520	2796	DllCommonsvc.exe	49
PID 2796 wrote to memory of 520	2796	DllCommonsvc.exe	49
PID 2796 wrote to memory of 520	2796	DllCommonsvc.exe	49
PID 2796 wrote to memory of 2976	2796	DllCommonsvc.exe	50
PID 2796 wrote to memory of 2976	2796	DllCommonsvc.exe	50
PID 2796 wrote to memory of 2976	2796	DllCommonsvc.exe	50
PID 2796 wrote to memory of 2916	2796	DllCommonsvc.exe	51
PID 2796 wrote to memory of 2916	2796	DllCommonsvc.exe	51
PID 2796 wrote to memory of 2916	2796	DllCommonsvc.exe	51
PID 2796 wrote to memory of 2932	2796	DllCommonsvc.exe	52
PID 2796 wrote to memory of 2932	2796	DllCommonsvc.exe	52
PID 2796 wrote to memory of 2932	2796	DllCommonsvc.exe	52
PID 2796 wrote to memory of 432	2796	DllCommonsvc.exe	58
PID 2796 wrote to memory of 432	2796	DllCommonsvc.exe	58
PID 2796 wrote to memory of 432	2796	DllCommonsvc.exe	58
PID 432 wrote to memory of 1748	432	WMIADAP.exe	59
PID 432 wrote to memory of 1748	432	WMIADAP.exe	59
PID 432 wrote to memory of 1748	432	WMIADAP.exe	59
PID 1748 wrote to memory of 1592	1748	cmd.exe	61
PID 1748 wrote to memory of 1592	1748	cmd.exe	61
PID 1748 wrote to memory of 1592	1748	cmd.exe	61
PID 1748 wrote to memory of 1952	1748	cmd.exe	62
PID 1748 wrote to memory of 1952	1748	cmd.exe	62
PID 1748 wrote to memory of 1952	1748	cmd.exe	62
PID 1952 wrote to memory of 2508	1952	WMIADAP.exe	63
PID 1952 wrote to memory of 2508	1952	WMIADAP.exe	63
PID 1952 wrote to memory of 2508	1952	WMIADAP.exe	63
PID 2508 wrote to memory of 2060	2508	cmd.exe	65
PID 2508 wrote to memory of 2060	2508	cmd.exe	65
PID 2508 wrote to memory of 2060	2508	cmd.exe	65
PID 2508 wrote to memory of 2820	2508	cmd.exe	66
PID 2508 wrote to memory of 2820	2508	cmd.exe	66
PID 2508 wrote to memory of 2820	2508	cmd.exe	66
PID 2820 wrote to memory of 1508	2820	WMIADAP.exe	67
PID 2820 wrote to memory of 1508	2820	WMIADAP.exe	67
PID 2820 wrote to memory of 1508	2820	WMIADAP.exe	67
PID 1508 wrote to memory of 952	1508	cmd.exe	69
PID 1508 wrote to memory of 952	1508	cmd.exe	69
PID 1508 wrote to memory of 952	1508	cmd.exe	69
PID 1508 wrote to memory of 2684	1508	cmd.exe	70
PID 1508 wrote to memory of 2684	1508	cmd.exe	70
PID 1508 wrote to memory of 2684	1508	cmd.exe	70
PID 2684 wrote to memory of 276	2684	WMIADAP.exe	71
PID 2684 wrote to memory of 276	2684	WMIADAP.exe	71
PID 2684 wrote to memory of 276	2684	WMIADAP.exe	71
PID 276 wrote to memory of 1476	276	cmd.exe	73
PID 276 wrote to memory of 1476	276	cmd.exe	73
PID 276 wrote to memory of 1476	276	cmd.exe	73
PID 276 wrote to memory of 600	276	cmd.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b91a09c1c8bdc767aae32f600ac14942dfcbb172d0065a8390f0c4b433e3059f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b91a09c1c8bdc767aae32f600ac14942dfcbb172d0065a8390f0c4b433e3059f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
    - - C:\Program Files\Windows Journal\WMIADAP.exe
        
        "C:\Program Files\Windows Journal\WMIADAP.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:432
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L59TFxmxil.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1592
        
        C:\Program Files\Windows Journal\WMIADAP.exe
        
        "C:\Program Files\Windows Journal\WMIADAP.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wzkVYe0vvu.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2060
        
        C:\Program Files\Windows Journal\WMIADAP.exe
        
        "C:\Program Files\Windows Journal\WMIADAP.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:952
        
        C:\Program Files\Windows Journal\WMIADAP.exe
        
        "C:\Program Files\Windows Journal\WMIADAP.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1476
        
        C:\Program Files\Windows Journal\WMIADAP.exe
        
        "C:\Program Files\Windows Journal\WMIADAP.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat"
        14⤵
        
        PID:2072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2324
        
        C:\Program Files\Windows Journal\WMIADAP.exe
        
        "C:\Program Files\Windows Journal\WMIADAP.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lmMgPtgxf2.bat"
        16⤵
        
        PID:288
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:996
        
        C:\Program Files\Windows Journal\WMIADAP.exe
        
        "C:\Program Files\Windows Journal\WMIADAP.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat"
        18⤵
        
        PID:268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1284
        
        C:\Program Files\Windows Journal\WMIADAP.exe
        
        "C:\Program Files\Windows Journal\WMIADAP.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFXOGCU6Cq.bat"
        20⤵
        
        PID:3000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2640
        
        C:\Program Files\Windows Journal\WMIADAP.exe
        
        "C:\Program Files\Windows Journal\WMIADAP.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat"
        22⤵
        
        PID:1944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1676
        
        C:\Program Files\Windows Journal\WMIADAP.exe
        
        "C:\Program Files\Windows Journal\WMIADAP.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j2qd1ZwTnL.bat"
        24⤵
        
        PID:1096
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\debug\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\debug\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37f5f04c73662e711f8ad0704442500b

SHA1
2e1eb7176bbd8feff3de6d83efb4b868fdf6f99b

SHA256
3d85068cd1d1bd961e207297a8bd1b32c3f63bf8a7f9706b62007ce4927c8e20

SHA512
2451bcd652cf77703b28676fc42186fb570c235bf994f6b34423ed9860b7e1a09e9d63b50024ad5b5347b177067720afa64e0e7340375b8aedde5d174eda7423

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
600753bbfda75e191d940a081e45c600

SHA1
83eb9b4afa4352e01582df6380f03aecc66433c8

SHA256
bbc2ad7febf766ceeaa7e80ffbce3905aebeba57422871cfd4c1f715445cf304

SHA512
3f23ea7b20731f0da012c1fefcb87cafacdfab52d5464ecc5bed36a26b45841970b55fd03bb708ebbb4009da52091d653c2fa568b980b5dddaaff6c3f1d78f41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d410c6b59ba9edeaff60f8914b97ff47

SHA1
4cfaab72b609d102fb09c8c35c65924224bbe048

SHA256
a9f309b615902827b81b12c442470e595675dead1b5641ccca214ad7fd6a7b7e

SHA512
8c289d34c70ee7f7184581bd6e72f1c390e13f5fb65ca9b45dfc70b417a29d97ce0113eb39f84f5f156434eb0986b961294298ea8e2e393ffefa391b47122c2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3e7ec045e67b922b233abbccf7fa90e

SHA1
0ed97f99e1289251f608c1892a4b9e68cb750488

SHA256
07f2f9e2b6facb27f5b8e4c6b2c681fcb4f1c264fd77dc93e6d321957189cce0

SHA512
1e4c81633a8094d52bc3f7724fba85b3b666cca11f937e7a760dc13a56500f6a15c94f2f79ba2d1a79cfccaad02367d188ef7323ef866a9c7928993512987639

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72ac94ab256f99b6c51f6aa09face588

SHA1
a9df797cc6561f531486fb4e4b1825f8bcbf5984

SHA256
f49995343dd85f0dfa8a007b869e632a1853ff2bf0f6c942a6739feeef30e105

SHA512
64adebe94dc5f50942a676c58abc6742cb59d57db1c0b5fd926c9839a7b03ed5516654c461dfad4e0068f4b0ae3d1925af5c58a01706760b46b7d89d5efddde0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bced77d7b6568b1aba9b14832087f87f

SHA1
636fd6f6f150a43446ebb6053428bfcc7f75593b

SHA256
7c8ad6b1fdc4af5330c077c983f15f81c08316b53dfdce4243f3674e77aecd9e

SHA512
7bffc73004939e83095936450572b419ffe57d7846d30611b132878f2d26128dc6caf4c4436171783473b7fdab5fee9275d9ff9f116f51025e4e7cdb3cea42e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92e7a88c34eadef4a9b8fffa8717cc58

SHA1
afdcf937b91d3e30dd4baae04e8061539f89593c

SHA256
4d15993d672b0871c4d08c9309972da4f6ba315aa4b1873645c5d32eff9b6393

SHA512
cd6d647bde5ea0b11ed99dbdced7f9137e570c8b456d23a1f57e6546bae9250fe700cf266da65967a7851f26a048659b8e3396dd38ff75a1a3b77654d30a9684

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32ec5d9bd9aae5d5b01214e0051185fc

SHA1
b1e938f72d4014443ac888efa9aca29b5d018418

SHA256
eb9958d53c129950118e12ac067fa111edac486e54c61a29dba9c2de00309aba

SHA512
7087f2741fb32039606d34f8ce780754109f027112a322f3092ac412489c0d7d9d64e837be436c89ba3a6648246dbd36f5d93002cd7fb7ee431f8c2cbcf4300d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de947b0dea7d730cceebe046afb40def

SHA1
2421bcde43f6c36ecc3c055f331b7f93c2be2257

SHA256
0ee437cd48ed79a3863c88857924b3dccdddf1b5e3eda81357cf8d6c1ef80f0c

SHA512
2a1c16f8248c066a1184faa6da54b94cc8fe3b223532e5e9dadf5cd4335188ae9ac8f84942575bdf3b9f1b66058bb89a00222436b9416af6e4762caf65bfa4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat

Filesize
209B

MD5
6f5003756da5bcee47312f00931e7d53

SHA1
ba8abd26b1edeb082d90457fa3f51c8c732976f6

SHA256
0810b9cba6f8b52598cef75361df6dc15ba6c3d97b9ff7df858a60b5a56d4c03

SHA512
aa31e2627dd54febcfb82c904239cadbe64a9b11bb2fe26aa05a80403054077db6a027c036583d216be0c0d76563970f699eae56cf2df3540cc8d61e715c570e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5082.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat

Filesize
209B

MD5
99fce22c02e22a4fbbfc5ff564921740

SHA1
3de0dec5e358a59e2b928a537db63486b69bca98

SHA256
e8cb81505e192f8e2a650f4de3f750294996f060410160e385343c7e09c8fa63

SHA512
086cc04cc6aae76810b748330ff6cfc6fcfcef8b491c7c8a8b2e4f08a670f8c3d31633eb6a08c22a2104b25e723b5cb01e3cfde76a100d792111ed569fcbe44d

Download Submit
C:\Users\Admin\AppData\Local\Temp\L59TFxmxil.bat

Filesize
209B

MD5
c78c9c268806b5958495741f73f62d7e

SHA1
ffbd25f505eba2e87588eae2864920a220bb8969

SHA256
2ccb94ba712e895b3023fd78a376a81f23436accc19cf816273aa919a5caf1bf

SHA512
95db041ddc794b7dc49f7b603e73500569e932f959406bdbea1347054fa5dc16010864acaca9be55b190d7155f519fdac136f7060189f13b17377c2a072b48c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar50F3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat

Filesize
209B

MD5
83828980cb2af011d97defd6516c282a

SHA1
4b6d847a9e2ab5d06cd19e9c548eba2cc372003f

SHA256
bf7294ec417fe461124bb6b7b9648c0d3f241305e441efea8c2dfb8fef4d8f57

SHA512
fb7224eec47403fb5382bd646ea5c4901b31d1fedfbc7666f395b0dfb2c5769043afb9e5830a1986ee77423f358085e1f73a92bb11e0fac7f93ae0d425ff0c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\j2qd1ZwTnL.bat

Filesize
209B

MD5
7bfbd8c710ca1e7e2e0012668dabfb95

SHA1
53cf4dc9f48e32717d586cd74b601135424d4e15

SHA256
8168107ef7f59b9d9f2c696b1239335dbd364b7a6e1665e936834779e698bebb

SHA512
95d6b6070b28054f6644bdfcfc950fb7e61731cd8589ba8c7d3ae762cca5a62c91c1193b2f96900de16c4412abdcd2c5332947fe9ffed5c6c133dc5c73fc7db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jFXOGCU6Cq.bat

Filesize
209B

MD5
80e3f9a3a0dbda04b4668be0a9621120

SHA1
966edf984d78e06d416c3d92bcff188a558981d5

SHA256
a6d61bf075be8f7276f4e2f9b48c9ea39ef9df6733be3695a418a3f603a72464

SHA512
75672b0604fd217d8fdb0b457be28bb42b257218bafefc2c06006d0e2a8173d36a8d977050c16dc7aab13697c8c622253619ccfe4d0622092cb86f4416a1d84d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat

Filesize
209B

MD5
d9a86632d6ec97f444ca397fccd302e5

SHA1
1d6ce6e4de7c1792d45c9c94b07bd95701396b1a

SHA256
a4356f30bd049e62d349cdb3a4468d7f353716ab79dd56e70ec530a93d9eb61f

SHA512
0ddbdde6012a967db175434f56ca441aad8262f991d51a28aac8bafaba3330b4f3d5702f03009a039347e7a0da36e6ae9b93fc1d65e56b2e5425bbe73b948003

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmMgPtgxf2.bat

Filesize
209B

MD5
0ebc321eb11efa5553465be7f2317700

SHA1
fa60b677f1aae14ad7e4f941f3d12132775710cd

SHA256
cb6c2ba918a7653ff652e4320fd6e3ac1e6c50d07fd9234774c96729a1f827cf

SHA512
2d167e51dc22bfdbddf4ac7adf66a041d7ff5c1bc6a5b4d08a906166255f3de194c13bceec2179ecb41049a12dfa4b47b79f474f6916b3a8091a40f4f10a0a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat

Filesize
209B

MD5
d372c43e9a6ebe806cbae1e54970bc42

SHA1
0004c6c7865eaa2062093254bfaab2752dbbf938

SHA256
14c0e55f4a6f6682ed6bc8e21178860962a8db87e8efc7516742777a89375af1

SHA512
31b068b7017b82eeb9eb745f8a2b6c251d8ef0692c6982639cd96ccbae27baa003ff8d5833dd62f340c8965c6b11e240941bebccd9a06e72394e04f46f994ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzkVYe0vvu.bat

Filesize
209B

MD5
6c7e4022d8e32f841be62f05c94b7b00

SHA1
d466071bb73bef2bec52665500a824107de78cce

SHA256
d025c17ed93841a65787cff0416c3e71bc48378d6acf4bddf3f38aaa77677483

SHA512
d3c162b2ef7b75752a679be3863971bb46b13e918e613ac86a1629ea5ad8104a0ef2d32f140d91208fa87fce76a4b0628343b6c6aaff600fd768989823bcb9be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8168879593f3c93868af123272d717cd

SHA1
e3700c81ed99f7d4e64e8bcdd1fd484b1091c19c

SHA256
ff28b945fb33fb87e693aa040d97b263f6d37d74acd643e80dbe11c762264dc3

SHA512
b048cf159046ad9906ee005fc60b6448a2ca443ece6fe125c0cf49be5e33884a1b3d8a9fd8971a7b9519883c07af80fd1133c8b4c2456c46b58c32e80f03e502

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/432-58-0x0000000000CC0000-0x0000000000DD0000-memory.dmp

Filesize
1.1MB

Download
memory/600-297-0x0000000001230000-0x0000000001340000-memory.dmp

Filesize
1.1MB

Download
memory/1156-475-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/1952-117-0x0000000000390000-0x00000000004A0000-memory.dmp

Filesize
1.1MB

Download
memory/2288-535-0x0000000001080000-0x0000000001190000-memory.dmp

Filesize
1.1MB

Download
memory/2684-237-0x00000000002A0000-0x00000000003B0000-memory.dmp

Filesize
1.1MB

Download
memory/2796-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2796-16-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2796-15-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2796-14-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2796-13-0x0000000000030000-0x0000000000140000-memory.dmp

Filesize
1.1MB

Download
memory/2820-177-0x0000000000D10000-0x0000000000E20000-memory.dmp

Filesize
1.1MB

Download
memory/2916-36-0x000000001B340000-0x000000001B622000-memory.dmp

Filesize
2.9MB

Download
memory/2940-38-0x0000000001EA0000-0x0000000001EA8000-memory.dmp

Filesize
32KB

Download
memory/3024-595-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download