dcrat | 5c4a6e35a23a841e1a9a293988fb4a7099f11808cf7337be1b8933ffbe9695b0

Analysis

max time kernel
147s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5c4a6e35a23a841e1a9a293988fb4a7099f11808cf7337be1b8933ffbe9695b0.exe
Size

1.3MB
MD5

2d38657b3efb0f33b0d5214bfd061476
SHA1

2ed674fe9b432ac71e231601883880a23bb4b258
SHA256

5c4a6e35a23a841e1a9a293988fb4a7099f11808cf7337be1b8933ffbe9695b0
SHA512

1104bf3654e22c1322464f32d43b9ebcabda6d3120d87aa5a675b198375d4d53503f5ea8e49b759199ef804d4f44711558bd2a2a5ce25d33ad18392135b4e814
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2624	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00060000000193df-10.dat	dcrat
behavioral1/memory/2572-13-0x0000000000BF0000-0x0000000000D00000-memory.dmp	dcrat
behavioral1/memory/2220-49-0x0000000000F40000-0x0000000001050000-memory.dmp	dcrat
behavioral1/memory/564-109-0x00000000013B0000-0x00000000014C0000-memory.dmp	dcrat
behavioral1/memory/1880-289-0x0000000000280000-0x0000000000390000-memory.dmp	dcrat
behavioral1/memory/904-349-0x00000000008D0000-0x00000000009E0000-memory.dmp	dcrat
behavioral1/memory/772-409-0x0000000000CF0000-0x0000000000E00000-memory.dmp	dcrat
behavioral1/memory/376-469-0x0000000001080000-0x0000000001190000-memory.dmp	dcrat
behavioral1/memory/2736-529-0x0000000000360000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/2836-589-0x0000000000F30000-0x0000000001040000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
652	powershell.exe
1564	powershell.exe
1704	powershell.exe
912	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2572	DllCommonsvc.exe
2220	dwm.exe
564	dwm.exe
3000	dwm.exe
2528	dwm.exe
1880	dwm.exe
904	dwm.exe
772	dwm.exe
376	dwm.exe
2736	dwm.exe
2836	dwm.exe
820	dwm.exe

Loads dropped DLL 2 IoCs

pid	Process
2712	cmd.exe
2712	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
37	raw.githubusercontent.com
4	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
27	raw.githubusercontent.com
34	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5c4a6e35a23a841e1a9a293988fb4a7099f11808cf7337be1b8933ffbe9695b0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
304	schtasks.exe
2584	schtasks.exe
2160	schtasks.exe
2608	schtasks.exe
1780	schtasks.exe
2604	schtasks.exe
2996	schtasks.exe
3004	schtasks.exe
1080	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2572	DllCommonsvc.exe
652	powershell.exe
1704	powershell.exe
1564	powershell.exe
912	powershell.exe
2220	dwm.exe
564	dwm.exe
3000	dwm.exe
2528	dwm.exe
1880	dwm.exe
904	dwm.exe
772	dwm.exe
376	dwm.exe
2736	dwm.exe
2836	dwm.exe
820	dwm.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2572	DllCommonsvc.exe
Token: SeDebugPrivilege	652	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	2220	dwm.exe
Token: SeDebugPrivilege	564	dwm.exe
Token: SeDebugPrivilege	3000	dwm.exe
Token: SeDebugPrivilege	2528	dwm.exe
Token: SeDebugPrivilege	1880	dwm.exe
Token: SeDebugPrivilege	904	dwm.exe
Token: SeDebugPrivilege	772	dwm.exe
Token: SeDebugPrivilege	376	dwm.exe
Token: SeDebugPrivilege	2736	dwm.exe
Token: SeDebugPrivilege	2836	dwm.exe
Token: SeDebugPrivilege	820	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2804	2112	JaffaCakes118_5c4a6e35a23a841e1a9a293988fb4a7099f11808cf7337be1b8933ffbe9695b0.exe	30
PID 2112 wrote to memory of 2804	2112	JaffaCakes118_5c4a6e35a23a841e1a9a293988fb4a7099f11808cf7337be1b8933ffbe9695b0.exe	30
PID 2112 wrote to memory of 2804	2112	JaffaCakes118_5c4a6e35a23a841e1a9a293988fb4a7099f11808cf7337be1b8933ffbe9695b0.exe	30
PID 2112 wrote to memory of 2804	2112	JaffaCakes118_5c4a6e35a23a841e1a9a293988fb4a7099f11808cf7337be1b8933ffbe9695b0.exe	30
PID 2804 wrote to memory of 2712	2804	WScript.exe	31
PID 2804 wrote to memory of 2712	2804	WScript.exe	31
PID 2804 wrote to memory of 2712	2804	WScript.exe	31
PID 2804 wrote to memory of 2712	2804	WScript.exe	31
PID 2712 wrote to memory of 2572	2712	cmd.exe	33
PID 2712 wrote to memory of 2572	2712	cmd.exe	33
PID 2712 wrote to memory of 2572	2712	cmd.exe	33
PID 2712 wrote to memory of 2572	2712	cmd.exe	33
PID 2572 wrote to memory of 1564	2572	DllCommonsvc.exe	44
PID 2572 wrote to memory of 1564	2572	DllCommonsvc.exe	44
PID 2572 wrote to memory of 1564	2572	DllCommonsvc.exe	44
PID 2572 wrote to memory of 652	2572	DllCommonsvc.exe	45
PID 2572 wrote to memory of 652	2572	DllCommonsvc.exe	45
PID 2572 wrote to memory of 652	2572	DllCommonsvc.exe	45
PID 2572 wrote to memory of 912	2572	DllCommonsvc.exe	47
PID 2572 wrote to memory of 912	2572	DllCommonsvc.exe	47
PID 2572 wrote to memory of 912	2572	DllCommonsvc.exe	47
PID 2572 wrote to memory of 1704	2572	DllCommonsvc.exe	48
PID 2572 wrote to memory of 1704	2572	DllCommonsvc.exe	48
PID 2572 wrote to memory of 1704	2572	DllCommonsvc.exe	48
PID 2572 wrote to memory of 2864	2572	DllCommonsvc.exe	52
PID 2572 wrote to memory of 2864	2572	DllCommonsvc.exe	52
PID 2572 wrote to memory of 2864	2572	DllCommonsvc.exe	52
PID 2864 wrote to memory of 2044	2864	cmd.exe	54
PID 2864 wrote to memory of 2044	2864	cmd.exe	54
PID 2864 wrote to memory of 2044	2864	cmd.exe	54
PID 2864 wrote to memory of 2220	2864	cmd.exe	55
PID 2864 wrote to memory of 2220	2864	cmd.exe	55
PID 2864 wrote to memory of 2220	2864	cmd.exe	55
PID 2220 wrote to memory of 2332	2220	dwm.exe	56
PID 2220 wrote to memory of 2332	2220	dwm.exe	56
PID 2220 wrote to memory of 2332	2220	dwm.exe	56
PID 2332 wrote to memory of 1216	2332	cmd.exe	58
PID 2332 wrote to memory of 1216	2332	cmd.exe	58
PID 2332 wrote to memory of 1216	2332	cmd.exe	58
PID 2332 wrote to memory of 564	2332	cmd.exe	59
PID 2332 wrote to memory of 564	2332	cmd.exe	59
PID 2332 wrote to memory of 564	2332	cmd.exe	59
PID 564 wrote to memory of 1716	564	dwm.exe	60
PID 564 wrote to memory of 1716	564	dwm.exe	60
PID 564 wrote to memory of 1716	564	dwm.exe	60
PID 1716 wrote to memory of 2128	1716	cmd.exe	62
PID 1716 wrote to memory of 2128	1716	cmd.exe	62
PID 1716 wrote to memory of 2128	1716	cmd.exe	62
PID 1716 wrote to memory of 3000	1716	cmd.exe	63
PID 1716 wrote to memory of 3000	1716	cmd.exe	63
PID 1716 wrote to memory of 3000	1716	cmd.exe	63
PID 3000 wrote to memory of 1344	3000	dwm.exe	64
PID 3000 wrote to memory of 1344	3000	dwm.exe	64
PID 3000 wrote to memory of 1344	3000	dwm.exe	64
PID 1344 wrote to memory of 1112	1344	cmd.exe	66
PID 1344 wrote to memory of 1112	1344	cmd.exe	66
PID 1344 wrote to memory of 1112	1344	cmd.exe	66
PID 1344 wrote to memory of 2528	1344	cmd.exe	67
PID 1344 wrote to memory of 2528	1344	cmd.exe	67
PID 1344 wrote to memory of 2528	1344	cmd.exe	67
PID 2528 wrote to memory of 1684	2528	dwm.exe	68
PID 2528 wrote to memory of 1684	2528	dwm.exe	68
PID 2528 wrote to memory of 1684	2528	dwm.exe	68
PID 1684 wrote to memory of 2092	1684	cmd.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4a6e35a23a841e1a9a293988fb4a7099f11808cf7337be1b8933ffbe9695b0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c4a6e35a23a841e1a9a293988fb4a7099f11808cf7337be1b8933ffbe9695b0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rM02WA8Et9.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2864
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2044
      - C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m47JVZSxDi.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1216
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iPSx7mMsuZ.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2128
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOJxze5tr1.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1112
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2092
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3jGxsc69Nm.bat"
        15⤵
        
        PID:2832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2356
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\y17QM3q8Rw.bat"
        17⤵
        
        PID:1324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:968
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6qhkY4Aj1y.bat"
        19⤵
        
        PID:2916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1996
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat"
        21⤵
        
        PID:1876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2668
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat"
        23⤵
        
        PID:2204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1308
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat"
        25⤵
        
        PID:704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:3032
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Desktop\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
152a1ab7db621ab519fbab0fda39c9c6

SHA1
51fbe1949a282213ba9e64edbe173105175070e0

SHA256
db06b40ed8be640ee3125727f377089552324f5bc4ca518ff26ab12d10e106ab

SHA512
b743a9dfa9189b044aec9a88c3dde29b44101f62370ccf85dbf0339519389f5562eef5eeac9987e371a876a5fdf2fb99edbd81d3e3fdf23664ab2b9d507b9c8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac191a971a9678c17b8d4fc00cee4ef2

SHA1
fd33ddc68fb398273c4123a3b88124fd28d30d3c

SHA256
1ec15f7f7c60fc1695cae761b7ed5cd728cf6a3245a475b5bd3d9aade34c2c95

SHA512
c17bd671d8ee234cc1b5356575dacb46de8c3266dfa52ec2d182db50d1e8615091e75b44ab5ca4d93d9f4a059f1ec6c279254aa1b2175997572bbfe28d22e8f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96617f827019e9c8f7b17002ae407665

SHA1
d603c7f9ea3eaf83ab884a2180152f03675d1aa6

SHA256
643c99dbe79a9ea551d5f2f5ca41e6770a0615326d3170ee8c79fa71324efa0c

SHA512
caabc22f67137260531e31ee10053fb34f30063c74e55d04ab81d37f724468612be2da0efff9de15b15807b9f364eb23e248d99329739fa682087c9c54866560

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8387462edc5c72a7847497c43a5076dc

SHA1
29b5b592a53b72679c99e75832f50bf0381398eb

SHA256
29da59ce565861a920b45f19dcf0b68ba4eea4f116fd472c6705f2617fb0a850

SHA512
bb89a9e1e3e60b43dac4c20d1e8e204ad92539248c7ba13fd9298a9d21d32423240b9c39ded1cc923dfa356e4fa0c4ed5eabd963bf50731fb2dc756d1a883e0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
898b5e2b1f0bcd922fe9cc0dce4d9f26

SHA1
7e02b8a33aa11b79548a210f26b2619e2ad1ade7

SHA256
871a220fe669349e763716f476813ca5f5e3159bc7704543c8410a9399e56de4

SHA512
bb9686600a42c9ef7b484b96961bd9c459a8069709e39f2694d83c837e60f8f66bf08b4d39f828612356b209d4dc74eb5a7dfd79640531b62b4f8b6d58cbe911

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57e61f279b06e7efc7e060c2d7ea1971

SHA1
ba3d7617e014ea6d6c0fd677e91c92fa03eeb3b8

SHA256
6bc8966c30d2af096896ae73d4d280aa264b8b2203066648953227ae232b4ee9

SHA512
c45b13fed6a55ae1e40a29b56e630d80a3e44893825f9f7f485e5fc3830d858eeb8855b62b30f0dbe9ff370495407e3dd864dfd0218ee915a7b2298318a30995

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb8d487dd87e5f6ac652c69cd2f7d33a

SHA1
39c110d8a77abbcf20234ed38f7e1ce9c18cf45a

SHA256
d5528772994b9fbba4f35f0662d2f2a7bb73a67a9dff8039dd5eca1095f9e39c

SHA512
3f52111520491c82e6690e846a082c9472bd73b65a2e5162d92d73eb743e4c6ea3827e3e82b0a5a066a52d65139bd9ea1d49caec3012fa3a1c9f6dff016e8421

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02c984e54c11d96c4847338ce48d91a8

SHA1
4ffa9947e1f99e9a2ac36ab01937a268b3ebdb36

SHA256
53200f4338784c20331df2a903e8cae969700101983d2aa06bd0bfbcd610dae5

SHA512
60a9c00a6fcc6feff965f31a3a085aa8d3f3c98d500a755f54227ee93067dc7a0c35f4357ec2c7f306bab148271db7eba538fd1841e0b10e771a8d1038d74d03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd420428ef49aeffceefd9166761814e

SHA1
e0d02760c4f2de915916f305bed8d8c28dbe6044

SHA256
844340aa01d89429320cc1fe92009d96a0d5e38a229a0f224bd0bde24a8a41fc

SHA512
97989daa2c59f8e99566a1d43df14635ef87d1d0f90e6c44186714ae95095d2b9e0e866532701e8cbc6c2a17ceaa67f99709e87b8354501410f421578736fa62

Download Submit
C:\Users\Admin\AppData\Local\Temp\3jGxsc69Nm.bat

Filesize
235B

MD5
ab46b2d04ef3c38180843d8e4afd4ddb

SHA1
83d6aae756b3806f26007e25872ce90024cd7bf8

SHA256
de92736f1e4d08de9619adaf73416fb18c1f7d9251df4843e39346ed2d44f282

SHA512
9d2f8770bb96e03f30948df68088efd52ea729a139cc3bbb27759ed27ceb8a4a90dd560cc98f6e101cbc3b6803756956e55c11461a5e24361a27dbb75018a30e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6qhkY4Aj1y.bat

Filesize
235B

MD5
44336621c08f2586c09c78e2ae3dbee3

SHA1
de9f8868f10657b232203ab3459f6e759de0c781

SHA256
bd432fe1ae842e4a7b5af20c475d7462fa6e4169f9ad07decc88e831b6840c9c

SHA512
57d180384f993d7e69f13aae269b8ac9d92e70f54bca22484e93a264cfdce87c3f0435bdf3b7decbb9f456c1f88ec0ea9975c3c9077f3c5a9f98e7a20ebaf6ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4108.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EOJxze5tr1.bat

Filesize
235B

MD5
8b298bb97a0f1499fbe36892d4ebf31e

SHA1
a978f1cdbb49fca6243c747bc0a3160beb4d4358

SHA256
04b4e00e1424eeb926f79391b76e223d127a75597935d478df37c53915e2e6ae

SHA512
6b63541fb3cc38ed86a5701add6243539a2b803db0bc16713f27d55fb35312112605d753b117acd868e9755fd2caf8e2fe4012fc40e359dd7a7051dd52985401

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar411B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iPSx7mMsuZ.bat

Filesize
235B

MD5
b4f7a45036eec4716f3e3f86a88f9013

SHA1
a08cd59b83297e1e1069ec5ae4b10ffe5a1b601f

SHA256
e689b4d2e9f2b0afeb691e10e3462fe0ccb768b59756081d1dc6f1b02b0e30f7

SHA512
a6f9e6314f5981b809aaa1b784b160c26c9632a0c5a65cdc7cce96b7ba9ba07830a89e5fe46a1bbf15812938aebf34a20235ec15886b5f5501773b64056a25fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat

Filesize
235B

MD5
c0d4e3fbd753277150a62696b6561b07

SHA1
1ea407b32ec8b5f7143f58bb238c8234d3ebf452

SHA256
291a3ec71220143d29a0fbf2ef32b458acf9e925d30edbf3aa64eb67b5271742

SHA512
3d1a0da819a6551feed554283c9dd424de642600fd62a004a688e2e8d5506cf96e6e5e298bc738045e81a0edcaeef39dd217983e6c3141fcc47f18e72d175fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\m47JVZSxDi.bat

Filesize
235B

MD5
91815469d875482815d1168f0272bc4e

SHA1
55366abbb2345cd69e008522cf5424ac79380224

SHA256
72a0ef371fb631f1b1916ab659893bfacbda8d0e68f2181fcd9ec5ef45bd33fe

SHA512
c65771903cfb4e17609d63eed4b5dff0483542d05b644b3f4ab3cbe773c2956bdba154f438400c2e2718850b816ff027bdb548ec6f275d32c4aa55cccd36f1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rM02WA8Et9.bat

Filesize
235B

MD5
9138cac8cb6bb7f4270ba091728a3299

SHA1
01d80c530fb73060fa273996e0861b643b372e0a

SHA256
3a7f5e45a23a26f5b6820da0752a82075bdb66f793ed248c2d1f79a2c27bdd57

SHA512
c9b16ca161f82925e73f1b13ca8472a2858a15d56c3b8bae83ee358fed7e561ad62b173988b51ec0a6befc2584f1f0e3d32b8f8ecce9a3b29d1fe2dae4d3cd3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat

Filesize
235B

MD5
307fb09d5dd70433c908cf90d93b8826

SHA1
b409e475cce4020c7ceeaf43b39ef5fb97271b80

SHA256
237c42ec6d2c1c7ff3f97b7e7bec6116ee5356eeb9fa59fa6c25fae622e3108b

SHA512
e257fc0b516fb2f602e6321c3590239b92f74a3108abbc3e20d76b64eec952f5f77b5f7ec84ee869023c670877bda88e57746bb6e22086d2f9f6f48ed2000dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat

Filesize
235B

MD5
3a502e7c21ce05a3c9aa477f09e7e570

SHA1
474be55dce6e504ff95453c3d9911118ee2de45d

SHA256
545f9d90c7e97916c7be33850f1ba1def25ccf0e86f6a692912247953ed36230

SHA512
86d035d215d3fb007fb0e8e096c4db5462858f0e837721d8167421a52d20ca7435bd563f9e8a770cce7352961803edfa2fa627ae9abad78c71162fe968a974fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\y17QM3q8Rw.bat

Filesize
235B

MD5
1ca7188070fcbe2f00cfc43030c789e6

SHA1
e3a2028a47c6448bb686439a6da8d95cebfa2568

SHA256
9288a2630ebe59c3b8aebef163057bedd9f4a18a811c6ed3766a553f359d1bb7

SHA512
d14423239775b1f13c88ace36265f72aab592f92310195c9054bae5d96b1ae6d532fbcd2d07e84cef6150e31d3e86dfc14638f4a98afb1f8b14b1ee16f3d9133

Download Submit
C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat

Filesize
235B

MD5
f78ebdba72c9d93fd6ffcf93634fe2cd

SHA1
debf891bc3831a9aee467870189dc50954006181

SHA256
2c5197b3f61ed0d631cc25565b061bb4a78e62e5154fe14b6f50a7547115817f

SHA512
f05345eb677481c0e6f08facb5b3b4c55cadf1f55d2480f5903b1b288b60fae55d6ce0e5170f6ee166bf522d7e9ced1b82b6318c9934e8f33ccc91dedea3eb9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RLMESPO8LB1RBVJ7DJ5K.temp

Filesize
7KB

MD5
cdf54cc07adc23913b642738ac4ecb19

SHA1
c023a51c0c40c406b6cb80841fc62e9c3212e434

SHA256
8d81b85c22e11927fd66202a2ebda4d6a60319687b35dc2cfbc9df4bd9710b83

SHA512
dd0756ea2323c84eefca16a11bcd3873574042622842634dd9c75dbbde5dcfb96646b47c321d59532500c24da097674ccd5d5bc43bb3fb564b36a9896a79ebee

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/376-469-0x0000000001080000-0x0000000001190000-memory.dmp

Filesize
1.1MB

Download
memory/564-109-0x00000000013B0000-0x00000000014C0000-memory.dmp

Filesize
1.1MB

Download
memory/772-409-0x0000000000CF0000-0x0000000000E00000-memory.dmp

Filesize
1.1MB

Download
memory/904-349-0x00000000008D0000-0x00000000009E0000-memory.dmp

Filesize
1.1MB

Download
memory/1564-42-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/1564-40-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/1880-289-0x0000000000280000-0x0000000000390000-memory.dmp

Filesize
1.1MB

Download
memory/2220-50-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2220-49-0x0000000000F40000-0x0000000001050000-memory.dmp

Filesize
1.1MB

Download
memory/2528-229-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2572-15-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2572-14-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2572-16-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2572-13-0x0000000000BF0000-0x0000000000D00000-memory.dmp

Filesize
1.1MB

Download
memory/2572-17-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/2736-529-0x0000000000360000-0x0000000000470000-memory.dmp

Filesize
1.1MB

Download
memory/2836-589-0x0000000000F30000-0x0000000001040000-memory.dmp

Filesize
1.1MB

Download
memory/2836-590-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/3000-169-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download