dcrat | e0e070257a35489ffda572153d15870c3cc6918a3ee713e465f19c2624c662d5

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e0e070257a35489ffda572153d15870c3cc6918a3ee713e465f19c2624c662d5.exe
Size

1.3MB
MD5

6ca2b55a98af0e706208da5bd499ba70
SHA1

ab5dbb5073ed6f7f16fba35786e969d42d7fd2f4
SHA256

e0e070257a35489ffda572153d15870c3cc6918a3ee713e465f19c2624c662d5
SHA512

804ffb03b884ebdc8d165621cff9b8823773c0843d5f5665c6dd5f6f23f46d96123ca5e5a6565999c9933ac0d44e45c23e855e34259fd2188a96522ace87d4a5
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2892	schtasks.exe	34

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016c51-9.dat	dcrat
behavioral1/memory/2760-13-0x0000000000080000-0x0000000000190000-memory.dmp	dcrat
behavioral1/memory/1932-32-0x00000000008E0000-0x00000000009F0000-memory.dmp	dcrat
behavioral1/memory/1620-118-0x0000000001300000-0x0000000001410000-memory.dmp	dcrat
behavioral1/memory/280-179-0x0000000001380000-0x0000000001490000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1652	powershell.exe
1892	powershell.exe
2096	powershell.exe
2580	powershell.exe
772	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2760	DllCommonsvc.exe
1932	csrss.exe
1620	csrss.exe
280	csrss.exe
2044	csrss.exe
1504	csrss.exe
2664	csrss.exe
1732	csrss.exe
2060	csrss.exe
1924	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2472	cmd.exe
2472	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
19	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com
26	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\cc11b995f2a76d	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\AppPatch\AppPatch64\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Windows\AppPatch\AppPatch64\lsass.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\lsass.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e0e070257a35489ffda572153d15870c3cc6918a3ee713e465f19c2624c662d5.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1704	schtasks.exe
2656	schtasks.exe
2660	schtasks.exe
1520	schtasks.exe
1992	schtasks.exe
1104	schtasks.exe
1184	schtasks.exe
2512	schtasks.exe
1624	schtasks.exe
2564	schtasks.exe
1636	schtasks.exe
2036	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2760	DllCommonsvc.exe
1652	powershell.exe
2096	powershell.exe
772	powershell.exe
1892	powershell.exe
2580	powershell.exe
1932	csrss.exe
1620	csrss.exe
280	csrss.exe
2044	csrss.exe
1504	csrss.exe
2664	csrss.exe
1732	csrss.exe
2060	csrss.exe
1924	csrss.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	DllCommonsvc.exe
Token: SeDebugPrivilege	1932	csrss.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	1620	csrss.exe
Token: SeDebugPrivilege	280	csrss.exe
Token: SeDebugPrivilege	2044	csrss.exe
Token: SeDebugPrivilege	1504	csrss.exe
Token: SeDebugPrivilege	2664	csrss.exe
Token: SeDebugPrivilege	1732	csrss.exe
Token: SeDebugPrivilege	2060	csrss.exe
Token: SeDebugPrivilege	1924	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2092	2272	JaffaCakes118_e0e070257a35489ffda572153d15870c3cc6918a3ee713e465f19c2624c662d5.exe	30
PID 2272 wrote to memory of 2092	2272	JaffaCakes118_e0e070257a35489ffda572153d15870c3cc6918a3ee713e465f19c2624c662d5.exe	30
PID 2272 wrote to memory of 2092	2272	JaffaCakes118_e0e070257a35489ffda572153d15870c3cc6918a3ee713e465f19c2624c662d5.exe	30
PID 2272 wrote to memory of 2092	2272	JaffaCakes118_e0e070257a35489ffda572153d15870c3cc6918a3ee713e465f19c2624c662d5.exe	30
PID 2092 wrote to memory of 2472	2092	WScript.exe	31
PID 2092 wrote to memory of 2472	2092	WScript.exe	31
PID 2092 wrote to memory of 2472	2092	WScript.exe	31
PID 2092 wrote to memory of 2472	2092	WScript.exe	31
PID 2472 wrote to memory of 2760	2472	cmd.exe	33
PID 2472 wrote to memory of 2760	2472	cmd.exe	33
PID 2472 wrote to memory of 2760	2472	cmd.exe	33
PID 2472 wrote to memory of 2760	2472	cmd.exe	33
PID 2760 wrote to memory of 1652	2760	DllCommonsvc.exe	47
PID 2760 wrote to memory of 1652	2760	DllCommonsvc.exe	47
PID 2760 wrote to memory of 1652	2760	DllCommonsvc.exe	47
PID 2760 wrote to memory of 1892	2760	DllCommonsvc.exe	48
PID 2760 wrote to memory of 1892	2760	DllCommonsvc.exe	48
PID 2760 wrote to memory of 1892	2760	DllCommonsvc.exe	48
PID 2760 wrote to memory of 2096	2760	DllCommonsvc.exe	49
PID 2760 wrote to memory of 2096	2760	DllCommonsvc.exe	49
PID 2760 wrote to memory of 2096	2760	DllCommonsvc.exe	49
PID 2760 wrote to memory of 2580	2760	DllCommonsvc.exe	50
PID 2760 wrote to memory of 2580	2760	DllCommonsvc.exe	50
PID 2760 wrote to memory of 2580	2760	DllCommonsvc.exe	50
PID 2760 wrote to memory of 772	2760	DllCommonsvc.exe	51
PID 2760 wrote to memory of 772	2760	DllCommonsvc.exe	51
PID 2760 wrote to memory of 772	2760	DllCommonsvc.exe	51
PID 2760 wrote to memory of 1932	2760	DllCommonsvc.exe	55
PID 2760 wrote to memory of 1932	2760	DllCommonsvc.exe	55
PID 2760 wrote to memory of 1932	2760	DllCommonsvc.exe	55
PID 1932 wrote to memory of 1412	1932	csrss.exe	59
PID 1932 wrote to memory of 1412	1932	csrss.exe	59
PID 1932 wrote to memory of 1412	1932	csrss.exe	59
PID 1412 wrote to memory of 1108	1412	cmd.exe	61
PID 1412 wrote to memory of 1108	1412	cmd.exe	61
PID 1412 wrote to memory of 1108	1412	cmd.exe	61
PID 1412 wrote to memory of 1620	1412	cmd.exe	62
PID 1412 wrote to memory of 1620	1412	cmd.exe	62
PID 1412 wrote to memory of 1620	1412	cmd.exe	62
PID 1620 wrote to memory of 2764	1620	csrss.exe	63
PID 1620 wrote to memory of 2764	1620	csrss.exe	63
PID 1620 wrote to memory of 2764	1620	csrss.exe	63
PID 2764 wrote to memory of 2472	2764	cmd.exe	65
PID 2764 wrote to memory of 2472	2764	cmd.exe	65
PID 2764 wrote to memory of 2472	2764	cmd.exe	65
PID 2764 wrote to memory of 280	2764	cmd.exe	66
PID 2764 wrote to memory of 280	2764	cmd.exe	66
PID 2764 wrote to memory of 280	2764	cmd.exe	66
PID 280 wrote to memory of 2916	280	csrss.exe	67
PID 280 wrote to memory of 2916	280	csrss.exe	67
PID 280 wrote to memory of 2916	280	csrss.exe	67
PID 2916 wrote to memory of 2316	2916	cmd.exe	69
PID 2916 wrote to memory of 2316	2916	cmd.exe	69
PID 2916 wrote to memory of 2316	2916	cmd.exe	69
PID 2916 wrote to memory of 2044	2916	cmd.exe	70
PID 2916 wrote to memory of 2044	2916	cmd.exe	70
PID 2916 wrote to memory of 2044	2916	cmd.exe	70
PID 2044 wrote to memory of 604	2044	csrss.exe	71
PID 2044 wrote to memory of 604	2044	csrss.exe	71
PID 2044 wrote to memory of 604	2044	csrss.exe	71
PID 604 wrote to memory of 1932	604	cmd.exe	73
PID 604 wrote to memory of 1932	604	cmd.exe	73
PID 604 wrote to memory of 1932	604	cmd.exe	73
PID 604 wrote to memory of 1504	604	cmd.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e0e070257a35489ffda572153d15870c3cc6918a3ee713e465f19c2624c662d5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e0e070257a35489ffda572153d15870c3cc6918a3ee713e465f19c2624c662d5.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\AppPatch64\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\it-IT\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
    - - C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1932
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1108
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2472
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2316
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1932
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDWALPrpmL.bat"
        14⤵
        
        PID:2416
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2396
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat"
        16⤵
        
        PID:2260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1216
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\InhrPXXuGB.bat"
        18⤵
        
        PID:2576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1572
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat"
        20⤵
        
        PID:2880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1764
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rhkc0SdEF2.bat"
        22⤵
        
        PID:1104
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\AppPatch64\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\AppPatch\AppPatch64\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\AppPatch\AppPatch64\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b9a36e098f4dea40f4678c713fdc697

SHA1
ca8d4a1520eebb50d5d49fdea860aad8458ebe4e

SHA256
b4245a5f2da171052e7468e933695c03ab6b74aac46f64b058800d912f2517ff

SHA512
0f8e313b4f0aaa9bf816ba31603d960c152ac9ac12d80100991ff8eb245387062763fdc2da0c48cf7fd72f228e1d88485cc313917cfbfb0e103e6c03b77ad462

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b683ab047b7ac0363584ec46f07cee7f

SHA1
66a4f515053577860f8a1448db5861ed53fc3b56

SHA256
847607e3c8b960002ea2d44f8fa4b9b2ad075a7a5fde48d81d3935843d1056e7

SHA512
e016bff3c4b7e623b0b1d60d739902cb6bd1d2ec9350085a1a0fb2fc3f7a4a6b41b6da4f2337fcb77f1c0836bd971d3e7174b45711ea9c17c20b82ff591f44b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
840286847cbc2e4c890a00f250c8814d

SHA1
475fe04ecabf2d46961cf8edd348a22184a2df72

SHA256
06d070e75b967f65d48a778e46241963367ea66a404e26d80303e1dc32bcf732

SHA512
a799ea9c7100c7c6740d151fb8f02aaebae4f99fee39e9e6dff22acd26f4014f8973bd7ec97e6ba5f1480620ace28c6456a6c3a8dce1183fdf9bec8a08752e65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1da0d5ea7e08b666a00d58a06078c13

SHA1
4aa2b84b522f7f828d95549599762ec8e3d5985b

SHA256
3228987f9b8574e1dabe43a536bc3db600eeb5c8d1332fcfa37439c93a75b36f

SHA512
621bb90afb3e3f8f1502bde12f7e33bb2ea55cbcad2adaf8b35bb345d79b159d9504db2e2e50c7bde4df9a68d98b620d6b657503b0b740c44e009de819438e5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87c2a2238ea72e465b1dab84db39cbe2

SHA1
657b3abe354dc1325904e13741e1eb8700877bf1

SHA256
83e795928c4aa053d5375674c37485463516fc40f557ba12ace83689ed9ec84d

SHA512
c78879fb5f646190ea1a70b15b55305cddf6ef4d203a6ec7d4f1f83b8481a3c8d338ba32fc7884cedebdcf0326eab8aec61ccc687b7f840d8f8031cd47503345

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d75cf33030abf03e639c9b56ccdecb8a

SHA1
071cdae237f0a158e716fc4f4b8c3323737e5424

SHA256
b7546f23e4be10da5b436781a930b4032fc81f80a02887c876253dc295acc1b1

SHA512
b5778ccecb232f84b1a4759558b723a109afcff56155d53a0c2d3e1bb0d743d3e88b8b2d6e97a4c057e7bc59ed171c0df58776ea11152f4b0d9b0cc417356130

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91d4f3be44309b1cc74028adbbf51275

SHA1
17b8366388adac4c0f3a1ec9390ef51029ecb1c4

SHA256
94ec28f485ece22aab33aa5feeba08efc1f184dbf67353a88f88771b16328366

SHA512
d03783e9bc8d4a3c0033bbecdd2de1440b221fd72014e9201c5d0d597e8f93f426db266e1971fec3ba59dd1e00889b73fae036df0dbe5d0db63174e0cd191fbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3bd9cca91a0cd7e2046f0d61d48d3d14

SHA1
c837abe782832e33fb8cf459715b5401374c27c7

SHA256
368716fe0d063baf8a36fc32ba171120a1c7cc33b75dd0745f5d483c12d0e737

SHA512
906553c4eeb1b235bf374377e661d25dcdfc596b40bd667906d13798e27aa487fc498a24db35815b0f94474447fa6e0b80eb8de140fb0206a680d7f0923d9fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat

Filesize
246B

MD5
bfd8c8d3f45a72ada8fbce2762d73abd

SHA1
7e8c46a7c640d84cfed57725a66836ae8f5bda53

SHA256
df352ba4785d313da12d68f4d33363cb11b606f34800337bffa0a3b61156246f

SHA512
75bfe7317833bad479d579be02ea327998945ba969b6387fa1135531a118430f5788c16fa625f4b4102ee537e3a3ccea681ad66aced4e6aecc5f88ff96d597dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat

Filesize
246B

MD5
2e1aa4108e6f94bbeb045bbf2776eda9

SHA1
bda89ee2bbfba64fd8e11a95f35ea05a88d000d2

SHA256
ecc97dd81929e8e97a9da018cee627aaada4eb99aea5f39b81ba7fce4e715b65

SHA512
faa56a081570c675f6d7fbeb6b9005c2c350a4d47f9f7f3ddfb22313f7eca69acd29a6ff1721d6796cf8677365496e0fd32cbdca3373d8ad484446c3b98c0f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE4E5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\InhrPXXuGB.bat

Filesize
246B

MD5
0d17a4d128943a90b5412882e3de62a7

SHA1
5e36eb20297af193e9271769f926848b65b60f48

SHA256
7a2dcf3f4d3c6b30b9b7bd77296251c2ed114a93d35c5c4419999e6c87eca230

SHA512
dd5ba39fc82ae88011e690bb2168780fdc95cce48fd508e037c36d4a69c57a1b44c2e99a019783787fb0c5898d41e3bfaaa7219326127bf66a6d99a84ffeda1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rhkc0SdEF2.bat

Filesize
246B

MD5
34fc8c649684d640a19e61a6eb1cdb4e

SHA1
0d41d7375cb4469fd79c09825999f4b0bcab7795

SHA256
69a6ffac56bb11787c28263cd03f604d15642ccc63f937c8404ab7b0e8f278b9

SHA512
2042580cc654751670155b63b293ff6880ed7ba04aa228c86dee28de804772bdbd9add129b17176ae75f47dfdadac96df12c8b22a6c5bb5f4516c71b57c760ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE507.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat

Filesize
246B

MD5
6b131928727fd894b26a3bd19a7e175e

SHA1
ccb741ea844d54d5781479d8a3dfaa33b378eaf1

SHA256
d151724711470be475f499fce985b0f28fea436e1821ec385a92903a749b1a66

SHA512
b59f49367b6092a08ff90c69d73b778afca22460c3d132b037818874f9927274eef178f2dc88f371472166477ca7001e91f4466d045163c9e95f8674c8267334

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat

Filesize
246B

MD5
ab8447b621fa8a88a225d52b41f60e05

SHA1
20065138d035d4be172ebc7fc064c7e3ccf268c6

SHA256
b1fd9d8318ad52e4bd4e75f3d3bb01b243974ea563b3c273c4851ba4df036147

SHA512
8fb1c99983d4542a86bfd1a0b0025bc38e7e9d1b54add30ddade37bd427796a9e58c4f83c925e945747d47e2d0d85804f67f1ec999265c275cf591312ae4bcc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat

Filesize
246B

MD5
92d156b464d23b4a283d6a957abd9d6d

SHA1
1d749693776d81106daa540e053ffc1c52a689d7

SHA256
2270c4b6702cb9b29a17c44f9e391b1a628584b96576585f22cc5dc0300f59be

SHA512
916b67aaab553b0ecd2e0b09063dc7590f3c73f5ac7d3ca7171106d115d723fcd72d91af99cbd0ac4b744a1a789684e37808f59209ef803b9a3fa867fba05e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat

Filesize
246B

MD5
1bab6ae8529858c59eed618be671d9d0

SHA1
b92718549d171fc55770d4da231ca475df8f5b29

SHA256
424c95a686adcae8410a26aeaf8fdb019cb20f542db8c63d629d214eb93b0612

SHA512
bb0716168a44fa6f4c4dc54e7be0f01841280c4109a723b13be2a12485fa7ff81b664baf8a435066f1f3b892842d38a12925ccba4cb04650822149c78978f5c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zDWALPrpmL.bat

Filesize
246B

MD5
c578d70e430dbd68e4d6270b843ddfd0

SHA1
2d1383bbc9c02d8ab707f57fa00d141592100001

SHA256
c31337e255159fee137badde1c4c74fe56a87350f2b434f864951b31e9b0cccb

SHA512
1d4d4db48065a8b8a96f0e00b90851da5d7611fd42afdb06663b014d220421f70395a26cb110f1e84f96b2ec55dcabcb440ce7eb1bb74105872db603335afcfc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0034e007bf9534dab1834ce8975d4743

SHA1
48035ea1897dad512c6645ea6a5dae982f397c6a

SHA256
675f19e32b6b4e56e3ebe682f63085cb327c737ebd29d68a07d4cc18ebc6b437

SHA512
7142a1fc18fc404f25fb8324f0c59afe5954e0127e0c6056954e24e8cb112f1db9a8f0d0ed7c6155f70a3448511f829f961c1de4f4e07bd8939d819c3c1451d0

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/280-179-0x0000000001380000-0x0000000001490000-memory.dmp

Filesize
1.1MB

Download
memory/1620-118-0x0000000001300000-0x0000000001410000-memory.dmp

Filesize
1.1MB

Download
memory/1620-119-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/1652-53-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/1652-43-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/1932-59-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/1932-32-0x00000000008E0000-0x00000000009F0000-memory.dmp

Filesize
1.1MB

Download
memory/2044-239-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2760-15-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/2760-14-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/2760-13-0x0000000000080000-0x0000000000190000-memory.dmp

Filesize
1.1MB

Download
memory/2760-16-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2760-17-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download