dcrat | 0b0fdb285e61103c4fc82c24277c1ba041d204150256248c1b0002a5464735c7

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-12-2024 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0b0fdb285e61103c4fc82c24277c1ba041d204150256248c1b0002a5464735c7.exe
Size

1.3MB
MD5

c6c2c8290b7c003fcfddce78e1c27c22
SHA1

8ab155135c7e19ee219542314c4edb98aef5f14d
SHA256

0b0fdb285e61103c4fc82c24277c1ba041d204150256248c1b0002a5464735c7
SHA512

a16cc125b35cdccd1c736005358163ca2a0f43cc285d484c18a6ca3149154b2fdf306f57c6e2e2a8e49950843fadb833d36fd0819e13d014368d2e47affd454c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2744	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001925c-9.dat	dcrat
behavioral1/memory/2232-13-0x00000000001C0000-0x00000000002D0000-memory.dmp	dcrat
behavioral1/memory/832-41-0x0000000000E30000-0x0000000000F40000-memory.dmp	dcrat
behavioral1/memory/1116-295-0x0000000001070000-0x0000000001180000-memory.dmp	dcrat
behavioral1/memory/1956-415-0x0000000000380000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/3000-475-0x0000000000E70000-0x0000000000F80000-memory.dmp	dcrat
behavioral1/memory/1084-594-0x0000000000320000-0x0000000000430000-memory.dmp	dcrat
behavioral1/memory/1792-654-0x00000000013D0000-0x00000000014E0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1932	powershell.exe
2360	powershell.exe
1252	powershell.exe
1244	powershell.exe
1692	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2232	DllCommonsvc.exe
832	services.exe
1548	services.exe
2176	services.exe
2892	services.exe
1116	services.exe
2108	services.exe
1956	services.exe
3000	services.exe
1292	services.exe
1084	services.exe
1792	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2796	cmd.exe
2796	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
20	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com
4	raw.githubusercontent.com
17	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
37	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\b75386f1303e64	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0b0fdb285e61103c4fc82c24277c1ba041d204150256248c1b0002a5464735c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2728	schtasks.exe
2804	schtasks.exe
2784	schtasks.exe
1276	schtasks.exe
2900	schtasks.exe
2936	schtasks.exe
2844	schtasks.exe
2624	schtasks.exe
2200	schtasks.exe
2328	schtasks.exe
1464	schtasks.exe
2892	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2232	DllCommonsvc.exe
1692	powershell.exe
1244	powershell.exe
1252	powershell.exe
2360	powershell.exe
1932	powershell.exe
832	services.exe
1548	services.exe
2176	services.exe
2892	services.exe
1116	services.exe
2108	services.exe
1956	services.exe
3000	services.exe
1292	services.exe
1084	services.exe
1792	services.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	DllCommonsvc.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	832	services.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	1548	services.exe
Token: SeDebugPrivilege	2176	services.exe
Token: SeDebugPrivilege	2892	services.exe
Token: SeDebugPrivilege	1116	services.exe
Token: SeDebugPrivilege	2108	services.exe
Token: SeDebugPrivilege	1956	services.exe
Token: SeDebugPrivilege	3000	services.exe
Token: SeDebugPrivilege	1292	services.exe
Token: SeDebugPrivilege	1084	services.exe
Token: SeDebugPrivilege	1792	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2388	2556	JaffaCakes118_0b0fdb285e61103c4fc82c24277c1ba041d204150256248c1b0002a5464735c7.exe	30
PID 2556 wrote to memory of 2388	2556	JaffaCakes118_0b0fdb285e61103c4fc82c24277c1ba041d204150256248c1b0002a5464735c7.exe	30
PID 2556 wrote to memory of 2388	2556	JaffaCakes118_0b0fdb285e61103c4fc82c24277c1ba041d204150256248c1b0002a5464735c7.exe	30
PID 2556 wrote to memory of 2388	2556	JaffaCakes118_0b0fdb285e61103c4fc82c24277c1ba041d204150256248c1b0002a5464735c7.exe	30
PID 2388 wrote to memory of 2796	2388	WScript.exe	31
PID 2388 wrote to memory of 2796	2388	WScript.exe	31
PID 2388 wrote to memory of 2796	2388	WScript.exe	31
PID 2388 wrote to memory of 2796	2388	WScript.exe	31
PID 2796 wrote to memory of 2232	2796	cmd.exe	33
PID 2796 wrote to memory of 2232	2796	cmd.exe	33
PID 2796 wrote to memory of 2232	2796	cmd.exe	33
PID 2796 wrote to memory of 2232	2796	cmd.exe	33
PID 2232 wrote to memory of 1692	2232	DllCommonsvc.exe	47
PID 2232 wrote to memory of 1692	2232	DllCommonsvc.exe	47
PID 2232 wrote to memory of 1692	2232	DllCommonsvc.exe	47
PID 2232 wrote to memory of 1244	2232	DllCommonsvc.exe	48
PID 2232 wrote to memory of 1244	2232	DllCommonsvc.exe	48
PID 2232 wrote to memory of 1244	2232	DllCommonsvc.exe	48
PID 2232 wrote to memory of 1252	2232	DllCommonsvc.exe	49
PID 2232 wrote to memory of 1252	2232	DllCommonsvc.exe	49
PID 2232 wrote to memory of 1252	2232	DllCommonsvc.exe	49
PID 2232 wrote to memory of 1932	2232	DllCommonsvc.exe	51
PID 2232 wrote to memory of 1932	2232	DllCommonsvc.exe	51
PID 2232 wrote to memory of 1932	2232	DllCommonsvc.exe	51
PID 2232 wrote to memory of 2360	2232	DllCommonsvc.exe	52
PID 2232 wrote to memory of 2360	2232	DllCommonsvc.exe	52
PID 2232 wrote to memory of 2360	2232	DllCommonsvc.exe	52
PID 2232 wrote to memory of 832	2232	DllCommonsvc.exe	57
PID 2232 wrote to memory of 832	2232	DllCommonsvc.exe	57
PID 2232 wrote to memory of 832	2232	DllCommonsvc.exe	57
PID 832 wrote to memory of 2412	832	services.exe	59
PID 832 wrote to memory of 2412	832	services.exe	59
PID 832 wrote to memory of 2412	832	services.exe	59
PID 2412 wrote to memory of 1712	2412	cmd.exe	61
PID 2412 wrote to memory of 1712	2412	cmd.exe	61
PID 2412 wrote to memory of 1712	2412	cmd.exe	61
PID 2412 wrote to memory of 1548	2412	cmd.exe	62
PID 2412 wrote to memory of 1548	2412	cmd.exe	62
PID 2412 wrote to memory of 1548	2412	cmd.exe	62
PID 1548 wrote to memory of 2780	1548	services.exe	63
PID 1548 wrote to memory of 2780	1548	services.exe	63
PID 1548 wrote to memory of 2780	1548	services.exe	63
PID 2780 wrote to memory of 2804	2780	cmd.exe	65
PID 2780 wrote to memory of 2804	2780	cmd.exe	65
PID 2780 wrote to memory of 2804	2780	cmd.exe	65
PID 2780 wrote to memory of 2176	2780	cmd.exe	66
PID 2780 wrote to memory of 2176	2780	cmd.exe	66
PID 2780 wrote to memory of 2176	2780	cmd.exe	66
PID 2176 wrote to memory of 2912	2176	services.exe	67
PID 2176 wrote to memory of 2912	2176	services.exe	67
PID 2176 wrote to memory of 2912	2176	services.exe	67
PID 2912 wrote to memory of 1184	2912	cmd.exe	69
PID 2912 wrote to memory of 1184	2912	cmd.exe	69
PID 2912 wrote to memory of 1184	2912	cmd.exe	69
PID 2912 wrote to memory of 2892	2912	cmd.exe	70
PID 2912 wrote to memory of 2892	2912	cmd.exe	70
PID 2912 wrote to memory of 2892	2912	cmd.exe	70
PID 2892 wrote to memory of 2112	2892	services.exe	71
PID 2892 wrote to memory of 2112	2892	services.exe	71
PID 2892 wrote to memory of 2112	2892	services.exe	71
PID 2112 wrote to memory of 2472	2112	cmd.exe	73
PID 2112 wrote to memory of 2472	2112	cmd.exe	73
PID 2112 wrote to memory of 2472	2112	cmd.exe	73
PID 2112 wrote to memory of 1116	2112	cmd.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b0fdb285e61103c4fc82c24277c1ba041d204150256248c1b0002a5464735c7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b0fdb285e61103c4fc82c24277c1ba041d204150256248c1b0002a5464735c7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Links\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
    - - C:\Program Files (x86)\MSBuild\Microsoft\services.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\services.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:832
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1712
        
        C:\Program Files (x86)\MSBuild\Microsoft\services.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\services.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2804
        
        C:\Program Files (x86)\MSBuild\Microsoft\services.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\services.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZES4mQr7Bk.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1184
        
        C:\Program Files (x86)\MSBuild\Microsoft\services.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\services.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2472
        
        C:\Program Files (x86)\MSBuild\Microsoft\services.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\services.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1116
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qtVTp5BaF9.bat"
        14⤵
        
        PID:2728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1276
        
        C:\Program Files (x86)\MSBuild\Microsoft\services.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\services.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvFVSjZSRs.bat"
        16⤵
        
        PID:2964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1608
        
        C:\Program Files (x86)\MSBuild\Microsoft\services.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\services.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TBzEQtkdDl.bat"
        18⤵
        
        PID:2120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2988
        
        C:\Program Files (x86)\MSBuild\Microsoft\services.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\services.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat"
        20⤵
        
        PID:1668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3032
        
        C:\Program Files (x86)\MSBuild\Microsoft\services.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\services.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PeSwWR6joe.bat"
        22⤵
        
        PID:2136
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1624
        
        C:\Program Files (x86)\MSBuild\Microsoft\services.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\services.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat"
        24⤵
        
        PID:1352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2492
        
        C:\Program Files (x86)\MSBuild\Microsoft\services.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\services.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Links\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Links\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Links\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b428727dc0cdcaffdfdc935678c5b006

SHA1
0ec113976eaabe97bc39d4f8ba2a354f720da553

SHA256
15f4c38f553104d31e2f78ebca845157ed517f782ea6808d53b643fc987f5c05

SHA512
c1bafd6e8bce0abccdb6bfdc9da83dc2c8180a51cad5718c8f24a5379f559a8b91e18196768d920c4900f363bf891eb6b0f0b2121fa69991eedf19f1f8aef90b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7e37c79160443893f30215411c3eb03

SHA1
f3d6760ec585515055864d21283c35e8d26ac379

SHA256
a1c3ae1770afc42bba8409e2d4d6054be370c849db5d4a85e7b5fcdd5c8fac77

SHA512
cc24e199f9fb174d512a11964bd4b7c09f23c948c917607143698ccb2689ec67bf75c08f7d39eec4b94d943be22361dce15226f4279d471f33b08980c360e1e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
40aeca9adbbb1da79eac17ba1f21da1d

SHA1
265e59dbced202d473073b71492a1e17a61baaf3

SHA256
85a254fe81969bd75491df6a76d14ad3034371db643c10e29ac7de07f811e87a

SHA512
93205ce65e71f83688234e1347421d6af67a1281c3791d5568e25a30418c36acda12d1c923493da3325135346628d6f560feb0d11a284c0f4de1ebcac24681fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc43de8cabfad0fc4825edfb15aa0a54

SHA1
0cdf6f0c6b0331cb3b6a991defbb2285ab924513

SHA256
95673dda861f0122707e9773f2a559ec8a41351fa005cdaa913385e0188d036f

SHA512
628e6662d770dfe7b6bda4570e6fd94e37e49905945376c51d5e8bc96996238e045c246889f009ff6ea58585ee5dae7eb477f6985051eaf1df36fb1f946e7a91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d83a9324834a2e1016223283f7f56e3e

SHA1
06cb85049ce5f7373e23e94d645b1428199f4684

SHA256
7771ed15510734699c65b34661410cb662dc112c8a3c8a09babecd419bd56519

SHA512
14005819cbcb2c92cb2484317d96e418e910c2650374e69faffd16e0d2e27751b41e219046a6d615a05e4421729d9fd2a97d2a7b76fa02c980dc593d99d77622

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee07362e5f06b33153d0a29bd46a0b8d

SHA1
0a9c9a1f4290849ee3eb78134b43926ac1035190

SHA256
d9133d2b238eb0cb78b093460ebffdfa84c49d93631d2d27148985dcd5225acf

SHA512
05e43a6ae6c73cae538dc70aef2bc9e83eaaa4f309d7a5b5dd3a1e85605afe6d5207a9e5496c24a9a06ccaf3e9c181f2f433f865abd2a2a1ec0d325d3db8fd5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01195a8a6b0cdbddee9ac50c86920719

SHA1
6cbe7f95e463e606f203f3e94500ecf3f79944cd

SHA256
cdd723d4ffa82cb93beb1bb946dae19703654467c5723280d0ababc40714b685

SHA512
e0d21292d67d8da00ee3deadffaa530aa5d50571175f17d6bbbe19ce86038593e4796ccdaf44970dda9cef2d856ff530b3db1344cf22e2dcf5ad2f4f5457fc48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c912abb99c21ef2af1be96dd866eed2d

SHA1
44b1e417da1c9391440b90ed46731307a02a9a0c

SHA256
c423e88604b5baf233752e6e61eae218aa5a31cd7f0e5ff44e15f5ffd1181c1c

SHA512
a035390f9e30bbaf0a48f583990332967461fb8fbdcb4e56d02212356efd7f991e70a38dcfa425b2dbf62f800a7326a6d03b092cb4523843d3518ee12859cbf0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7272a792eb55594a3988dec5f5d09d40

SHA1
869f0719697db7311109a3cd0c85ef76c3edfa73

SHA256
19b8cec54e3028ed834d8c609f25d394677db91e513c12cfb891157e28f6f8ca

SHA512
30ea699c5145695a8dd3035c2285498d7b7c8523c9fe02104eb3210d27a760f6ec6223aa3361a2dba27f464fcf1645b2af594adedbf24c2c1fdf84a4dfb6b214

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat

Filesize
218B

MD5
d46867972035e179f78fa33cc2767f1c

SHA1
f968745600ad81389491f7af9b23a5e56f5f4f7a

SHA256
9aeee8bfae836888d20bf44dedc8e3c314ee4e990c501f2c604cdc6ff24a5669

SHA512
b42d8c9b23a82dff77d485349666cd4087bd0edfc6ea11478b47417196eb9959bda39266adcb00fb9f53bfe67f1a728530748391822a8de6414f536a20129298

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat

Filesize
218B

MD5
924e3830e63e38bf3ba55b07df19f7c3

SHA1
bb0c27df76267bd4484d09019921466eca387280

SHA256
4678b996b2a0306726dd228a23fd720235f1a0ea161378cd4f4366b3a808c391

SHA512
78e24d1955b39d477e9f0cc166144efe554d2f26a454b2c11c64994d856630aa57e11ba63548aeeda1803853059aa758cbbac9fab738c8d37df7d61d3b320c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat

Filesize
218B

MD5
983b67b064de7a95e7a3231ea84a50b7

SHA1
3f9291cb9713818ac8b79e0e41a1d4a7683c6afd

SHA256
32651ceb86e5342cbd1cb67a8bb587816d33aaf59d8add9b206f644dbdb8b288

SHA512
b8022f66a0d3becc2e4ee04b6f399b53203e9927d81f02fb9f3b0a444d499d544f16e3110ae73884aecf168f08a01470debe7cf4ba27befb3b2a8bc1ea6cffe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD53B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GvFVSjZSRs.bat

Filesize
218B

MD5
26e678b94c5607f2e1e54d30e3df008d

SHA1
73f4dda8c144caaf783965d04250b802eb91ac61

SHA256
807016dcb9f47fbdfaeed36860f28ec717c651e70b6bc262e9af3ea578c16351

SHA512
206f14743538f64b28f4b649466519a1dbca6f44a42624ee17e487bda0c78d13322685eea7b709e5309aa55b020fc78d1afa8a5a7e9efe56a63914e58464213b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PeSwWR6joe.bat

Filesize
218B

MD5
afdae0eeda9afbad5a42faee63f9218e

SHA1
7b573eb15bc0aa20ac4adb39edb8c864e6a6d0c0

SHA256
5b58b36fb7c52a475eed8a79dcffa8337119e505ac544b2b6518012f5e960db8

SHA512
25a633e5bac41019a02dfb6d5f3c581a229ede099b13cab4e9d794d574c8735465f5099fc7df284d6f3ed6ee5ae11c385571a53c6889e0458563c2b3c1531e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TBzEQtkdDl.bat

Filesize
218B

MD5
f4984a4de38b785c9fcfb6378f77c4ac

SHA1
caa51051be96a64306d4a0f1caf90dda921409d0

SHA256
5917bf717b20a9ecb2d611e6645e2fb0bf1c7f1eb9d2ddf5640593004b8d6314

SHA512
4adfffaf2901cd31aa767f9e8cc58407c38de715556c327e2bd7d35f461040dca368aeaa66ccd6ea2b14bf221c2d78a5990e26bea6128ce91a679e145eec0a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD54E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZES4mQr7Bk.bat

Filesize
218B

MD5
789661399ee42cedc647c7ba8e582185

SHA1
f6c6976c0a420f67d171104b864832c8e765c342

SHA256
2182a1a00b5b229603c43b8236dd31fc0786832ea732109e18fe6cd37fcb0a1f

SHA512
ac9d0121781f8b6f48f02a74093614f8388cb307b3c26f19703a85c3510b45d898cc7f01c50ffec1359ba4aaf2634ddcbddda4fe69e52977b1cd72a9ec8d7a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat

Filesize
218B

MD5
09cf224f24c91133f89301820456a1f5

SHA1
9e3d400cf13310c975d3e54e15e6f6152d7acd89

SHA256
8236ea797d135de5acdcad3ad0cb4908a3a15868fe6157822a6b31d9d9a0f373

SHA512
428ab1b90ff064b082291b4ecb5b90f233e62ac3d146f55eabba427f6f390d76924f27a2a58a6e3671b70cd646b55708ff6ffc47fdc5f7964bdf5bcec06a0e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qtVTp5BaF9.bat

Filesize
218B

MD5
d5ec34455a47e1d89853d51c94bd7f01

SHA1
378faa996620b213e19098257c13c314f5fe154b

SHA256
996325c1beb4a16a739246d24af589da9c8add122083a48695b1d028f92e91ad

SHA512
2b238dd152b1e6162809ffa3708bdd8089cb9272e1bfa5b7d3c6a94b1098acd153532f107ec7148abfedaabfc0872657ad376e9ab547c3fd37d639b543426671

Download Submit
C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat

Filesize
218B

MD5
c6683c725f0fb4caf4f5e76f8426338f

SHA1
1e3eb7cdd18c1cd79f8906f3a6cc829f73b48d0f

SHA256
a2258269874437d6ebf66823a8493e9e0444d037b9c7b12cd846b4a63e81372c

SHA512
922fb9bd05d9c6bfd68b84e156c31c42157edea361cad6fd71c3fe49c75dc8f250857970fd73e16bb9091ab5c83251c7d9fd6dcf7e76b3cd4a3c6718a1e1309b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5fb94654d98d88812b8c05800c8956c5

SHA1
fb0fb59c23c6af2c54bbccc2fb665c954048b43e

SHA256
0d7e38b26f9e88d9745658b7857438f17898a366a75b9f37f63cdaefdfec294b

SHA512
88e02282f6aa884fe30467a2f87f4545bc54526bbb112ac218ac32b7e425e6be16dbf2d5cf36f86b20b0f413f1feb7bf84e94f9f961c960f4b5da062e9062e94

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/832-41-0x0000000000E30000-0x0000000000F40000-memory.dmp

Filesize
1.1MB

Download
memory/832-59-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/1084-594-0x0000000000320000-0x0000000000430000-memory.dmp

Filesize
1.1MB

Download
memory/1116-295-0x0000000001070000-0x0000000001180000-memory.dmp

Filesize
1.1MB

Download
memory/1116-296-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1692-42-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/1692-44-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download
memory/1792-654-0x00000000013D0000-0x00000000014E0000-memory.dmp

Filesize
1.1MB

Download
memory/1956-415-0x0000000000380000-0x0000000000490000-memory.dmp

Filesize
1.1MB

Download
memory/2232-13-0x00000000001C0000-0x00000000002D0000-memory.dmp

Filesize
1.1MB

Download
memory/2232-14-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2232-15-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/2232-16-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2232-17-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/3000-475-0x0000000000E70000-0x0000000000F80000-memory.dmp

Filesize
1.1MB

Download