dcrat | 9c3dccb45aec8e8d93495b03db9b863514cac65f6b6ee88e6e84ccb433e60299

Analysis

max time kernel
146s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23/12/2024, 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9c3dccb45aec8e8d93495b03db9b863514cac65f6b6ee88e6e84ccb433e60299.exe
Size

1.3MB
MD5

cf68be2b7c7473f4d41bfe93cf268b99
SHA1

e003bd7914cd5d9aff4303a6a50962da525b7bea
SHA256

9c3dccb45aec8e8d93495b03db9b863514cac65f6b6ee88e6e84ccb433e60299
SHA512

72f303433b9f3b53249c16238893ffdcb26cb7d0cffabf0feb8333e1d51e14831a43d1d4f432a60a0bc43bb93501c13114824617754c4ea78460e81429db04f6
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2408	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2408	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2408	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2408	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2408	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2408	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2408	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2408	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2408	schtasks.exe	32

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016b86-9.dat	dcrat
behavioral1/memory/1460-13-0x0000000000070000-0x0000000000180000-memory.dmp	dcrat
behavioral1/memory/2724-34-0x0000000001040000-0x0000000001150000-memory.dmp	dcrat
behavioral1/memory/1324-110-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat
behavioral1/memory/2804-170-0x0000000000F40000-0x0000000001050000-memory.dmp	dcrat
behavioral1/memory/2404-289-0x0000000001180000-0x0000000001290000-memory.dmp	dcrat
behavioral1/memory/2372-529-0x0000000000330000-0x0000000000440000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2660	powershell.exe
2544	powershell.exe
2552	powershell.exe
2608	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
1460	DllCommonsvc.exe
2724	winlogon.exe
1324	winlogon.exe
2804	winlogon.exe
2396	winlogon.exe
2404	winlogon.exe
2464	winlogon.exe
2664	winlogon.exe
1068	winlogon.exe
1804	winlogon.exe
2372	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
2472	cmd.exe
2472	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
22	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IME\IMESC5\applets\System.exe	DllCommonsvc.exe
File created	C:\Windows\SysWOW64\IME\IMESC5\applets\27d1bcfc3c54e0	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9c3dccb45aec8e8d93495b03db9b863514cac65f6b6ee88e6e84ccb433e60299.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2624	schtasks.exe
2784	schtasks.exe
3008	schtasks.exe
2880	schtasks.exe
2588	schtasks.exe
2636	schtasks.exe
2708	schtasks.exe
2648	schtasks.exe
2656	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1460	DllCommonsvc.exe
2552	powershell.exe
2608	powershell.exe
2660	powershell.exe
2544	powershell.exe
2724	winlogon.exe
1324	winlogon.exe
2804	winlogon.exe
2396	winlogon.exe
2404	winlogon.exe
2464	winlogon.exe
2664	winlogon.exe
1068	winlogon.exe
2372	winlogon.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1460	DllCommonsvc.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	2724	winlogon.exe
Token: SeDebugPrivilege	1324	winlogon.exe
Token: SeDebugPrivilege	2804	winlogon.exe
Token: SeDebugPrivilege	2396	winlogon.exe
Token: SeDebugPrivilege	2404	winlogon.exe
Token: SeDebugPrivilege	2464	winlogon.exe
Token: SeDebugPrivilege	2664	winlogon.exe
Token: SeDebugPrivilege	1068	winlogon.exe
Token: SeDebugPrivilege	2372	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2188	2136	JaffaCakes118_9c3dccb45aec8e8d93495b03db9b863514cac65f6b6ee88e6e84ccb433e60299.exe	28
PID 2136 wrote to memory of 2188	2136	JaffaCakes118_9c3dccb45aec8e8d93495b03db9b863514cac65f6b6ee88e6e84ccb433e60299.exe	28
PID 2136 wrote to memory of 2188	2136	JaffaCakes118_9c3dccb45aec8e8d93495b03db9b863514cac65f6b6ee88e6e84ccb433e60299.exe	28
PID 2136 wrote to memory of 2188	2136	JaffaCakes118_9c3dccb45aec8e8d93495b03db9b863514cac65f6b6ee88e6e84ccb433e60299.exe	28
PID 2188 wrote to memory of 2472	2188	WScript.exe	29
PID 2188 wrote to memory of 2472	2188	WScript.exe	29
PID 2188 wrote to memory of 2472	2188	WScript.exe	29
PID 2188 wrote to memory of 2472	2188	WScript.exe	29
PID 2472 wrote to memory of 1460	2472	cmd.exe	31
PID 2472 wrote to memory of 1460	2472	cmd.exe	31
PID 2472 wrote to memory of 1460	2472	cmd.exe	31
PID 2472 wrote to memory of 1460	2472	cmd.exe	31
PID 1460 wrote to memory of 2660	1460	DllCommonsvc.exe	42
PID 1460 wrote to memory of 2660	1460	DllCommonsvc.exe	42
PID 1460 wrote to memory of 2660	1460	DllCommonsvc.exe	42
PID 1460 wrote to memory of 2544	1460	DllCommonsvc.exe	43
PID 1460 wrote to memory of 2544	1460	DllCommonsvc.exe	43
PID 1460 wrote to memory of 2544	1460	DllCommonsvc.exe	43
PID 1460 wrote to memory of 2608	1460	DllCommonsvc.exe	44
PID 1460 wrote to memory of 2608	1460	DllCommonsvc.exe	44
PID 1460 wrote to memory of 2608	1460	DllCommonsvc.exe	44
PID 1460 wrote to memory of 2552	1460	DllCommonsvc.exe	45
PID 1460 wrote to memory of 2552	1460	DllCommonsvc.exe	45
PID 1460 wrote to memory of 2552	1460	DllCommonsvc.exe	45
PID 1460 wrote to memory of 2724	1460	DllCommonsvc.exe	50
PID 1460 wrote to memory of 2724	1460	DllCommonsvc.exe	50
PID 1460 wrote to memory of 2724	1460	DllCommonsvc.exe	50
PID 2724 wrote to memory of 1212	2724	winlogon.exe	53
PID 2724 wrote to memory of 1212	2724	winlogon.exe	53
PID 2724 wrote to memory of 1212	2724	winlogon.exe	53
PID 1212 wrote to memory of 1100	1212	cmd.exe	55
PID 1212 wrote to memory of 1100	1212	cmd.exe	55
PID 1212 wrote to memory of 1100	1212	cmd.exe	55
PID 1212 wrote to memory of 1324	1212	cmd.exe	56
PID 1212 wrote to memory of 1324	1212	cmd.exe	56
PID 1212 wrote to memory of 1324	1212	cmd.exe	56
PID 1324 wrote to memory of 2680	1324	winlogon.exe	57
PID 1324 wrote to memory of 2680	1324	winlogon.exe	57
PID 1324 wrote to memory of 2680	1324	winlogon.exe	57
PID 2680 wrote to memory of 2900	2680	cmd.exe	59
PID 2680 wrote to memory of 2900	2680	cmd.exe	59
PID 2680 wrote to memory of 2900	2680	cmd.exe	59
PID 2680 wrote to memory of 2804	2680	cmd.exe	60
PID 2680 wrote to memory of 2804	2680	cmd.exe	60
PID 2680 wrote to memory of 2804	2680	cmd.exe	60
PID 2804 wrote to memory of 2492	2804	winlogon.exe	61
PID 2804 wrote to memory of 2492	2804	winlogon.exe	61
PID 2804 wrote to memory of 2492	2804	winlogon.exe	61
PID 2492 wrote to memory of 1148	2492	cmd.exe	63
PID 2492 wrote to memory of 1148	2492	cmd.exe	63
PID 2492 wrote to memory of 1148	2492	cmd.exe	63
PID 2492 wrote to memory of 2396	2492	cmd.exe	64
PID 2492 wrote to memory of 2396	2492	cmd.exe	64
PID 2492 wrote to memory of 2396	2492	cmd.exe	64
PID 2396 wrote to memory of 1352	2396	winlogon.exe	65
PID 2396 wrote to memory of 1352	2396	winlogon.exe	65
PID 2396 wrote to memory of 1352	2396	winlogon.exe	65
PID 1352 wrote to memory of 288	1352	cmd.exe	67
PID 1352 wrote to memory of 288	1352	cmd.exe	67
PID 1352 wrote to memory of 288	1352	cmd.exe	67
PID 1352 wrote to memory of 2404	1352	cmd.exe	68
PID 1352 wrote to memory of 2404	1352	cmd.exe	68
PID 1352 wrote to memory of 2404	1352	cmd.exe	68
PID 2404 wrote to memory of 2576	2404	winlogon.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9c3dccb45aec8e8d93495b03db9b863514cac65f6b6ee88e6e84ccb433e60299.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9c3dccb45aec8e8d93495b03db9b863514cac65f6b6ee88e6e84ccb433e60299.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\IME\IMESC5\applets\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
    - - C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sQQ1IAg9p0.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1100
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWs9jrlB8v.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2900
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XIQ15LoDrx.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1148
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HKL0gj8mBn.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:288
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat"
        14⤵
        
        PID:2576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2948
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat"
        16⤵
        
        PID:2936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1772
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat"
        18⤵
        
        PID:2092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:956
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TK13bru719.bat"
        20⤵
        
        PID:1456
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1768
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        21⤵
        Executes dropped EXE
        
        PID:1804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat"
        22⤵
        
        PID:2816
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1660
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat"
        24⤵
        
        PID:3020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\SysWOW64\IME\IMESC5\applets\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\SysWOW64\IME\IMESC5\applets\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\SysWOW64\IME\IMESC5\applets\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6133f99e80a761351a24ab4d692b5e5

SHA1
1ae8c70373a8b91a82f32a4d9d3826eeadcfe707

SHA256
4b633eecc0b9ddd5bf3c297c1166de4058b6d7925d898d72d9c0bbd664454b3b

SHA512
4c54e486b50e058263d794efb6b0e1be114138f7884f9290550475c4333c42d3277cf652e85389963f1fb251897d39964635fa81b39f585ec81765dc2672bc07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d6d75e6368525726affe8b23ae9b61f

SHA1
ec7d596653d9222d85ef960cf88d6ec88cb56ba0

SHA256
c27ef8c434f11c9494c3b76a2858a1d45228ac5dca7f2dd6b78729c4ee0e45cb

SHA512
29f4f3d0852cce26e86861ad9d6694de1d9a18f0531119840f76ad18dd0c6b5f8cc4bf8634e5580a0c60093fa895c2145217535ceb5309c535a16ca999969c44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d5880e862289482c8e4fa4f372a30f8

SHA1
b1ec4027049a03309ca671b10be771da7f0fe776

SHA256
974502166802cf33f9cc5f16e6a998418c754ae9920207290c9fc65dd83f75b1

SHA512
df6b566fa36a5c93f6d2c35af5d06f5fb84f994b6bce53c0be27feaac297f8bf98cde3fa9d50e27e1b3d4cd611385baf14e5b626fb59f70506908382fc816b9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
883ccd80c5b0b6117b83b7a231180be6

SHA1
53e22fd0f82a5521633bc5ed326c7925b9410e94

SHA256
946a56a5118550d3c51e061dc88bbbd88d1490e5b7a98c800f608d0bbed7f32a

SHA512
79beccefcbd752519fd0cf5534ba4fc66480c246127656a482bc6ed9c084f14376b6e88d12757559b6ad9eeff9edd419eba5aa1f35e7106c443e9217e63c896d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08373716aed930a2f1ef07c7b42d0a4d

SHA1
99e71144a2451e00d6495b263e3637896d9264b6

SHA256
d694a1d3ed6ba4be1ed71e26fd813e59610802d12d3dce84265549d5c2815b68

SHA512
71af64fa8fa58d4763620ed332ed8bc937802c6bd69b8cf35335356bf33b9ee2c423a10249616d5c6a1ba6d5b7fad9fae906ee1c4ceb69e5d30f58a53ab0f7b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7af930e56deb593f3b4a2ac7867ea34a

SHA1
4c0b99147f918be088d0a53f8098c35145f562ac

SHA256
44f7f561694ae2f648b97b28d4b18975129a207e93981e7e6b5389dbf6182b0f

SHA512
5e60ecac5b54fbe192b99a6f7366a0519371dc1c86cc7713d258effe94c774ba64d68c9e6fc9da934793d335112d6e2a802574d3d5515925dca780e1fc2ef02b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
798289c06be83aaac6eb8d62ac9a44e1

SHA1
abeab9035cb8d4fc465bdcb162ec7c2a2f67610f

SHA256
b3fd99956a4943aaf9b36d01f1e3211cdd7929488124c3c873d76cdee2aaabb8

SHA512
d1f7dd444ca9d78fd84fc979b3f5a75f4cb1e7b3a9d5cfd9df6dc4340a17ab00abfebdc26f154d050af86572a7c470564fda1165ef3b520cf7feb78c2ec8b720

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2711084ba206babbbc83492e7ae802d

SHA1
6d97bb693eb4d3e5b8e86bdfac338c779c476db9

SHA256
8681fdc27c27ad6ac4d7ac02837bd9a69d9adba61bdc0d8251ac38c6a50c87a6

SHA512
f35753b0d481641cd348806a6a8665738b389848083cb6adc9237df7f23d45ab730a1cd81253ddc5eac6e356729e1a98b986a5de0d838e4ca4a8e224582f7fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat

Filesize
253B

MD5
4f6937f8728365be750b8851c57f6822

SHA1
6935854debaa3485bec994bbf6a048109f9a0964

SHA256
a2f97db7c95784b4b22962d4ae41fd5af582421eaafb834425e601a2c76a41fc

SHA512
9d67dc5d3f7a6bf10d233c508b8fb7ae5f5ab73db818df82926b31daa4475f77d78fdca4dbdf635604cfd70e6d5d759aaaaa904b0cb55b21a605518a287c221e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEB3B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HKL0gj8mBn.bat

Filesize
253B

MD5
306181bea16b7eb1c9d66565aa908bf0

SHA1
3a76f4f5c11090784964574fa255ff37de7e4a76

SHA256
1d9aafe1ce8331e7b1fe0588d5ed5fe517a04ab4ac2a07f219763337405e4aac

SHA512
e2a2c89b2937e642c3d0865d8ad664fbb1e7f5b800d5de9fdcef2620bb526d0ed7f1f70cb95d9966fca208a620d8f1090ea93c6e6ae11af177b99189fa573958

Download Submit
C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat

Filesize
253B

MD5
cd2860b469bf6344bf99dcb1c508cf71

SHA1
516193e48df0ca6ceeb92de92ff99b97b2705c30

SHA256
1fca411376e2594532a40255cd646c935b36a94b0445c16e47b96ee818e4d861

SHA512
10318f8919ce07bf20074c6371df6ab649c031f674836c8c82b3d5b4392c573f2d3748cc13ec2e1c0ba02fad50e18443100d65ffbb5aa84e868ecc644c1d15cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\TK13bru719.bat

Filesize
253B

MD5
964d75e04e74896cf0724768f1d7f222

SHA1
f3925053c876ea5ee585f578e98ff63d01c94a64

SHA256
db814fb09675ff1970b645b33e864d09ea4c4248865df1d66286b7cc7cad86f6

SHA512
af6c9778cdbaf0261b3b6c2a6026da52fc36a5d08a68b60f7ffc3c8166fb6cfeb6c9e226781e45190db65d1b216970f31ff1ed57aeb2f7e96dfddeb31b2b607b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEB5D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XIQ15LoDrx.bat

Filesize
253B

MD5
4e73652bf71bd56d30d2eb13934e5914

SHA1
22187cf6c9066c55c73138c968571b84d14d9ff1

SHA256
3fbaf50c95a5b9e9d31ada25f73f53a4872d0e96a418228bb6c460481bcafdaa

SHA512
c3496d21c4c62edf3786149005f22291e0c19443ef2d950d1a57542b2347e7c960486a6ef55c988ddb4f9bbd69573937cb25ff8e29c89616817762dd4a8b83e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat

Filesize
253B

MD5
c33e75709a0dea98e7a93c4e6ac56c83

SHA1
cd1780b03c43816c3980d94722646c08871508e1

SHA256
75c9b59a83d10d130d66b8da5ed3b211065b64d3dfc714d82896f35fb318887a

SHA512
373ff206b88f1493b62d5f9f95e9476063d8b5937a116fb7762bc489d1afd0fd556e2201854e253def239370a370befce2fad5ca9ee4b776848272be510fdbef

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQQ1IAg9p0.bat

Filesize
253B

MD5
95d0eda547f698eae9ccc9f1f2a2ae47

SHA1
f94e2eda01fe2111a5a8a918abb77cdab8f07cdf

SHA256
cc59c32071601b76a0e65e1c7f1bea6424f8be3e694217d2cfcef732e1c11147

SHA512
25b2b16a39f30a03cf46f31b7ea16e4e88bdbb409cb31e6726ab935c6c20fd1ec25195b507711ebf36d27c7bf16d9f69ed1d8e7f41246d0fba52661840c08808

Download Submit
C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat

Filesize
253B

MD5
5cbd0b6a5fd965f66ad56a632d6597d3

SHA1
c6dde706090002a809ef8739c13bd5e26c81245f

SHA256
a61e6a2cf9d385a05eecc6a4b7f49cb71fe677b2e6f42ef79b68da5f1ecaffeb

SHA512
b0b807774d0915966581c2c691d0ac2ef9f398bcb8080e589a7959db852b9954114b8128014fd0ab9c9dbe36acf268d936b4bcd44d7e078ce2cfd448f470ddd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWs9jrlB8v.bat

Filesize
253B

MD5
a70fcf43ef9f4168e5c898d363f1d410

SHA1
9c4342a5ac314dfb68408d5f275b18adc0909cbd

SHA256
e36a7e42773c88a6a3631b82a3a21bee563c3d04ab24824e74219510317504d1

SHA512
ffdb5a3ff46aed9c7194522e62409f8ea7e7beafe940492b17dc71e4ce716ad06dcf62303d6d68dc8ad6dcdc4eb3cc65a7f958db30e9d5e6c854b8a275b07854

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6d97499604d11e063f7fe69114e2fb86

SHA1
f79484039421ca1eb6659884da74ea9c035db7ef

SHA256
ab4b1a5ad151740f3c2213b79adbf5cbab689a1a52e3736a0667f4912b25c27c

SHA512
8310e93b08dafdf6a0fd5fa85fb895e23680dc6e4ffc2697b1e88952bf3daa6daf357ea3922946f2605712d899424ba8f06afb25a1ac1f8478caff11e9f2ccf9

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1324-110-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download
memory/1460-17-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/1460-14-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1460-16-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/1460-15-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/1460-13-0x0000000000070000-0x0000000000180000-memory.dmp

Filesize
1.1MB

Download
memory/2372-529-0x0000000000330000-0x0000000000440000-memory.dmp

Filesize
1.1MB

Download
memory/2404-289-0x0000000001180000-0x0000000001290000-memory.dmp

Filesize
1.1MB

Download
memory/2552-47-0x0000000000470000-0x0000000000478000-memory.dmp

Filesize
32KB

Download
memory/2552-46-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2724-34-0x0000000001040000-0x0000000001150000-memory.dmp

Filesize
1.1MB

Download
memory/2804-170-0x0000000000F40000-0x0000000001050000-memory.dmp

Filesize
1.1MB

Download