dcrat | 65063fcd5a9010a706580e11f6abf886a45fa6dd15743bdc41a49b1f9ac5761a

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65063fcd5a9010a706580e11f6abf886a45fa6dd15743bdc41a49b1f9ac5761a.exe
Size

1.5MB
MD5

b8fd8ab8d6bffd83d24ec8c669958653
SHA1

7cf5979b3d3aa0a10d595f9a9db286b689a2d167
SHA256

65063fcd5a9010a706580e11f6abf886a45fa6dd15743bdc41a49b1f9ac5761a
SHA512

b258de30aebe40dd80112011827e23c569c776e90c79fb4d00ac25760c4ce9344d6f5104d9f79d78ea8884fb53b25ced0a12f1df5d4a232057686422611afb4a
SSDEEP

24576:U2G/nvxW3Ww0t6kS6gR4zPK3r0Y2bpq5vbf4w8IzRII4Wa6gSqJ8S:UbA306DRcIruWf7RII2vS+r

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	3872	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	3872	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	3872	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	3872	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	3872	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	3872	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	3872	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	3872	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	3872	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0008000000023c9f-10.dat	dcrat
behavioral2/memory/1664-13-0x0000000000B50000-0x0000000000C86000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	serverperf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	65063fcd5a9010a706580e11f6abf886a45fa6dd15743bdc41a49b1f9ac5761a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 12 IoCs

pid	Process
1664	serverperf.exe
1624	upfc.exe
4036	upfc.exe
644	upfc.exe
4944	upfc.exe
224	upfc.exe
4560	upfc.exe
2012	upfc.exe
2924	upfc.exe
1776	upfc.exe
3208	upfc.exe
1844	upfc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
51	pastebin.com
52	pastebin.com
53	pastebin.com
37	pastebin.com
38	pastebin.com
43	pastebin.com
50	pastebin.com
20	pastebin.com
21	pastebin.com
36	pastebin.com
42	pastebin.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\ModifiableWindowsApps\cmd.exe	serverperf.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe	serverperf.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\ea1d8f6d871115	serverperf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65063fcd5a9010a706580e11f6abf886a45fa6dd15743bdc41a49b1f9ac5761a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	serverperf.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	65063fcd5a9010a706580e11f6abf886a45fa6dd15743bdc41a49b1f9ac5761a.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	upfc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4728	schtasks.exe
4328	schtasks.exe
2764	schtasks.exe
3628	schtasks.exe
3580	schtasks.exe
3416	schtasks.exe
3908	schtasks.exe
4908	schtasks.exe
2736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1664	serverperf.exe
1664	serverperf.exe
1664	serverperf.exe
1664	serverperf.exe
1664	serverperf.exe
1664	serverperf.exe
1664	serverperf.exe
1664	serverperf.exe
1664	serverperf.exe
1664	serverperf.exe
1664	serverperf.exe
1664	serverperf.exe
1664	serverperf.exe
1624	upfc.exe
4036	upfc.exe
644	upfc.exe
4944	upfc.exe
224	upfc.exe
4560	upfc.exe
2012	upfc.exe
2924	upfc.exe
1776	upfc.exe
3208	upfc.exe
1844	upfc.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1664	serverperf.exe
Token: SeDebugPrivilege	1624	upfc.exe
Token: SeDebugPrivilege	4036	upfc.exe
Token: SeDebugPrivilege	644	upfc.exe
Token: SeDebugPrivilege	4944	upfc.exe
Token: SeDebugPrivilege	224	upfc.exe
Token: SeDebugPrivilege	4560	upfc.exe
Token: SeDebugPrivilege	2012	upfc.exe
Token: SeDebugPrivilege	2924	upfc.exe
Token: SeDebugPrivilege	1776	upfc.exe
Token: SeDebugPrivilege	3208	upfc.exe
Token: SeDebugPrivilege	1844	upfc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 4760	1584	65063fcd5a9010a706580e11f6abf886a45fa6dd15743bdc41a49b1f9ac5761a.exe	83
PID 1584 wrote to memory of 4760	1584	65063fcd5a9010a706580e11f6abf886a45fa6dd15743bdc41a49b1f9ac5761a.exe	83
PID 1584 wrote to memory of 4760	1584	65063fcd5a9010a706580e11f6abf886a45fa6dd15743bdc41a49b1f9ac5761a.exe	83
PID 4760 wrote to memory of 2104	4760	WScript.exe	85
PID 4760 wrote to memory of 2104	4760	WScript.exe	85
PID 4760 wrote to memory of 2104	4760	WScript.exe	85
PID 2104 wrote to memory of 1664	2104	cmd.exe	87
PID 2104 wrote to memory of 1664	2104	cmd.exe	87
PID 1664 wrote to memory of 4808	1664	serverperf.exe	99
PID 1664 wrote to memory of 4808	1664	serverperf.exe	99
PID 4808 wrote to memory of 2556	4808	cmd.exe	101
PID 4808 wrote to memory of 2556	4808	cmd.exe	101
PID 4808 wrote to memory of 1624	4808	cmd.exe	108
PID 4808 wrote to memory of 1624	4808	cmd.exe	108
PID 1624 wrote to memory of 4900	1624	upfc.exe	118
PID 1624 wrote to memory of 4900	1624	upfc.exe	118
PID 4900 wrote to memory of 4044	4900	cmd.exe	120
PID 4900 wrote to memory of 4044	4900	cmd.exe	120
PID 4900 wrote to memory of 4036	4900	cmd.exe	122
PID 4900 wrote to memory of 4036	4900	cmd.exe	122
PID 4036 wrote to memory of 3412	4036	upfc.exe	129
PID 4036 wrote to memory of 3412	4036	upfc.exe	129
PID 3412 wrote to memory of 3372	3412	cmd.exe	131
PID 3412 wrote to memory of 3372	3412	cmd.exe	131
PID 3412 wrote to memory of 644	3412	cmd.exe	133
PID 3412 wrote to memory of 644	3412	cmd.exe	133
PID 644 wrote to memory of 4452	644	upfc.exe	137
PID 644 wrote to memory of 4452	644	upfc.exe	137
PID 4452 wrote to memory of 3336	4452	cmd.exe	139
PID 4452 wrote to memory of 3336	4452	cmd.exe	139
PID 4452 wrote to memory of 4944	4452	cmd.exe	141
PID 4452 wrote to memory of 4944	4452	cmd.exe	141
PID 4944 wrote to memory of 3280	4944	upfc.exe	144
PID 4944 wrote to memory of 3280	4944	upfc.exe	144
PID 3280 wrote to memory of 3740	3280	cmd.exe	146
PID 3280 wrote to memory of 3740	3280	cmd.exe	146
PID 3280 wrote to memory of 224	3280	cmd.exe	149
PID 3280 wrote to memory of 224	3280	cmd.exe	149
PID 224 wrote to memory of 4828	224	upfc.exe	152
PID 224 wrote to memory of 4828	224	upfc.exe	152
PID 4828 wrote to memory of 2304	4828	cmd.exe	154
PID 4828 wrote to memory of 2304	4828	cmd.exe	154
PID 4828 wrote to memory of 4560	4828	cmd.exe	156
PID 4828 wrote to memory of 4560	4828	cmd.exe	156
PID 4560 wrote to memory of 4028	4560	upfc.exe	160
PID 4560 wrote to memory of 4028	4560	upfc.exe	160
PID 4028 wrote to memory of 3636	4028	cmd.exe	162
PID 4028 wrote to memory of 3636	4028	cmd.exe	162
PID 4028 wrote to memory of 2012	4028	cmd.exe	164
PID 4028 wrote to memory of 2012	4028	cmd.exe	164
PID 2012 wrote to memory of 4140	2012	upfc.exe	168
PID 2012 wrote to memory of 4140	2012	upfc.exe	168
PID 4140 wrote to memory of 1356	4140	cmd.exe	170
PID 4140 wrote to memory of 1356	4140	cmd.exe	170
PID 4140 wrote to memory of 2924	4140	cmd.exe	172
PID 4140 wrote to memory of 2924	4140	cmd.exe	172
PID 2924 wrote to memory of 2224	2924	upfc.exe	175
PID 2924 wrote to memory of 2224	2924	upfc.exe	175
PID 2224 wrote to memory of 4520	2224	cmd.exe	177
PID 2224 wrote to memory of 4520	2224	cmd.exe	177
PID 2224 wrote to memory of 1776	2224	cmd.exe	179
PID 2224 wrote to memory of 1776	2224	cmd.exe	179
PID 1776 wrote to memory of 4848	1776	upfc.exe	182
PID 1776 wrote to memory of 4848	1776	upfc.exe	182

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\65063fcd5a9010a706580e11f6abf886a45fa6dd15743bdc41a49b1f9ac5761a.exe
"C:\Users\Admin\AppData\Local\Temp\65063fcd5a9010a706580e11f6abf886a45fa6dd15743bdc41a49b1f9ac5761a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\refhostperf\YDUzd2DburnkxzGba.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\refhostperf\24yvIrFqc9yigx6x0kwB7b7gqXz7Pn.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\refhostperf\serverperf.exe
      "C:\refhostperf\serverperf.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1664
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Hk7QPHCE3Z.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4808
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2556
      - C:\refhostperf\upfc.exe
        
        "C:\refhostperf\upfc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W3ML2JPNvQ.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4044
        
        C:\refhostperf\upfc.exe
        
        "C:\refhostperf\upfc.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GQn77QEoUi.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3372
        
        C:\refhostperf\upfc.exe
        
        "C:\refhostperf\upfc.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qsbi9TUILn.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3336
        
        C:\refhostperf\upfc.exe
        
        "C:\refhostperf\upfc.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3740
        
        C:\refhostperf\upfc.exe
        
        "C:\refhostperf\upfc.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VCTPXfsZqS.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2304
        
        C:\refhostperf\upfc.exe
        
        "C:\refhostperf\upfc.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3636
        
        C:\refhostperf\upfc.exe
        
        "C:\refhostperf\upfc.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1356
        
        C:\refhostperf\upfc.exe
        
        "C:\refhostperf\upfc.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sodlpYYBfa.bat"
        21⤵
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:4520
        
        C:\refhostperf\upfc.exe
        
        "C:\refhostperf\upfc.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat"
        23⤵
        
        PID:4848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:4248
        
        C:\refhostperf\upfc.exe
        
        "C:\refhostperf\upfc.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat"
        25⤵
        
        PID:1984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1416
        
        C:\refhostperf\upfc.exe
        
        "C:\refhostperf\upfc.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\refhostperf\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\refhostperf\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\refhostperf\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\upfc.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat

Filesize
188B

MD5
90dd6b09cf47c7375f88fea13c94d319

SHA1
5b471fd265786b0ad1e1706bd06ca0fc90765fca

SHA256
1ef5bb0ea9ff2c13e900e59609e1d0d1a1f76e41c65f60b76697e495dfe0c6aa

SHA512
0dfc1ff06394ef58683e41a90f636ced9ee817ff6364c2fe8ae52b7f7441fdcbd354a2ad9888aebb89f7e682c469fd43238f296865009b7af2370b04969b51b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQn77QEoUi.bat

Filesize
188B

MD5
f2f71de9105d36363b69e576ee636a7f

SHA1
beba33f3cffe390c5dc5803ac4f6d9efd0b68b63

SHA256
34bae4fae269657d8aaf6d99a4724c2abbd7df175e34feabfc3c8f512e922237

SHA512
97e14521cb3b93447c6a72c2020b980200ac709b2afd273a4fcea70f00ac9f00b71babc87eb18f206932b0fed752eab4a162375590b9889a83276a39d6804cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hk7QPHCE3Z.bat

Filesize
188B

MD5
6c8ed14198ef6d51cd2363bbac67264d

SHA1
88d8d98de7ae8f2795427ea656535ef0b9c01d1a

SHA256
d91b516c2bb0c38132fc6bcc14fb95365fd3c69dcb75d6278874656f112f6ab6

SHA512
1355abf18483d5af24d15696e64ef0d72e6e4c666356f94baab01c236cf7a7f303d4dd200c8963e9d5f6e02fe757bedeead56c184bbcaff76133194ce15eed7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat

Filesize
188B

MD5
a1248058bb612f47de88728b508e5c7f

SHA1
2bfb97239fac2fad2c57be05a2554e24a8a8c128

SHA256
0327334a0c5e17904c179e023369aacfe0216f8fa6ea6e49ca4d0b1f9fbb4a85

SHA512
8f26ca6dd81c7499e8c9867bb036dec7b84ddde620752bafd55a02c980f0f4bb691e5645591ed267806a08f2580360b12f043f7634afc0924b534d421c429bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCTPXfsZqS.bat

Filesize
188B

MD5
5ae8f35bf47564cda4b1239312731d2d

SHA1
da84b76c3d95dbd7bbe5ac5d84a90afa78afd930

SHA256
525e44064dbc2411422c2ca95807cb4b0f5b3218f046ef2ee589111151349f97

SHA512
1cf64c6eab167c30ada7c372c340d425306a6786ebc3dcc4bb5971afa03524691363db30765b607124a02eed5b7cd5d6058255a321b987b62e258006b947ce6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\W3ML2JPNvQ.bat

Filesize
188B

MD5
a5b2c34ae789361dbe1301cdaa8f117b

SHA1
d70dc76fd32e50e1a3aebc8bb0b4ffc699a9578c

SHA256
240f24ca297a09b12ee09d3718c76ed9cf62ceb530e9d0d2c323f82754171237

SHA512
8b8c880ff124d04199ca8ce220e3403ec8312e3cdb29440541408c39d896b9ae383e4768372537bcf38c88e19c6596bd564e679e08f952dd17657b5f95e6c045

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat

Filesize
188B

MD5
e638361fcd4c5d3b93437abf8cf8d3d6

SHA1
895f97ec98fb1654e3136e1622305991955db9ea

SHA256
74847fb6d43cded31ce1b63639462f5e7d0d50e55c5dc6f3c5e5e10da8de94ff

SHA512
1eaca74678ccc6ace7df183ba0d67031982b8a28b83740acbfbec2396b4294f3608df3a076421a1f3f1a0cf1aca347eaa9495c4e0bc10c777c3b53836697d5d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat

Filesize
188B

MD5
2745402f4e86d556a9365bd2fc2b2f91

SHA1
da1a46837837055375c98dabee436796cfdb1c9e

SHA256
d9a555983a01720ec47d6c6a302114bc9e07642ddda618e68a4897870a837e5a

SHA512
5c7f286b5271dd08114428a68c9685b966978e18d24b1b8054f4a59eca937a4f71c760fb2da1ce72a5b143d564d7016afbbd92a73924f7290bffad0205fbd11d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsbi9TUILn.bat

Filesize
188B

MD5
b6a10c30d29cee6e9c89c176834fe1ec

SHA1
7255738555d426004662f8f191c09b5c0051a1eb

SHA256
cf8b74268df9e040d6276e497091e800b7b7d9329782239509c35744dda950e4

SHA512
b915655154bd9c34e5318ecd560610b96fcec08b7d00b324e18e9680ba81e7bf2a6b997b519ec6c8f5bdfe25784b0d68e616be771ca83906e48a901ebfff26e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sodlpYYBfa.bat

Filesize
188B

MD5
a10f796d2f53b2d8cab8dc7f17e54590

SHA1
6b92dde0ec1685e1252d9269618e7b2d84b620b5

SHA256
1169df9f9c45dfadce822b5bb0686f5602c4779e581032c131e14c64973ed969

SHA512
cc31fd6626b68883c7d22054cf1a54071dc7c338bc7416cd9ce3881f278f84bcbcb0a2bd1fa0eb5457f3570842269580f6323df0c4d6caaf77ad6f666586f076

Download Submit
C:\refhostperf\24yvIrFqc9yigx6x0kwB7b7gqXz7Pn.bat

Filesize
31B

MD5
659397b18711665774947ed6189e91ae

SHA1
73006ef2a02a72132f180e873324e8a6e4c593df

SHA256
a939eb9c97b5aad7a4aa9cc522e93a81399fffc03b7536f603175a90d3fc6130

SHA512
f68315f1f2aad292176dc1f845da4fa4acb59bedf4f446130edc73481bf6bcc2e765258fbc558b1b3b3a08590e25e6937e9046adf4f00eb2afbb172646298c30

Download Submit
C:\refhostperf\YDUzd2DburnkxzGba.vbe

Filesize
218B

MD5
693da7c1e4c7e39bb88041ca03bbf61e

SHA1
87ff5e77258e4ff5833a04ce4168d287510d32d6

SHA256
3ea997020623cbd40f68cff156f5ede16b0a4c2418b07ee5dacf64770a7fff99

SHA512
f64a9f10099e9cc009160ead27a6c6420a78a7265ffeb754fc3819f418bc02ccea0be2c3b24dd9849b90a7423e850ae4fb5253958ccd5cc92867e094508da837

Download Submit
C:\refhostperf\serverperf.exe

Filesize
1.2MB

MD5
7fec3eebd710313f7b35254d792228fc

SHA1
e55a429782c6f78e6fc8c80d6fb71a85ce1d01aa

SHA256
3d32ef71bff87e2ac881484cea6b82bd52090a7252c8719f11fb73bb8f63a405

SHA512
83932d7ac29af18c3a0f1424d2cd3e2a1810e908c828377f5c0d6e72240820c3778378c9c3f0c7b86ca94a8265d9c7c0e2b9460de288f07b62c98cd89d699af4

Download Submit
memory/1664-13-0x0000000000B50000-0x0000000000C86000-memory.dmp

Filesize
1.2MB

Download
memory/1664-14-0x0000000001510000-0x000000000152C000-memory.dmp

Filesize
112KB

Download
memory/1664-12-0x00007FFB89533000-0x00007FFB89535000-memory.dmp

Filesize
8KB

Download
memory/1664-16-0x0000000001530000-0x0000000001546000-memory.dmp

Filesize
88KB

Download
memory/1664-15-0x0000000002F70000-0x0000000002FC0000-memory.dmp

Filesize
320KB

Download
memory/1664-17-0x0000000001450000-0x000000000145E000-memory.dmp

Filesize
56KB

Download