dcrat | 09bdb3282e1927dcb848126823280b066827c5dadd17ee6d445922440889d8f2

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/01/2025, 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NursultanAlphaCrack.bat.exe
Size

2.7MB
MD5

df15d1f8f7cc71bb1889895b367c7d2c
SHA1

4a9d087d105976a1f7a1c7444a25b5e0a8ac0622
SHA256

09bdb3282e1927dcb848126823280b066827c5dadd17ee6d445922440889d8f2
SHA512

3c5215abd2ca1cee15ae3592eea15cebec2ce0127221c96634ad07ea53cf9fa397bfecd229a56b38c879f2fe6dadfc8bd58ac6541bcfc6eba65017d4b3694e4f
SSDEEP

49152:IBJVZP6vgp9kHCayPPLHCLXbX4pKXDys7yqmHji4Rnh:y7oYp9kiHPbCfX4rsu3GQh

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2504	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2504	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2504	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2504	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2504	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2504	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2504	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2504	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	2504	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2504	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2504	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2504	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	2504	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	2504	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2504	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2504	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2504	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2504	schtasks.exe	34

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2148	powershell.exe
2472	powershell.exe
1072	powershell.exe
2684	powershell.exe
2128	powershell.exe
2152	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2136	BlockcontainerWin.exe
1764	smss.exe
2832	smss.exe
1448	smss.exe
608	smss.exe
1696	smss.exe
2868	smss.exe
348	smss.exe
2024	smss.exe
1568	smss.exe
2264	smss.exe
2848	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
2304	cmd.exe
2304	cmd.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\lib\cmm\smss.exe	BlockcontainerWin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\smss.exe	BlockcontainerWin.exe
File created	C:\Program Files\Java\jre7\lib\cmm\69ddcba757bf72	BlockcontainerWin.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\BitLockerDiscoveryVolumeContents\services.exe	BlockcontainerWin.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\c5b4cb5e9653cc	BlockcontainerWin.exe
File created	C:\Windows\Registration\CRMLog\System.exe	BlockcontainerWin.exe
File created	C:\Windows\Registration\CRMLog\27d1bcfc3c54e0	BlockcontainerWin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NursultanAlphaCrack.bat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1364	PING.EXE
2812	PING.EXE
1072	PING.EXE
1524	PING.EXE
2056	PING.EXE
2076	PING.EXE

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
2812	PING.EXE
1072	PING.EXE
1524	PING.EXE
2056	PING.EXE
2076	PING.EXE
1364	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2876	schtasks.exe
2608	schtasks.exe
2792	schtasks.exe
2020	schtasks.exe
2308	schtasks.exe
1632	schtasks.exe
348	schtasks.exe
2172	schtasks.exe
2780	schtasks.exe
2096	schtasks.exe
2700	schtasks.exe
1344	schtasks.exe
1320	schtasks.exe
464	schtasks.exe
396	schtasks.exe
2216	schtasks.exe
2840	schtasks.exe
636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe
2136	BlockcontainerWin.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	BlockcontainerWin.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	1764	smss.exe
Token: SeDebugPrivilege	2832	smss.exe
Token: SeDebugPrivilege	1448	smss.exe
Token: SeDebugPrivilege	608	smss.exe
Token: SeDebugPrivilege	1696	smss.exe
Token: SeDebugPrivilege	2868	smss.exe
Token: SeDebugPrivilege	348	smss.exe
Token: SeDebugPrivilege	2024	smss.exe
Token: SeDebugPrivilege	1568	smss.exe
Token: SeDebugPrivilege	2264	smss.exe
Token: SeDebugPrivilege	2848	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 1764	2672	NursultanAlphaCrack.bat.exe	30
PID 2672 wrote to memory of 1764	2672	NursultanAlphaCrack.bat.exe	30
PID 2672 wrote to memory of 1764	2672	NursultanAlphaCrack.bat.exe	30
PID 2672 wrote to memory of 1764	2672	NursultanAlphaCrack.bat.exe	30
PID 1764 wrote to memory of 2304	1764	WScript.exe	31
PID 1764 wrote to memory of 2304	1764	WScript.exe	31
PID 1764 wrote to memory of 2304	1764	WScript.exe	31
PID 1764 wrote to memory of 2304	1764	WScript.exe	31
PID 2304 wrote to memory of 2136	2304	cmd.exe	33
PID 2304 wrote to memory of 2136	2304	cmd.exe	33
PID 2304 wrote to memory of 2136	2304	cmd.exe	33
PID 2304 wrote to memory of 2136	2304	cmd.exe	33
PID 2136 wrote to memory of 2152	2136	BlockcontainerWin.exe	53
PID 2136 wrote to memory of 2152	2136	BlockcontainerWin.exe	53
PID 2136 wrote to memory of 2152	2136	BlockcontainerWin.exe	53
PID 2136 wrote to memory of 2684	2136	BlockcontainerWin.exe	54
PID 2136 wrote to memory of 2684	2136	BlockcontainerWin.exe	54
PID 2136 wrote to memory of 2684	2136	BlockcontainerWin.exe	54
PID 2136 wrote to memory of 2472	2136	BlockcontainerWin.exe	55
PID 2136 wrote to memory of 2472	2136	BlockcontainerWin.exe	55
PID 2136 wrote to memory of 2472	2136	BlockcontainerWin.exe	55
PID 2136 wrote to memory of 2148	2136	BlockcontainerWin.exe	56
PID 2136 wrote to memory of 2148	2136	BlockcontainerWin.exe	56
PID 2136 wrote to memory of 2148	2136	BlockcontainerWin.exe	56
PID 2136 wrote to memory of 1072	2136	BlockcontainerWin.exe	57
PID 2136 wrote to memory of 1072	2136	BlockcontainerWin.exe	57
PID 2136 wrote to memory of 1072	2136	BlockcontainerWin.exe	57
PID 2136 wrote to memory of 2128	2136	BlockcontainerWin.exe	58
PID 2136 wrote to memory of 2128	2136	BlockcontainerWin.exe	58
PID 2136 wrote to memory of 2128	2136	BlockcontainerWin.exe	58
PID 2136 wrote to memory of 912	2136	BlockcontainerWin.exe	65
PID 2136 wrote to memory of 912	2136	BlockcontainerWin.exe	65
PID 2136 wrote to memory of 912	2136	BlockcontainerWin.exe	65
PID 912 wrote to memory of 2212	912	cmd.exe	67
PID 912 wrote to memory of 2212	912	cmd.exe	67
PID 912 wrote to memory of 2212	912	cmd.exe	67
PID 912 wrote to memory of 2056	912	cmd.exe	68
PID 912 wrote to memory of 2056	912	cmd.exe	68
PID 912 wrote to memory of 2056	912	cmd.exe	68
PID 912 wrote to memory of 1764	912	cmd.exe	71
PID 912 wrote to memory of 1764	912	cmd.exe	71
PID 912 wrote to memory of 1764	912	cmd.exe	71
PID 1764 wrote to memory of 676	1764	smss.exe	72
PID 1764 wrote to memory of 676	1764	smss.exe	72
PID 1764 wrote to memory of 676	1764	smss.exe	72
PID 676 wrote to memory of 2900	676	cmd.exe	74
PID 676 wrote to memory of 2900	676	cmd.exe	74
PID 676 wrote to memory of 2900	676	cmd.exe	74
PID 676 wrote to memory of 264	676	cmd.exe	75
PID 676 wrote to memory of 264	676	cmd.exe	75
PID 676 wrote to memory of 264	676	cmd.exe	75
PID 676 wrote to memory of 2832	676	cmd.exe	76
PID 676 wrote to memory of 2832	676	cmd.exe	76
PID 676 wrote to memory of 2832	676	cmd.exe	76
PID 2832 wrote to memory of 2944	2832	smss.exe	77
PID 2832 wrote to memory of 2944	2832	smss.exe	77
PID 2832 wrote to memory of 2944	2832	smss.exe	77
PID 2944 wrote to memory of 2300	2944	cmd.exe	79
PID 2944 wrote to memory of 2300	2944	cmd.exe	79
PID 2944 wrote to memory of 2300	2944	cmd.exe	79
PID 2944 wrote to memory of 2076	2944	cmd.exe	80
PID 2944 wrote to memory of 2076	2944	cmd.exe	80
PID 2944 wrote to memory of 2076	2944	cmd.exe	80
PID 2944 wrote to memory of 1448	2944	cmd.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.bat.exe
"C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.bat.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\portsurrogateFontCrt\unyQgcnbrXR6kUk3LNilotfJnp9OLZPJv809nYh2EMxHRw3.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\portsurrogateFontCrt\mhHwHj5jfnxhi.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\portsurrogateFontCrt\BlockcontainerWin.exe
      "C:\portsurrogateFontCrt/BlockcontainerWin.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\BlockcontainerWin.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\lib\cmm\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\portsurrogateFontCrt\BlockcontainerWin.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4cvZpf4J4N.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:912
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2212
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2056
      - C:\Program Files\Java\jre7\lib\cmm\smss.exe
        
        "C:\Program Files\Java\jre7\lib\cmm\smss.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zYh8fPsglb.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:264
        
        C:\Program Files\Java\jre7\lib\cmm\smss.exe
        
        "C:\Program Files\Java\jre7\lib\cmm\smss.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1LArpmQ7xZ.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2300
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2076
        
        C:\Program Files\Java\jre7\lib\cmm\smss.exe
        
        "C:\Program Files\Java\jre7\lib\cmm\smss.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mESeKRNGrE.bat"
        11⤵
        
        PID:2304
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:884
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1364
        
        C:\Program Files\Java\jre7\lib\cmm\smss.exe
        
        "C:\Program Files\Java\jre7\lib\cmm\smss.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h8EtIycUgV.bat"
        13⤵
        
        PID:1756
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1072
        
        C:\Program Files\Java\jre7\lib\cmm\smss.exe
        
        "C:\Program Files\Java\jre7\lib\cmm\smss.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XSURxompSY.bat"
        15⤵
        
        PID:2352
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2680
        
        C:\Program Files\Java\jre7\lib\cmm\smss.exe
        
        "C:\Program Files\Java\jre7\lib\cmm\smss.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0RyEHAiYPp.bat"
        17⤵
        
        PID:2608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1580
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2812
        
        C:\Program Files\Java\jre7\lib\cmm\smss.exe
        
        "C:\Program Files\Java\jre7\lib\cmm\smss.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Cq054WUQlS.bat"
        19⤵
        
        PID:2944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2652
        
        C:\Program Files\Java\jre7\lib\cmm\smss.exe
        
        "C:\Program Files\Java\jre7\lib\cmm\smss.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u6uLkwxv3A.bat"
        21⤵
        
        PID:2272
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2004
        
        C:\Program Files\Java\jre7\lib\cmm\smss.exe
        
        "C:\Program Files\Java\jre7\lib\cmm\smss.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4XCyKdTKaY.bat"
        23⤵
        
        PID:2388
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2452
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1072
        
        C:\Program Files\Java\jre7\lib\cmm\smss.exe
        
        "C:\Program Files\Java\jre7\lib\cmm\smss.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1fnMmvhPbk.bat"
        25⤵
        
        PID:2540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1524
        
        C:\Program Files\Java\jre7\lib\cmm\smss.exe
        
        "C:\Program Files\Java\jre7\lib\cmm\smss.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bgR6NVhjy4.bat"
        27⤵
        
        PID:1628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\Registration\CRMLog\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\Registration\CRMLog\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BlockcontainerWinB" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\BlockcontainerWin.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BlockcontainerWin" /sc ONLOGON /tr "'C:\MSOCache\All Users\BlockcontainerWin.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BlockcontainerWinB" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\BlockcontainerWin.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Desktop\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Desktop\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\lib\cmm\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lib\cmm\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\lib\cmm\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BlockcontainerWinB" /sc MINUTE /mo 13 /tr "'C:\portsurrogateFontCrt\BlockcontainerWin.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BlockcontainerWin" /sc ONLOGON /tr "'C:\portsurrogateFontCrt\BlockcontainerWin.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BlockcontainerWinB" /sc MINUTE /mo 7 /tr "'C:\portsurrogateFontCrt\BlockcontainerWin.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0RyEHAiYPp.bat

Filesize
171B

MD5
f2ac1f22a57a9e0b8e714c9f60957b42

SHA1
3e900e6dc59c1e391930e66a6658746421ea56aa

SHA256
c056b7da01cc8a9923b50776a4acc6f05c819802acebfb464a0a702371f3f946

SHA512
849a845af1bf9b91e278d9f02f07d95a40bc523df32e01982c3b7d8accb9b5e4f55eb7b357014337088f05644f68954c87f9fbd6891b2c413616c649f79d2c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1LArpmQ7xZ.bat

Filesize
171B

MD5
43d195e54124a01355559f94a4077e9b

SHA1
1179a499cdc70a5c403d2f117d64ba05bd961802

SHA256
f64c5f4032eebe67b403afef5add50a2e8698e3a403be6ecec0c3b60335d4888

SHA512
b445986995744a276917e3a21e57cf08a0618f6f301006bf41eecbb14278870bbc7887b37da2e8e45dea86ce499899f426181e7ea15cfa512980ce7562aac669

Download Submit
C:\Users\Admin\AppData\Local\Temp\1fnMmvhPbk.bat

Filesize
171B

MD5
81ed034323d1c71e6cde1925e4024fea

SHA1
38a3a6450f07781fa8546ffb6b8bd2312f61b7ad

SHA256
1b84a4e6c8b666ab16a3d57ea5e5a55bee6c854dfbc24554a0f6c80fb73e9bdf

SHA512
58ec90a3281a38c5ad2225abf520a965b813295190ad2b6dbab1c988849543645d386cf0bd06869509f5c0292bc3a8fdc7e043c8736c7461e33815bc76352d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\4XCyKdTKaY.bat

Filesize
171B

MD5
cb7a7611f506ed7155a33d1ffd99cead

SHA1
57b796f4c1dc47cdc1fecfac38357bd28e4bb1dd

SHA256
8b6dd4b8bd2a4176a2ca3cd272fccf282fe50c302607ce2ae093802eb0281b64

SHA512
6a0cfdba1c6be918b157608c29ca78a24d5fb66cc784df6d7cb00de6f30da71a4cb9ecb90a2f781ccaff0fd103c4a511288eb518d11bcf92d0c07d36db3430c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\4cvZpf4J4N.bat

Filesize
171B

MD5
a0fcaa73380f1c03429aef7ad88d651b

SHA1
8e2bdf1e0d53a3201ff4ecf63c216023379caf3d

SHA256
7c7fd0a1d87c838016dd567e2d3e5d7f98b22f0d3095d306ed790d82c8d0912e

SHA512
dba0c59630881d0dbc28023796a15068ce7da5a22ec0a448585c509dc0b4540a7c2919842371b9056c9311afaa2c78779df19ad5cec3087ed356f047de2d4a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cq054WUQlS.bat

Filesize
219B

MD5
566ca79e8e34ec55edaf8771973e14b0

SHA1
35b2e6088b66cd2ed64e60548bb05b327c39e116

SHA256
39bb7b50640a3832578371eeab39d9768bf9d9d91791ebdffbecf9f82d0cada1

SHA512
eb722e73fc5fe82fbfc0a732b5ca09312642278a1ba0a2fd7a2ca6a8279548704726795e0590536f3856df63c2b2801cc53ea8c0ce0588aeb1e43f2172f43ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XSURxompSY.bat

Filesize
219B

MD5
9cd69b18fa60b4c6c597ac19422a1a79

SHA1
f1467a9dcd6ac0941400ae601027df0b2066620b

SHA256
5d59f51f8235ccbfa2014ead0ee7d6b8637f9f1c5cb5a68e17e8bbc1c68f896b

SHA512
a90d0a3e4565516639ab81f0a5b5d0c2078c219723ecf1127e9b405248357d8cbe048b269ac6091ae15f6d47da1a11b16651d1a8fc3e59b75e56a82a40367cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgR6NVhjy4.bat

Filesize
219B

MD5
80735bfbfb339c04d5a0a76c9aa5b6db

SHA1
1696c3eefa0fa005d6b8e344b495143a98709aab

SHA256
9e12e3e9ea503fa36642f20f2de49acc9c333be25bc49417cc8f3c46181a3bb2

SHA512
26bff8ec53192225eafeb26d630f096b309c521861a622d38d5e4e619f9e22662d89e95cec2e0bb25c346eb08b7019dc93ed8e6b5d9097018a373aab2b3cfad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8EtIycUgV.bat

Filesize
219B

MD5
97a0e745bce088b5a6ac6bcb11e0b2e2

SHA1
bac9ef9375537cffe3db58adf0e14cce4c08945e

SHA256
fd4b06725b67543f5ab10440fb99243ad26281294c2c646f1fde322e689ac51e

SHA512
f7320821c9a077d923cf118a33cd5fb0d9cb1789dd1cdc01cacb3d11fe0c43b8a74c919ada002ca2114dc1253e609d2aa0ac2fa7dca1b7d8732b2a699a38ccdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mESeKRNGrE.bat

Filesize
171B

MD5
36372c3800686acc39e0086fd211b37b

SHA1
e195d73f963e16bc2a7a7aac64082527b6320826

SHA256
391566fb5f50ab5a276c620dbfd47213534f904990622e84d162ee0465c8eb61

SHA512
418446944c2516e6febea6693dc050c6f83db5bf16e18cb377e3d642e05e94dbb0081fccdfc7b040608a51f81b7a0c41f8b8d48989cf37384154ff6052f4bdb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\u6uLkwxv3A.bat

Filesize
219B

MD5
b6f218b57aed0624cc7e8a43f5553bd0

SHA1
88371ca5b8ea05096df790aa75c5e5b447681fbe

SHA256
4ea2a8fd0090efbcbe96c0a27227aeeec3c45bbf1abc4375ad2010031390466d

SHA512
adc47413656dc9befaec4cd829d79e3f860e438e31953acec2400a8931aae6c895abd6f74389f25df055819b2c82d8fda56d85637832ac01584b3a9825d5f508

Download Submit
C:\Users\Admin\AppData\Local\Temp\zYh8fPsglb.bat

Filesize
219B

MD5
af271bf8c2680973aa6412390837fa26

SHA1
9bd28124dcb5bc2470d3eb885c17bfab1a8adf52

SHA256
1b942625127c6db414e5be2f9aa4bc61e35abe396afac8cdb82becce866f801f

SHA512
06c07a9a920b8b66861c2e6d1422314bfae597100fa3adaddc36a61d6de0b8e58665b5b12c079e5de279fa635ab7fd15b3f2cedeadf3367854cfdb51e8adbd4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ab08b491d26a40d3dbed45bf8198a695

SHA1
4ddb88fd471b84dbb1e2c78662d95c51a854b5bd

SHA256
0b66a861bd1df7d1366ba49dc3bf5146efef4fc49dd0c98ca09cc6dbe4df6ede

SHA512
31de768bd6a8d4adcfe953d6c776d9fc07d02b58b617d5a038ff22a12462d75740828e4c563026c385603a1e288150cdcf7bdc93a966c24e0aa454c563e8337b

Download Submit
C:\portsurrogateFontCrt\mhHwHj5jfnxhi.bat

Filesize
85B

MD5
2f3c3a6c3a477313d6ab3d03f90be8c2

SHA1
1afe24a9f578c49b35c34855441455ebe4f04369

SHA256
ecff07d881b76f45aa8142eb1cb8a1e21f8f1f51217968cc623aa7ff4dfb4aee

SHA512
fe223a07eb4b7c8799ecdaf4e149f8d3f902648bddaa55efa28095db2320ff796dd017b3059cba6282e0e085c7b30aa2a4202105e48c7da6c40b19484c3c2d8f

Download Submit
C:\portsurrogateFontCrt\unyQgcnbrXR6kUk3LNilotfJnp9OLZPJv809nYh2EMxHRw3.vbe

Filesize
211B

MD5
0b67bf20e24eac268c690e05e9e59711

SHA1
2768696c3fff8aade04325ead3ad4366e9393084

SHA256
88907a441f365c8d0ec4f523f0f38f97434528ca151b928cf8f1c29db80afe8a

SHA512
64d956b71dc25615b8deea4ce5d8dc3f2b79e7ca6dfa289fb5c73f3fe63e14698a739ddcbb3d257569342d6afe543aa76837f30499405097b356cdaa17b05fcd

Download Submit
\portsurrogateFontCrt\BlockcontainerWin.exe

Filesize
2.4MB

MD5
b3f6318c958712d0c78b5a969ee2efd1

SHA1
abf4cf8782f366a10df36ff706afeaffd07df514

SHA256
e2d2a557cf97f4d81a7d476d3fb5e43405f6e79fe266032dd3d8650d6b81d846

SHA512
67f987ca27548c3ef21e7c27990653e1443b0a761262ef2351bf1fd670903e7652e1a215a206b2fc197dba33a661e762f410ab63b1605a2571c1872c75c78912

Download Submit
memory/1448-114-0x0000000000FA0000-0x0000000001214000-memory.dmp

Filesize
2.5MB

Download
memory/1568-207-0x0000000000CD0000-0x0000000000F44000-memory.dmp

Filesize
2.5MB

Download
memory/1764-81-0x0000000000D00000-0x0000000000F74000-memory.dmp

Filesize
2.5MB

Download
memory/2024-191-0x00000000002F0000-0x0000000000564000-memory.dmp

Filesize
2.5MB

Download
memory/2136-15-0x0000000000420000-0x000000000042E000-memory.dmp

Filesize
56KB

Download
memory/2136-13-0x00000000013A0000-0x0000000001614000-memory.dmp

Filesize
2.5MB

Download
memory/2136-27-0x0000000000C90000-0x0000000000CA8000-memory.dmp

Filesize
96KB

Download
memory/2136-23-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/2136-19-0x0000000000430000-0x0000000000440000-memory.dmp

Filesize
64KB

Download
memory/2136-17-0x0000000000A90000-0x0000000000AAC000-memory.dmp

Filesize
112KB

Download
memory/2136-25-0x0000000000440000-0x000000000044E000-memory.dmp

Filesize
56KB

Download
memory/2136-29-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2136-21-0x0000000000AB0000-0x0000000000AC8000-memory.dmp

Filesize
96KB

Download
memory/2136-31-0x000000001AA70000-0x000000001AABE000-memory.dmp

Filesize
312KB

Download
memory/2472-57-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/2472-58-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/2832-97-0x0000000000070000-0x00000000002E4000-memory.dmp

Filesize
2.5MB

Download
memory/2848-239-0x00000000011D0000-0x0000000001444000-memory.dmp

Filesize
2.5MB

Download