dcrat | 41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
Size

2.3MB
MD5

1e83ded2729ce777053c604e7d667c38
SHA1

e4de4580f9e80703961c6df8b3dc687d6ff16cda
SHA256

41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309
SHA512

6c032fee11131744a6234b9011e700faa12aaa194afc8d32f1206d61bbe397b7b4f9f278192e32883379e0ecb178b1aedf426285745c23a127e9db2495867ad1
SSDEEP

49152:P581k6pWQwY9zhWLCGUdeuGMvLq0jvYQxkm:P58C6pgTEO0jvYQR

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat 12 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

pid	Process
972	schtasks.exe
2136	schtasks.exe
4648	schtasks.exe
3820	schtasks.exe
2224	schtasks.exe
1296	schtasks.exe
4960	schtasks.exe
2596	schtasks.exe
2016	schtasks.exe
4536	schtasks.exe
5012	schtasks.exe
1852	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2708	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	2708	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	2708	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	2708	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2708	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2708	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2708	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2708	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	2708	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2708	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3820	2708	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	2708	schtasks.exe	83

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1724-1-0x0000000000AD0000-0x0000000000D20000-memory.dmp	dcrat
behavioral2/files/0x0008000000023bdb-29.dat	dcrat

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe

Executes dropped EXE 13 IoCs

pid	Process
4568	dwm.exe
4936	dwm.exe
3568	dwm.exe
4064	dwm.exe
4704	dwm.exe
2676	dwm.exe
4648	dwm.exe
2804	dwm.exe
3948	dwm.exe
2228	dwm.exe
4260	dwm.exe
3472	dwm.exe
2748	dwm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
44	pastebin.com
54	pastebin.com
55	pastebin.com
16	pastebin.com
17	pastebin.com
51	pastebin.com
52	pastebin.com
38	pastebin.com
46	pastebin.com
40	pastebin.com
45	pastebin.com
53	pastebin.com
24	pastebin.com
39	pastebin.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\dwm.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files\Windows Photo Viewer\6cb0b6c459d5d3	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files\Windows Sidebar\sysmon.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File opened for modification	C:\Program Files\Windows Sidebar\sysmon.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files\Windows Sidebar\121e5b5079f7c0	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dwm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3820	schtasks.exe
2596	schtasks.exe
4536	schtasks.exe
972	schtasks.exe
2136	schtasks.exe
1852	schtasks.exe
2224	schtasks.exe
4648	schtasks.exe
4960	schtasks.exe
5012	schtasks.exe
2016	schtasks.exe
1296	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1724	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4624	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4568	dwm.exe
4936	dwm.exe
3568	dwm.exe
4064	dwm.exe
4704	dwm.exe
2676	dwm.exe
4648	dwm.exe
2804	dwm.exe
3948	dwm.exe
2228	dwm.exe
4260	dwm.exe
3472	dwm.exe
2748	dwm.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
Token: SeDebugPrivilege	4624	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
Token: SeDebugPrivilege	4568	dwm.exe
Token: SeDebugPrivilege	4936	dwm.exe
Token: SeDebugPrivilege	3568	dwm.exe
Token: SeDebugPrivilege	4064	dwm.exe
Token: SeDebugPrivilege	4704	dwm.exe
Token: SeDebugPrivilege	2676	dwm.exe
Token: SeDebugPrivilege	4648	dwm.exe
Token: SeDebugPrivilege	2804	dwm.exe
Token: SeDebugPrivilege	3948	dwm.exe
Token: SeDebugPrivilege	2228	dwm.exe
Token: SeDebugPrivilege	4260	dwm.exe
Token: SeDebugPrivilege	3472	dwm.exe
Token: SeDebugPrivilege	2748	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 456	1724	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe	90
PID 1724 wrote to memory of 456	1724	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe	90
PID 456 wrote to memory of 3016	456	cmd.exe	92
PID 456 wrote to memory of 3016	456	cmd.exe	92
PID 456 wrote to memory of 4624	456	cmd.exe	94
PID 456 wrote to memory of 4624	456	cmd.exe	94
PID 4624 wrote to memory of 4568	4624	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe	101
PID 4624 wrote to memory of 4568	4624	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe	101
PID 4568 wrote to memory of 4440	4568	dwm.exe	109
PID 4568 wrote to memory of 4440	4568	dwm.exe	109
PID 4440 wrote to memory of 964	4440	cmd.exe	112
PID 4440 wrote to memory of 964	4440	cmd.exe	112
PID 4440 wrote to memory of 4936	4440	cmd.exe	118
PID 4440 wrote to memory of 4936	4440	cmd.exe	118
PID 4936 wrote to memory of 996	4936	dwm.exe	122
PID 4936 wrote to memory of 996	4936	dwm.exe	122
PID 996 wrote to memory of 2084	996	cmd.exe	124
PID 996 wrote to memory of 2084	996	cmd.exe	124
PID 996 wrote to memory of 3568	996	cmd.exe	128
PID 996 wrote to memory of 3568	996	cmd.exe	128
PID 3568 wrote to memory of 4356	3568	dwm.exe	132
PID 3568 wrote to memory of 4356	3568	dwm.exe	132
PID 4356 wrote to memory of 5020	4356	cmd.exe	134
PID 4356 wrote to memory of 5020	4356	cmd.exe	134
PID 4356 wrote to memory of 4064	4356	cmd.exe	136
PID 4356 wrote to memory of 4064	4356	cmd.exe	136
PID 4064 wrote to memory of 2212	4064	dwm.exe	140
PID 4064 wrote to memory of 2212	4064	dwm.exe	140
PID 2212 wrote to memory of 3212	2212	cmd.exe	142
PID 2212 wrote to memory of 3212	2212	cmd.exe	142
PID 2212 wrote to memory of 4704	2212	cmd.exe	144
PID 2212 wrote to memory of 4704	2212	cmd.exe	144
PID 4704 wrote to memory of 2204	4704	dwm.exe	147
PID 4704 wrote to memory of 2204	4704	dwm.exe	147
PID 2204 wrote to memory of 4812	2204	cmd.exe	149
PID 2204 wrote to memory of 4812	2204	cmd.exe	149
PID 2204 wrote to memory of 2676	2204	cmd.exe	152
PID 2204 wrote to memory of 2676	2204	cmd.exe	152
PID 2676 wrote to memory of 996	2676	dwm.exe	155
PID 2676 wrote to memory of 996	2676	dwm.exe	155
PID 996 wrote to memory of 1464	996	cmd.exe	157
PID 996 wrote to memory of 1464	996	cmd.exe	157
PID 996 wrote to memory of 4648	996	cmd.exe	159
PID 996 wrote to memory of 4648	996	cmd.exe	159
PID 4648 wrote to memory of 3568	4648	dwm.exe	162
PID 4648 wrote to memory of 3568	4648	dwm.exe	162
PID 3568 wrote to memory of 3280	3568	cmd.exe	164
PID 3568 wrote to memory of 3280	3568	cmd.exe	164
PID 3568 wrote to memory of 2804	3568	cmd.exe	166
PID 3568 wrote to memory of 2804	3568	cmd.exe	166
PID 2804 wrote to memory of 4500	2804	dwm.exe	170
PID 2804 wrote to memory of 4500	2804	dwm.exe	170
PID 4500 wrote to memory of 4424	4500	cmd.exe	172
PID 4500 wrote to memory of 4424	4500	cmd.exe	172
PID 4500 wrote to memory of 3948	4500	cmd.exe	174
PID 4500 wrote to memory of 3948	4500	cmd.exe	174
PID 3948 wrote to memory of 1504	3948	dwm.exe	177
PID 3948 wrote to memory of 1504	3948	dwm.exe	177
PID 1504 wrote to memory of 2040	1504	cmd.exe	179
PID 1504 wrote to memory of 2040	1504	cmd.exe	179
PID 1504 wrote to memory of 2228	1504	cmd.exe	181
PID 1504 wrote to memory of 2228	1504	cmd.exe	181
PID 2228 wrote to memory of 5056	2228	dwm.exe	184
PID 2228 wrote to memory of 5056	2228	dwm.exe	184

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
"C:\Users\Admin\AppData\Local\Temp\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GU7tWfSH3L.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3016
- - C:\Users\Admin\AppData\Local\Temp\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
    "C:\Users\Admin\AppData\Local\Temp\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe"
    3⤵
    - Checks computer location settings
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - C:\Program Files\Windows Photo Viewer\dwm.exe
      "C:\Program Files\Windows Photo Viewer\dwm.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4568
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4JlC5zfAS6.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4440
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:964
      - C:\Program Files\Windows Photo Viewer\dwm.exe
        
        "C:\Program Files\Windows Photo Viewer\dwm.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rcE1qBYVKA.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2084
        
        C:\Program Files\Windows Photo Viewer\dwm.exe
        
        "C:\Program Files\Windows Photo Viewer\dwm.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:5020
        
        C:\Program Files\Windows Photo Viewer\dwm.exe
        
        "C:\Program Files\Windows Photo Viewer\dwm.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3212
        
        C:\Program Files\Windows Photo Viewer\dwm.exe
        
        "C:\Program Files\Windows Photo Viewer\dwm.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:4812
        
        C:\Program Files\Windows Photo Viewer\dwm.exe
        
        "C:\Program Files\Windows Photo Viewer\dwm.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1464
        
        C:\Program Files\Windows Photo Viewer\dwm.exe
        
        "C:\Program Files\Windows Photo Viewer\dwm.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uP802u8Cku.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3280
        
        C:\Program Files\Windows Photo Viewer\dwm.exe
        
        "C:\Program Files\Windows Photo Viewer\dwm.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:4424
        
        C:\Program Files\Windows Photo Viewer\dwm.exe
        
        "C:\Program Files\Windows Photo Viewer\dwm.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat"
        21⤵
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2040
        
        C:\Program Files\Windows Photo Viewer\dwm.exe
        
        "C:\Program Files\Windows Photo Viewer\dwm.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3HNGHapxv4.bat"
        23⤵
        
        PID:5056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1480
        
        C:\Program Files\Windows Photo Viewer\dwm.exe
        
        "C:\Program Files\Windows Photo Viewer\dwm.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\djCrJd6RmA.bat"
        25⤵
        
        PID:4264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4800
        
        C:\Program Files\Windows Photo Viewer\dwm.exe
        
        "C:\Program Files\Windows Photo Viewer\dwm.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat"
        27⤵
        
        PID:1784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:1376
        
        C:\Program Files\Windows Photo Viewer\dwm.exe
        
        "C:\Program Files\Windows Photo Viewer\dwm.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat"
        29⤵
        
        PID:4760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Start Menu\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Start Menu\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\sysmon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Photo Viewer\dwm.exe

Filesize
2.3MB

MD5
1e83ded2729ce777053c604e7d667c38

SHA1
e4de4580f9e80703961c6df8b3dc687d6ff16cda

SHA256
41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309

SHA512
6c032fee11131744a6234b9011e700faa12aaa194afc8d32f1206d61bbe397b7b4f9f278192e32883379e0ecb178b1aedf426285745c23a127e9db2495867ad1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3HNGHapxv4.bat

Filesize
210B

MD5
640cb92bf9eb4fa048983cac05c165e1

SHA1
505209df6d77e9df722dcf0bb50898d706882c23

SHA256
44dc0eb559aa5559e6022c294aaa7bab4f005a81486dccd5081e6000df15ddd2

SHA512
9c9766ef373a391844d59cba0a718b79f218ca189806e6302403acfc6ec3122ba6079d1473d7fdfd731c2b04f34f1076c8308fc0601e978d4fe3759a927c28da

Download Submit
C:\Users\Admin\AppData\Local\Temp\4JlC5zfAS6.bat

Filesize
210B

MD5
73a91300fd22406e407e709a951b618e

SHA1
1dbedfd41801d489660fe1e899b41cb0ec31a40a

SHA256
58b469a3ad6d102a2a344870406195555b2fde4377a6496c34ef3a7ba7d362f8

SHA512
1c9a9ccf831c6567bbf939125f9d3eb205ff256911dee027fe61707f0f31434531d088012a59ce7990aa23d3c099755af43902058ee35cd01c84eaa0460eceec

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat

Filesize
210B

MD5
1e0b541124a774f28ecc5fa1f2159ba6

SHA1
1b35ed8e739c859237c876c44f6c5a7002c1375c

SHA256
12c9ecde3d6b685a08a4dc6bc808588b540073980c9f8da89bcff0d0e536a20b

SHA512
c86048504a17a90c200567483dbdfee7bca722a9980720bdcdbe0994cd8f954e7681c155f8c90050886dc454c556599932202553581975233fba7ff35da74863

Download Submit
C:\Users\Admin\AppData\Local\Temp\GU7tWfSH3L.bat

Filesize
267B

MD5
e83d7371f2a71f3cbdd1791e14deba09

SHA1
2dc2dfff0469f2d398a98b06c2301335263950a0

SHA256
2bcc27b40e0fb44fb920c3f24bbe7bb738eb9a075d12e712431699b0ae42f80b

SHA512
71adac91d57317495aaa19aea14ab649a16390e9e99026aaa0d47af5e6ffdde9272bc981e3b3e63b8d2cb13b3b64b58a16ea56960902f312c31fe86eaeb655e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat

Filesize
210B

MD5
c3f12bca60515f9f21526b40f9a3c2bc

SHA1
0105205767e5de27f5c14b90b0db4a9fdc4de850

SHA256
7556f20dc1eec68793c0e63663b0d9a8a8f10ca563701a5d6fce24544c12069b

SHA512
94830ac1fd9331ad48c2476dede9d0c13fa5b18bd4df9d038d2f1a1f28d5af71cc84de341191dcb9fc208c7f1b6d359a9a270a8026790038628f24d78fff0368

Download Submit
C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat

Filesize
210B

MD5
2b63c5d89b87efc5030dee88de92e70c

SHA1
16b5837f6a678ae913dd652e355a9f929a4cdb3e

SHA256
d615d9dcd52276833d87ab3acbf09273def6f675c67aabc5dbdb0cc03cab1143

SHA512
df788002abdbfc991bcbaeeafa1fc9ceadda255e57a45565ee3eb69dd42e2d8133389fd8bc3430cdf71e3bc9085185f1976de1f21750bde3dfe049dadb673869

Download Submit
C:\Users\Admin\AppData\Local\Temp\djCrJd6RmA.bat

Filesize
210B

MD5
5e26ff0d3113ff047a63e21dc7f7484f

SHA1
e2cecb90417abcac057289d634b500a89a48fb39

SHA256
d324b3eba2a94dac876df6ac066915807fde8332563e894aef40ff6cbab2f95c

SHA512
6e31d68586b826046d4a53e49bb1722d3d33e89aec410e8ac701de9828b643f4e5b1f9fc9076c1ec4ac7f829a22e82fa254c4d6233193bfe3c6bd7c0ae36b9a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat

Filesize
210B

MD5
e91afe77810ac6e39bfefd0c1db266b7

SHA1
d7bb9f5a3edddf9dbbc4432bc00cc771c1d7f93e

SHA256
9fed824a57ac70fae9a81a90d7806c9c5d63d14414d6ff617f72a4f4590c811b

SHA512
770d97d21c3477734c18a9ce1562847701bae08faef432d4c8ed3dfa04a5897f0afa9c71b194b116879351df83aa37b413773969f50da3f48dc0bf8476eb4f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat

Filesize
210B

MD5
a588215a8e2582b423072b4366c76f69

SHA1
e2c176030a9064df18ed050128d6d72ddb3651d2

SHA256
1006b1962b6c7e09e19a7f2dd168c96e7e19f9c757e45bb842d1f97f651cc07b

SHA512
cf7fb64781a4a9a10e2c38d91a731b4ef7c483b5a9fa97568365d47106fd75fed983a6488944999d0a4b252229a1e4240660a5c165efe55a810da871e8fd0fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat

Filesize
210B

MD5
e8f37cc10caaae46b5c5ef2687cd4a9a

SHA1
991127181cc74b6d14d906854c44af2d31353b88

SHA256
e8efcaef65e50a4af48b1f1ea6efeb6dcb980909311f7afb1c1bc92b9305d5ff

SHA512
59a37b57ad798fcd62b40efa188413ef5fd041661324ebcdb1dd7c6558d8c8d28f25101f535ade6675f12b1b4b2767f3a64d93a12f641707d71335e0a78ad433

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat

Filesize
210B

MD5
6d05c52f482b4acee655152edb0efa64

SHA1
aa149ec0d69075486ed915f648feb0cb5908025f

SHA256
6ddf55e296905da6a2bff51cc1d8789574531306ad326fb2e9d6272c13fe2d5f

SHA512
d588bc8cf76ac6cc7fbfbf8657b1457d3ba20afe92e30b42734851ab377fd8940f1de902f7b8a4bcbda669840b52839158045f9697c56fbea680c6e7f86345e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcE1qBYVKA.bat

Filesize
210B

MD5
070492c88c83c16ba506389b7f393837

SHA1
ae2be52ee728beb2f87e8d8b5e0c189e63e23100

SHA256
cf8d72bceff5fae8f347fde18b62db3248fb2fe5d84e4d50d1cdecbfc672e0b0

SHA512
facdaa272958060030bbc74d9093957470215afd26f570223dcf235e3efb50697c36fdea87bf947f684b3425580642de8cb56df996c4827d27f90f2b4b8b244f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uP802u8Cku.bat

Filesize
210B

MD5
5a12bff738bfca93f96fb15d86ebdbf9

SHA1
79301c1e4689c67cba90cbe7ab1ee3858788d123

SHA256
106231103a34c3d4d21847d652e46951966684a556d92d61cbd33d9de8902bcc

SHA512
784b6b58ef2d2cdb1c4744641d06dd2249390afb6b3dc2e4835a0e67c15e63b3b985555b62ccd74169be0e3fc4ba495bec6ed5e8244f3b913ea90adbf0778653

Download Submit
memory/1724-6-0x0000000002EA0000-0x0000000002EF6000-memory.dmp

Filesize
344KB

Download
memory/1724-20-0x00007FFF769F0000-0x00007FFF774B1000-memory.dmp

Filesize
10.8MB

Download
memory/1724-9-0x000000001BF40000-0x000000001BF4E000-memory.dmp

Filesize
56KB

Download
memory/1724-4-0x000000001BED0000-0x000000001BF20000-memory.dmp

Filesize
320KB

Download
memory/1724-7-0x0000000002E80000-0x0000000002E92000-memory.dmp

Filesize
72KB

Download
memory/1724-3-0x00000000015F0000-0x000000000160C000-memory.dmp

Filesize
112KB

Download
memory/1724-5-0x0000000002E50000-0x0000000002E66000-memory.dmp

Filesize
88KB

Download
memory/1724-1-0x0000000000AD0000-0x0000000000D20000-memory.dmp

Filesize
2.3MB

Download
memory/1724-8-0x000000001C7E0000-0x000000001CD08000-memory.dmp

Filesize
5.2MB

Download
memory/1724-2-0x00007FFF769F0000-0x00007FFF774B1000-memory.dmp

Filesize
10.8MB

Download
memory/1724-10-0x000000001BF50000-0x000000001BF58000-memory.dmp

Filesize
32KB

Download
memory/1724-0-0x00007FFF769F3000-0x00007FFF769F5000-memory.dmp

Filesize
8KB

Download
memory/2228-117-0x000000001C730000-0x000000001C89A000-memory.dmp

Filesize
1.4MB

Download
memory/2676-86-0x000000001BE60000-0x000000001BF62000-memory.dmp

Filesize
1.0MB

Download
memory/2748-140-0x000000001C5B0000-0x000000001C71A000-memory.dmp

Filesize
1.4MB

Download
memory/2748-135-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/2804-97-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/2804-96-0x000000001B100000-0x000000001B156000-memory.dmp

Filesize
344KB

Download
memory/2804-102-0x000000001B920000-0x000000001BA22000-memory.dmp

Filesize
1.0MB

Download
memory/3472-132-0x000000001D020000-0x000000001D1C9000-memory.dmp

Filesize
1.7MB

Download
memory/3568-56-0x000000001AEB0000-0x000000001AF06000-memory.dmp

Filesize
344KB

Download
memory/3568-61-0x000000001B6E0000-0x000000001B7E2000-memory.dmp

Filesize
1.0MB

Download
memory/3948-110-0x000000001C780000-0x000000001C8EA000-memory.dmp

Filesize
1.4MB

Download
memory/3948-105-0x0000000000F90000-0x0000000000FA2000-memory.dmp

Filesize
72KB

Download
memory/4064-65-0x00000000012A0000-0x00000000012B2000-memory.dmp

Filesize
72KB

Download
memory/4064-70-0x000000001BEF0000-0x000000001BFF2000-memory.dmp

Filesize
1.0MB

Download
memory/4064-64-0x0000000002CF0000-0x0000000002D46000-memory.dmp

Filesize
344KB

Download
memory/4260-125-0x000000001C340000-0x000000001C4AA000-memory.dmp

Filesize
1.4MB

Download
memory/4260-120-0x0000000000B10000-0x0000000000B22000-memory.dmp

Filesize
72KB

Download
memory/4568-44-0x000000001C330000-0x000000001C432000-memory.dmp

Filesize
1.0MB

Download
memory/4624-24-0x000000001C0F0000-0x000000001C102000-memory.dmp

Filesize
72KB

Download
memory/4624-23-0x000000001C050000-0x000000001C0A6000-memory.dmp

Filesize
344KB

Download
memory/4648-93-0x000000001BAF0000-0x000000001BBF2000-memory.dmp

Filesize
1.0MB

Download
memory/4704-73-0x00000000030D0000-0x0000000003126000-memory.dmp

Filesize
344KB

Download
memory/4704-79-0x000000001C2F0000-0x000000001C3F2000-memory.dmp

Filesize
1.0MB

Download
memory/4704-74-0x0000000003070000-0x0000000003082000-memory.dmp

Filesize
72KB

Download
memory/4936-53-0x000000001CEC0000-0x000000001CF61000-memory.dmp

Filesize
644KB

Download
memory/4936-48-0x0000000002E70000-0x0000000002E82000-memory.dmp

Filesize
72KB

Download