dcrat | 2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
Size

1008KB
MD5

579e5cbaf7b4ad7e0e0f2f991d072a6b
SHA1

338cb0a75e4d1d84e5cb3dcf11faa9c764d48e00
SHA256

2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f
SHA512

6a9cebaefe5ec375f9a932445fdc5b77945a46ac25c09fd8b3bc57c4b0b4d453eb5fffe70effdcabf0d46da63c73003aa109e342d648eef06c85d05e7b8dae92
SSDEEP

12288:7EC9yggsC9b/ySBhfEWO+QxckmsPnvKhxauZUYf9LT+wqR/Zk:7EnjsC9b/yofEWcHms6nZFlLT+Z/Zk

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2696	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2368-1-0x0000000000190000-0x0000000000294000-memory.dmp	dcrat
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe	dcrat
behavioral1/memory/2040-29-0x0000000001390000-0x0000000001494000-memory.dmp	dcrat

Executes dropped EXE 11 IoCs

Processes:

winlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

pid process

2040 winlogon.exe
1072 winlogon.exe
2924 winlogon.exe
1860 winlogon.exe
2440 winlogon.exe
1416 winlogon.exe
1536 winlogon.exe
980 winlogon.exe
2920 winlogon.exe
1568 winlogon.exe
2336 winlogon.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service
T1102

Processes:

flow ioc

11 pastebin.com
19 pastebin.com
23 pastebin.com
5 pastebin.com
7 pastebin.com
13 pastebin.com
15 pastebin.com
17 pastebin.com
21 pastebin.com
4 pastebin.com
9 pastebin.com

pid	process
2040	winlogon.exe
1072	winlogon.exe
2924	winlogon.exe
1860	winlogon.exe
2440	winlogon.exe
1416	winlogon.exe
1536	winlogon.exe
980	winlogon.exe
2920	winlogon.exe
1568	winlogon.exe
2336	winlogon.exe

flow	ioc
11	pastebin.com
19	pastebin.com
23	pastebin.com
5	pastebin.com
7	pastebin.com
13	pastebin.com
15	pastebin.com
17	pastebin.com
21	pastebin.com
4	pastebin.com
9	pastebin.com

Drops file in Program Files directory 4 IoCs

Processes:

2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe

description	ioc	process
File created	C:\Program Files\Windows Media Player\spoolsv.exe	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
File created	C:\Program Files\Windows Media Player\f3b6ecef712a24	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\69ddcba757bf72	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe

Drops file in Windows directory 2 IoCs

Processes:

2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe

description	ioc	process
File created	C:\Windows\Media\Delta\smss.exe	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
File created	C:\Windows\Media\Delta\69ddcba757bf72	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
2688	schtasks.exe
2724	schtasks.exe
2188	schtasks.exe
2808	schtasks.exe
660	schtasks.exe
2616	schtasks.exe
2356	schtasks.exe
2764	schtasks.exe
1236	schtasks.exe
1232	schtasks.exe
2668	schtasks.exe
672	schtasks.exe
2684	schtasks.exe
1048	schtasks.exe
2600	schtasks.exe
2832	schtasks.exe
2844	schtasks.exe
1512	schtasks.exe
2204	schtasks.exe
1664	schtasks.exe
2476	schtasks.exe
2720	schtasks.exe
2532	schtasks.exe
2516	schtasks.exe
620	schtasks.exe
2916	schtasks.exe
2492	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

pid	process
2368	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
2368	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
2368	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
2040	winlogon.exe
1072	winlogon.exe
2924	winlogon.exe
1860	winlogon.exe
2440	winlogon.exe
1416	winlogon.exe
1536	winlogon.exe
980	winlogon.exe
2920	winlogon.exe
1568	winlogon.exe
2336	winlogon.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2368	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
Token: SeDebugPrivilege	2040	winlogon.exe
Token: SeDebugPrivilege	1072	winlogon.exe
Token: SeDebugPrivilege	2924	winlogon.exe
Token: SeDebugPrivilege	1860	winlogon.exe
Token: SeDebugPrivilege	2440	winlogon.exe
Token: SeDebugPrivilege	1416	winlogon.exe
Token: SeDebugPrivilege	1536	winlogon.exe
Token: SeDebugPrivilege	980	winlogon.exe
Token: SeDebugPrivilege	2920	winlogon.exe
Token: SeDebugPrivilege	1568	winlogon.exe
Token: SeDebugPrivilege	2336	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exewinlogon.execmd.exewinlogon.execmd.exewinlogon.execmd.exewinlogon.execmd.exewinlogon.execmd.exewinlogon.execmd.exewinlogon.execmd.exe

description	pid	process	target process
PID 2368 wrote to memory of 2040	2368	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe	winlogon.exe
PID 2368 wrote to memory of 2040	2368	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe	winlogon.exe
PID 2368 wrote to memory of 2040	2368	2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe	winlogon.exe
PID 2040 wrote to memory of 1956	2040	winlogon.exe	cmd.exe
PID 2040 wrote to memory of 1956	2040	winlogon.exe	cmd.exe
PID 2040 wrote to memory of 1956	2040	winlogon.exe	cmd.exe
PID 1956 wrote to memory of 2920	1956	cmd.exe	w32tm.exe
PID 1956 wrote to memory of 2920	1956	cmd.exe	w32tm.exe
PID 1956 wrote to memory of 2920	1956	cmd.exe	w32tm.exe
PID 1956 wrote to memory of 1072	1956	cmd.exe	winlogon.exe
PID 1956 wrote to memory of 1072	1956	cmd.exe	winlogon.exe
PID 1956 wrote to memory of 1072	1956	cmd.exe	winlogon.exe
PID 1072 wrote to memory of 1972	1072	winlogon.exe	cmd.exe
PID 1072 wrote to memory of 1972	1072	winlogon.exe	cmd.exe
PID 1072 wrote to memory of 1972	1072	winlogon.exe	cmd.exe
PID 1972 wrote to memory of 1568	1972	cmd.exe	w32tm.exe
PID 1972 wrote to memory of 1568	1972	cmd.exe	w32tm.exe
PID 1972 wrote to memory of 1568	1972	cmd.exe	w32tm.exe
PID 1972 wrote to memory of 2924	1972	cmd.exe	winlogon.exe
PID 1972 wrote to memory of 2924	1972	cmd.exe	winlogon.exe
PID 1972 wrote to memory of 2924	1972	cmd.exe	winlogon.exe
PID 2924 wrote to memory of 2392	2924	winlogon.exe	cmd.exe
PID 2924 wrote to memory of 2392	2924	winlogon.exe	cmd.exe
PID 2924 wrote to memory of 2392	2924	winlogon.exe	cmd.exe
PID 2392 wrote to memory of 1840	2392	cmd.exe	w32tm.exe
PID 2392 wrote to memory of 1840	2392	cmd.exe	w32tm.exe
PID 2392 wrote to memory of 1840	2392	cmd.exe	w32tm.exe
PID 2392 wrote to memory of 1860	2392	cmd.exe	winlogon.exe
PID 2392 wrote to memory of 1860	2392	cmd.exe	winlogon.exe
PID 2392 wrote to memory of 1860	2392	cmd.exe	winlogon.exe
PID 1860 wrote to memory of 2512	1860	winlogon.exe	cmd.exe
PID 1860 wrote to memory of 2512	1860	winlogon.exe	cmd.exe
PID 1860 wrote to memory of 2512	1860	winlogon.exe	cmd.exe
PID 2512 wrote to memory of 3004	2512	cmd.exe	w32tm.exe
PID 2512 wrote to memory of 3004	2512	cmd.exe	w32tm.exe
PID 2512 wrote to memory of 3004	2512	cmd.exe	w32tm.exe
PID 2512 wrote to memory of 2440	2512	cmd.exe	winlogon.exe
PID 2512 wrote to memory of 2440	2512	cmd.exe	winlogon.exe
PID 2512 wrote to memory of 2440	2512	cmd.exe	winlogon.exe
PID 2440 wrote to memory of 1528	2440	winlogon.exe	cmd.exe
PID 2440 wrote to memory of 1528	2440	winlogon.exe	cmd.exe
PID 2440 wrote to memory of 1528	2440	winlogon.exe	cmd.exe
PID 1528 wrote to memory of 1828	1528	cmd.exe	w32tm.exe
PID 1528 wrote to memory of 1828	1528	cmd.exe	w32tm.exe
PID 1528 wrote to memory of 1828	1528	cmd.exe	w32tm.exe
PID 1528 wrote to memory of 1416	1528	cmd.exe	winlogon.exe
PID 1528 wrote to memory of 1416	1528	cmd.exe	winlogon.exe
PID 1528 wrote to memory of 1416	1528	cmd.exe	winlogon.exe
PID 1416 wrote to memory of 2576	1416	winlogon.exe	cmd.exe
PID 1416 wrote to memory of 2576	1416	winlogon.exe	cmd.exe
PID 1416 wrote to memory of 2576	1416	winlogon.exe	cmd.exe
PID 2576 wrote to memory of 2476	2576	cmd.exe	w32tm.exe
PID 2576 wrote to memory of 2476	2576	cmd.exe	w32tm.exe
PID 2576 wrote to memory of 2476	2576	cmd.exe	w32tm.exe
PID 2576 wrote to memory of 1536	2576	cmd.exe	winlogon.exe
PID 2576 wrote to memory of 1536	2576	cmd.exe	winlogon.exe
PID 2576 wrote to memory of 1536	2576	cmd.exe	winlogon.exe
PID 1536 wrote to memory of 1512	1536	winlogon.exe	cmd.exe
PID 1536 wrote to memory of 1512	1536	winlogon.exe	cmd.exe
PID 1536 wrote to memory of 1512	1536	winlogon.exe	cmd.exe
PID 1512 wrote to memory of 2676	1512	cmd.exe	w32tm.exe
PID 1512 wrote to memory of 2676	1512	cmd.exe	w32tm.exe
PID 1512 wrote to memory of 2676	1512	cmd.exe	w32tm.exe
PID 1512 wrote to memory of 980	1512	cmd.exe	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe
"C:\Users\Admin\AppData\Local\Temp\2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe
"C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0TJHXkWh8.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
4⤵
PID:2920

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe
"C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DXR1U0Y5m3.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:1568

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe
"C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrNnSCw4rJ.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:1840

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe
"C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat"
9⤵
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
10⤵
PID:3004

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe
"C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe"
10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z6HXYUNDfk.bat"
11⤵
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
12⤵
PID:1828

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe
"C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe"
12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat"
13⤵
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
14⤵
PID:2476

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe
"C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe"
14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat"
15⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
16⤵
PID:2676

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe
"C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe"
16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bGwFtC02oQ.bat"
17⤵
PID:2252

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
18⤵
PID:2172

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe
"C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe"
18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat"
19⤵
PID:1176

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
20⤵
PID:1460

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe
"C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe"
20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eKnLpNzAx9.bat"
21⤵
PID:2176

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
22⤵
PID:2924

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe
"C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe"
22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\Media\Delta\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Media\Delta\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\Media\Delta\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe
Filesize
1008KB

MD5
579e5cbaf7b4ad7e0e0f2f991d072a6b

SHA1
338cb0a75e4d1d84e5cb3dcf11faa9c764d48e00

SHA256
2b4d2a49f21bb03260121613a9d00d054dce9acfeb4c76c4bd54be7568c4c45f

SHA512
6a9cebaefe5ec375f9a932445fdc5b77945a46ac25c09fd8b3bc57c4b0b4d453eb5fffe70effdcabf0d46da63c73003aa109e342d648eef06c85d05e7b8dae92

Download Submit
C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat
Filesize
226B

MD5
5cda9752c29b45d464356c7906651fe6

SHA1
d4e40bce6adda8997a3dce33f8640928f21f1909

SHA256
a901df5b2da122600e28753e3be7bd66dd30d9102f5234a30ee83f44e0b7679c

SHA512
857f96acda50fbd49f4dd18755e9aa8ec67af30198d60dc9e261864bd4aeee8c5ec37d72390cf6a87445da0fc50cf89f961a888c64ce8dc77a3deef7762886a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat
Filesize
226B

MD5
6ad4d382644ef7046f6482d3a3a36c84

SHA1
bc94aa151714ea54ff47c6c4ffca58eb710f4835

SHA256
7842e90f3bc7e23569ea3a456163666ad2b243f66fc04cf715e73cd466e7d33e

SHA512
ca4a8a042b6733911798fd0df5cc4ca5830ef55ed659db2ab03684eb2365863bbbb636072f3016d77fbb918488f97ce46921d19d852f9044fc90bce1e71c24b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXR1U0Y5m3.bat
Filesize
226B

MD5
a80c02b872c3ac48c5bfccff318e233a

SHA1
b910f0848258c8d189f83fb53c2f9d961da204f4

SHA256
bb16a927666e642d0d5b63f5a6277522e102396d8b82969f7f5074cc68791612

SHA512
fd3595bbef1a25af386b9c8b3aa1ff1ded6634470d91d244cdf596bdd7a149ecc90ba3cd1a2ec2ebf7243d64deda1099a6c3e4d355f3e16143d2b1a446841964

Download Submit
C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat
Filesize
226B

MD5
31351f02e07c0d632d7b1e687727a1b9

SHA1
6128183e4ddb3b121bb6e16a7fcab447c6786320

SHA256
6cd46c64b90aeb86d088da30ccd4527105e5701b9a478be15883fefa0ab46775

SHA512
d308026464ffc24ac206f577cec82a0d70331a0823a6f791fb77245e5153bdf937253cc5b0a8fb0fd1b812c510182350df08ae5c8b26f6e56711681be82a19fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IrNnSCw4rJ.bat
Filesize
226B

MD5
43e9eb0ca68d24d7127dcca1ea5c4d2d

SHA1
d0da656020a5ad3a9e37224b52c80505feb755e6

SHA256
b3b110e63538c05ebd9a40509fe79a2cbee602ca71ac86492a5d4852521c7783

SHA512
86e8823167d7f7e33340e8e930411ae0ea4e52bc03c04177ef2fbf404ec0d8044e2ba825cf08af272495e72ec17a508b490288e86935b76b4d3567c11c9ced70

Download Submit
C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat
Filesize
226B

MD5
5adffd2646b51924eada016c99c34ff6

SHA1
537fe4234bd0b78bf42bd6934bc1689f6ce5b6d3

SHA256
5ba47afca4f54efd3f1e58c5f7365f4efbe47437823b785030f239e150ce7f5c

SHA512
9f3e88769aa807866b81e26886ff176de9b5700ea5a8295889bee2390752b034aaaf54d732f41b3c853791eb261ef72b4cef1d45977da12d6adb04652721ef42

Download Submit
C:\Users\Admin\AppData\Local\Temp\bGwFtC02oQ.bat
Filesize
226B

MD5
ef2b1d8f94d32bc3f70c6c10d08f575d

SHA1
64c5bd103fb173397a6a20195f0f1e59924fec4c

SHA256
e7eba132bac79885434602b9da73b6c59c7ba7ea8780d92cb58741449a720591

SHA512
a15a18c76d49a0ccfa3c328b5b1a9c4d04c9b4e605afb383410fbf46b77440d478ce1661cdf76e2fcb8394ac1e5d9251864005298c428257c1ecc2ff3d327486

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0TJHXkWh8.bat
Filesize
226B

MD5
3457d66093b2a2e73617f0e6971d2689

SHA1
0f7b8e8ccd6fad5cdec431326eb9a71f823b62c2

SHA256
28ef8442323a8dd85b45dd85260018866f64d4a03d4c6b4229e68f8e33f31834

SHA512
3c2b639bc1755f748e3ad9e3de86928658056b0d70998c417c050eb4dfd9254189c85fedb7f0c03ee43f0068bfaa118788e23e7699f3c3de513746782d1fd253

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKnLpNzAx9.bat
Filesize
226B

MD5
007d7f6da11bef8ffd23d1e1b16e14a7

SHA1
b0770eba9409bfe863fc83905ade51d48a35d2de

SHA256
9cd379db4c4eedca061e62aa82693cdd9880c974216c775a0fb18af36c037105

SHA512
1961c35297aa8091ad10180aa4f907c72cedb739e39a507689ee730df5ff3f78f9e5fcff9a73b34a06750c152d829dd255dc62f3a5f63a86d81fe85bec019f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\z6HXYUNDfk.bat
Filesize
226B

MD5
570a88a669ed0a1668260d5c11e1d57e

SHA1
e4a696c4363c7af52581c7faca4dce693fce398a

SHA256
ffad9a23d981eef04b48d0f0ce67b41dade525a2e97a06fb0a58064464fb69fb

SHA512
ed42bf4d3c295c92ec932dfcb3349c94c4372a8598434f408a4404c26a6313de93766f5a7352b3a82cf5cac914cd43056b28d8ef8acc1a26fafa7b667ed11494

Download Submit
memory/2040-29-0x0000000001390000-0x0000000001494000-memory.dmp

Filesize
1.0MB

Download
memory/2368-30-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2368-0-0x000007FEF5C43000-0x000007FEF5C44000-memory.dmp

Filesize
4KB

Download
memory/2368-4-0x0000000000380000-0x0000000000388000-memory.dmp

Filesize
32KB

Download
memory/2368-3-0x0000000000360000-0x000000000037C000-memory.dmp

Filesize
112KB

Download
memory/2368-2-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2368-1-0x0000000000190000-0x0000000000294000-memory.dmp

Filesize
1.0MB

Download