dcrat | 97c8635aef0b54cb0aeba6ee7ddb112826f2a5665ecc3de8d7eaa4899d0642d9

Analysis

max time kernel
144s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 00:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_97c8635aef0b54cb0aeba6ee7ddb112826f2a5665ecc3de8d7eaa4899d0642d9.exe
Size

1.3MB
MD5

5d4abea2392fa61e242065866941638e
SHA1

8fd7cd6548a48debd3ad277080cdadbdaca6d7c4
SHA256

97c8635aef0b54cb0aeba6ee7ddb112826f2a5665ecc3de8d7eaa4899d0642d9
SHA512

fd6dc80ebfe58cfaadd076c1371f67b02734a7901ccd099e157402def42a0f73fe5b1b1f627de45b90d843f978801fefcdd58479143c3a8485b9514ee8cd6cfa
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2692	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2692	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2692	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2692	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2692	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2692	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2692	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2692	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2692	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2692	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2692	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2692	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2692	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	2692	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2692	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00060000000186c8-9.dat	dcrat
behavioral1/memory/2988-13-0x0000000000300000-0x0000000000410000-memory.dmp	dcrat
behavioral1/memory/1780-45-0x0000000000D50000-0x0000000000E60000-memory.dmp	dcrat
behavioral1/memory/2776-124-0x0000000000020000-0x0000000000130000-memory.dmp	dcrat
behavioral1/memory/528-185-0x00000000000D0000-0x00000000001E0000-memory.dmp	dcrat
behavioral1/memory/856-246-0x0000000001300000-0x0000000001410000-memory.dmp	dcrat
behavioral1/memory/264-544-0x0000000000080000-0x0000000000190000-memory.dmp	dcrat
behavioral1/memory/2788-604-0x0000000000F60000-0x0000000001070000-memory.dmp	dcrat
behavioral1/memory/884-664-0x00000000001E0000-0x00000000002F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1928	powershell.exe
2272	powershell.exe
1648	powershell.exe
2112	powershell.exe
536	powershell.exe
2460	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2988	DllCommonsvc.exe
1780	System.exe
2776	System.exe
528	System.exe
856	System.exe
1644	System.exe
2908	System.exe
2020	System.exe
2500	System.exe
264	System.exe
2788	System.exe
884	System.exe

Loads dropped DLL 2 IoCs

pid	Process
2536	cmd.exe
2536	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
15	raw.githubusercontent.com
18	raw.githubusercontent.com
31	raw.githubusercontent.com
35	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
21	raw.githubusercontent.com
24	raw.githubusercontent.com
28	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Journal\fr-FR\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\fr-FR\42af1c969fbb7b	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Prefetch\ReadyBoot\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Windows\Prefetch\ReadyBoot\spoolsv.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_97c8635aef0b54cb0aeba6ee7ddb112826f2a5665ecc3de8d7eaa4899d0642d9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2804	schtasks.exe
1708	schtasks.exe
2568	schtasks.exe
2372	schtasks.exe
2292	schtasks.exe
1560	schtasks.exe
2148	schtasks.exe
2576	schtasks.exe
2900	schtasks.exe
2640	schtasks.exe
1296	schtasks.exe
2044	schtasks.exe
1632	schtasks.exe
1352	schtasks.exe
2000	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2988	DllCommonsvc.exe
2112	powershell.exe
1648	powershell.exe
2460	powershell.exe
1928	powershell.exe
536	powershell.exe
2272	powershell.exe
1780	System.exe
2776	System.exe
528	System.exe
856	System.exe
1644	System.exe
2908	System.exe
2020	System.exe
2500	System.exe
264	System.exe
2788	System.exe
884	System.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	DllCommonsvc.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	1780	System.exe
Token: SeDebugPrivilege	2776	System.exe
Token: SeDebugPrivilege	528	System.exe
Token: SeDebugPrivilege	856	System.exe
Token: SeDebugPrivilege	1644	System.exe
Token: SeDebugPrivilege	2908	System.exe
Token: SeDebugPrivilege	2020	System.exe
Token: SeDebugPrivilege	2500	System.exe
Token: SeDebugPrivilege	264	System.exe
Token: SeDebugPrivilege	2788	System.exe
Token: SeDebugPrivilege	884	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2388	2520	JaffaCakes118_97c8635aef0b54cb0aeba6ee7ddb112826f2a5665ecc3de8d7eaa4899d0642d9.exe	30
PID 2520 wrote to memory of 2388	2520	JaffaCakes118_97c8635aef0b54cb0aeba6ee7ddb112826f2a5665ecc3de8d7eaa4899d0642d9.exe	30
PID 2520 wrote to memory of 2388	2520	JaffaCakes118_97c8635aef0b54cb0aeba6ee7ddb112826f2a5665ecc3de8d7eaa4899d0642d9.exe	30
PID 2520 wrote to memory of 2388	2520	JaffaCakes118_97c8635aef0b54cb0aeba6ee7ddb112826f2a5665ecc3de8d7eaa4899d0642d9.exe	30
PID 2388 wrote to memory of 2536	2388	WScript.exe	31
PID 2388 wrote to memory of 2536	2388	WScript.exe	31
PID 2388 wrote to memory of 2536	2388	WScript.exe	31
PID 2388 wrote to memory of 2536	2388	WScript.exe	31
PID 2536 wrote to memory of 2988	2536	cmd.exe	33
PID 2536 wrote to memory of 2988	2536	cmd.exe	33
PID 2536 wrote to memory of 2988	2536	cmd.exe	33
PID 2536 wrote to memory of 2988	2536	cmd.exe	33
PID 2988 wrote to memory of 1928	2988	DllCommonsvc.exe	50
PID 2988 wrote to memory of 1928	2988	DllCommonsvc.exe	50
PID 2988 wrote to memory of 1928	2988	DllCommonsvc.exe	50
PID 2988 wrote to memory of 2272	2988	DllCommonsvc.exe	51
PID 2988 wrote to memory of 2272	2988	DllCommonsvc.exe	51
PID 2988 wrote to memory of 2272	2988	DllCommonsvc.exe	51
PID 2988 wrote to memory of 2460	2988	DllCommonsvc.exe	52
PID 2988 wrote to memory of 2460	2988	DllCommonsvc.exe	52
PID 2988 wrote to memory of 2460	2988	DllCommonsvc.exe	52
PID 2988 wrote to memory of 1648	2988	DllCommonsvc.exe	53
PID 2988 wrote to memory of 1648	2988	DllCommonsvc.exe	53
PID 2988 wrote to memory of 1648	2988	DllCommonsvc.exe	53
PID 2988 wrote to memory of 2112	2988	DllCommonsvc.exe	55
PID 2988 wrote to memory of 2112	2988	DllCommonsvc.exe	55
PID 2988 wrote to memory of 2112	2988	DllCommonsvc.exe	55
PID 2988 wrote to memory of 536	2988	DllCommonsvc.exe	56
PID 2988 wrote to memory of 536	2988	DllCommonsvc.exe	56
PID 2988 wrote to memory of 536	2988	DllCommonsvc.exe	56
PID 2988 wrote to memory of 1780	2988	DllCommonsvc.exe	62
PID 2988 wrote to memory of 1780	2988	DllCommonsvc.exe	62
PID 2988 wrote to memory of 1780	2988	DllCommonsvc.exe	62
PID 1780 wrote to memory of 2516	1780	System.exe	64
PID 1780 wrote to memory of 2516	1780	System.exe	64
PID 1780 wrote to memory of 2516	1780	System.exe	64
PID 2516 wrote to memory of 2388	2516	cmd.exe	66
PID 2516 wrote to memory of 2388	2516	cmd.exe	66
PID 2516 wrote to memory of 2388	2516	cmd.exe	66
PID 2516 wrote to memory of 2776	2516	cmd.exe	67
PID 2516 wrote to memory of 2776	2516	cmd.exe	67
PID 2516 wrote to memory of 2776	2516	cmd.exe	67
PID 2776 wrote to memory of 2960	2776	System.exe	68
PID 2776 wrote to memory of 2960	2776	System.exe	68
PID 2776 wrote to memory of 2960	2776	System.exe	68
PID 2960 wrote to memory of 560	2960	cmd.exe	70
PID 2960 wrote to memory of 560	2960	cmd.exe	70
PID 2960 wrote to memory of 560	2960	cmd.exe	70
PID 2960 wrote to memory of 528	2960	cmd.exe	71
PID 2960 wrote to memory of 528	2960	cmd.exe	71
PID 2960 wrote to memory of 528	2960	cmd.exe	71
PID 528 wrote to memory of 2972	528	System.exe	72
PID 528 wrote to memory of 2972	528	System.exe	72
PID 528 wrote to memory of 2972	528	System.exe	72
PID 2972 wrote to memory of 1472	2972	cmd.exe	74
PID 2972 wrote to memory of 1472	2972	cmd.exe	74
PID 2972 wrote to memory of 1472	2972	cmd.exe	74
PID 2972 wrote to memory of 856	2972	cmd.exe	75
PID 2972 wrote to memory of 856	2972	cmd.exe	75
PID 2972 wrote to memory of 856	2972	cmd.exe	75
PID 856 wrote to memory of 1812	856	System.exe	76
PID 856 wrote to memory of 1812	856	System.exe	76
PID 856 wrote to memory of 1812	856	System.exe	76
PID 1812 wrote to memory of 2936	1812	cmd.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97c8635aef0b54cb0aeba6ee7ddb112826f2a5665ecc3de8d7eaa4899d0642d9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97c8635aef0b54cb0aeba6ee7ddb112826f2a5665ecc3de8d7eaa4899d0642d9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\fr-FR\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Updater6\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
    - - C:\Users\All Users\Adobe\Updater6\System.exe
        
        "C:\Users\All Users\Adobe\Updater6\System.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1780
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\srJhtCwLGi.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2388
        
        C:\Users\All Users\Adobe\Updater6\System.exe
        
        "C:\Users\All Users\Adobe\Updater6\System.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LW19r029AS.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:560
        
        C:\Users\All Users\Adobe\Updater6\System.exe
        
        "C:\Users\All Users\Adobe\Updater6\System.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1472
        
        C:\Users\All Users\Adobe\Updater6\System.exe
        
        "C:\Users\All Users\Adobe\Updater6\System.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kwOVarqRTQ.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2936
        
        C:\Users\All Users\Adobe\Updater6\System.exe
        
        "C:\Users\All Users\Adobe\Updater6\System.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\onYrHPGvDe.bat"
        14⤵
        
        PID:2572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2184
        
        C:\Users\All Users\Adobe\Updater6\System.exe
        
        "C:\Users\All Users\Adobe\Updater6\System.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nKCzYbro9F.bat"
        16⤵
        
        PID:1248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2012
        
        C:\Users\All Users\Adobe\Updater6\System.exe
        
        "C:\Users\All Users\Adobe\Updater6\System.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kwOVarqRTQ.bat"
        18⤵
        
        PID:1720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2368
        
        C:\Users\All Users\Adobe\Updater6\System.exe
        
        "C:\Users\All Users\Adobe\Updater6\System.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat"
        20⤵
        
        PID:1284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2192
        
        C:\Users\All Users\Adobe\Updater6\System.exe
        
        "C:\Users\All Users\Adobe\Updater6\System.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat"
        22⤵
        
        PID:2384
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1904
        
        C:\Users\All Users\Adobe\Updater6\System.exe
        
        "C:\Users\All Users\Adobe\Updater6\System.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EH4KCibIlQ.bat"
        24⤵
        
        PID:572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2956
        
        C:\Users\All Users\Adobe\Updater6\System.exe
        
        "C:\Users\All Users\Adobe\Updater6\System.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\fr-FR\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\fr-FR\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Adobe\Updater6\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Adobe\Updater6\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6475d205bac3210160060323b2693862

SHA1
9bc0cdcdb65785af4006ae05812db34e7ad083c0

SHA256
c0438bc93ea7622e2413f5db9cfc5ac3742de57db84642ff42d9cc5f50799a1d

SHA512
b0dbf6e794013bef1ec0e9cfe1c7ee5fd66c901b09288988b8f2f701270fac220438352ec97eb75af9040b99287e38ab0bcc128cfe2cc8ee0c6e5170b32d83d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b16b33ca5998d0b65aa030586fb3bea

SHA1
de60e2fdc3221bc8693dbf1ecaa526e311538821

SHA256
c9b4a99406bf72b0b94d737e4f4992f34be6dc97eab88d5e706328fd5d652558

SHA512
3c9d9edcdb6f4ab1080a1619abd3d7ffe5bdca0c7f37293c92f64e5050c7d72b7d7d8fb47166dc66cf9066c05e0bd1e0cff6fd07638875de1093c3f2718c0d08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13cacb069edd5feaf132cc4b88b189cb

SHA1
8672a2cae55358add472f0f4dc796a88666704b9

SHA256
72997f3927c33661fa88dbdc88e4b94c723b22f133c1b4930e86f04b823c38f8

SHA512
ea3f5628de5376cabdd78921c053b1b44f3cbc1a570788c471d91c0e251cb6d31269592b01560b605bc979edd42fff38f6a531b0e88b2580032ff885c0f29ce7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
390931395d3ddba3803b8a4a6172070d

SHA1
0976da0b1b9c175ce254ce01f287b6ba27f79742

SHA256
ee2bcb681ef06fa307eee83b741daba5c7f05338fec8aa0bdb239be213470af3

SHA512
851f733d02881d9cfea231b076bd9d852c048d96ffae2cd11a7d9ee7f2c32a4fba6bf5022feee6f496f2bf45eb9bd9b14a6c1548479ef80aa5a156a87afb872f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac2ed7e53bc85ecdadf7300e15fd6944

SHA1
bcba325c97b524f88a35b20de6406c972770178b

SHA256
c3bdde4744dc6885bb278bcad832172460f1b9af6b7b72d744ee01e9b561bfc9

SHA512
8a17d2dd631572378a71e68302986696166f0b9216047e0f1776876779dfe90e76ad70173d0e5faf2e647456d202eb594386399f0b43eeb0d353022d51378297

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ab63e1cce72f043e90c2480f78adad6

SHA1
126908784b951be8e63012d17865b48d12309fcd

SHA256
8376092c2e932567494599befab5fad775ee0c60f974138289ef2058a12eaf11

SHA512
0e943857d1176c04361fcc326e81017f170a1f12868a9d73f3a1cdb72ffd9320fc5436805ab21784697164a218656726ae552ec3b7b3290e41b355707736640b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92b2f9d669a7914258d45e23fd7d5f5a

SHA1
bd278e33016647ba1ff7271c2c6a584813f31b0c

SHA256
7780fe851da9a652be791b47ca22988aa94f4bd71b39ec1567a3c7ed2f132183

SHA512
d831cfbbaaa2f5769ddfcaad214cc60852923de41076f45d1a0d3d696974265ada55cb96a00db6dcf893bddb21845c55e3a85202adf879ba1bbe1dbc58d08ad4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
312a554bd47b35b45caba826fa11777d

SHA1
52917e187a5d21c205485f18fb4cdd1d7973f23b

SHA256
1e74ee8870c8e28631059d3096ed8ead11e169361d4e5a2e0833631639c96fc0

SHA512
853613f991db583bb9c72191c920d7ebecfc982073e9bfaf49fd20e98f9b5340b77837b437912b4cbd447bfd1b5dfdafe09a751cf00deac9a2fa2e74bb053c9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9586c544fae2ee9e9a98e4388dfef0a6

SHA1
6ae8cd3c98f4704f1ce209f21429f3703e061913

SHA256
b4e40204780c59638a6bc065ff44e550d103b2ae53bcf173b498ca826459edf1

SHA512
cf1fd9aabd2b7c525510781bbbba392dcf1075403a1a2c8fbe52eb6c8e6ef88056028e787c4b46b360fdba2ea141674b3c1c2d8b1d7c4248cacbe9e497897e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat

Filesize
209B

MD5
d46b65429dd1a0e86bbbcf17fbec23a1

SHA1
031845d52d9c7cae3a178cff07145bbe0bacf276

SHA256
0af4204b95b77f659acedbbb71a0da9ec4dc02aa375fc4bf13b059f3ef55b967

SHA512
06fef614c0874e0729d5fdb6a4f004d2f7cd0c2c8dfc5566a3dc4f8a1999504f9abcf976d5994f2b9fefd581ca659751e0268318d94e722f74b8ff6c6b27dc19

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabECC1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EH4KCibIlQ.bat

Filesize
209B

MD5
f07aa2afb89cb16e2a1e3dfd26736885

SHA1
17cb6181728f033cfe5b99b6bad4ad3f0cc65699

SHA256
8f9be7df63de0cfd670d7459e60d1fb3531ac83517a3b1965bf5df21837e4239

SHA512
0694f2b4a84bb86493bef1cef9a9a5f08f2854735ea521f3b704055da37d763a5a3457da0591e442eeb2d5509b2232fd59f97ffc9ec5b24bc50a2cc22696320d

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat

Filesize
209B

MD5
011908d8074903563a8093525e4602e8

SHA1
66951f37001e1398b79a2ddcab784539dffff303

SHA256
b20f51ff532bbef2f7104a253217d43beb609d4f662bec8c074a55a06993075a

SHA512
08130ac3c6d875bd8d8b016872cd737392a94fa39216da0a6421e8abac1870b98dcd6dcf51cedc12995aab33093c91fa4d168a1269cd2effe55ff9396458d2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\LW19r029AS.bat

Filesize
209B

MD5
5c143a657c2537b772abf1cbb890fb04

SHA1
48a2b23ef240f4079bad3a477ba86820381a929d

SHA256
7f9fabf8fc9c050f3019ff129bd2cb59344e517003f1ce97990763aa82f05f29

SHA512
50bf649b5bbe8e2f0e21a35c663f9f2097a6aa873f62334db8c050dea8048d81c32b11bd9191f42c3e3a0974aff4228cfadef665b18290a917bb35a003b5e05f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarECD4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat

Filesize
209B

MD5
f4c8872b7b3c289acddc8b7d59e4970d

SHA1
b9907f00c17a910ea76de1354f8b60731cc822fc

SHA256
051a8fac3255be02e96b40cea8be1b034955810305823c483550d65043cc7f76

SHA512
39eefec881fbcae02deb5fc89c561ceff74bd22b34ff64c048d8ca863073535803b500de1b7ed4d2f9500ce8f2e84483edb07e250617d257720d05c0d99d576f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwOVarqRTQ.bat

Filesize
209B

MD5
c56970a965cd0032705d809cb56cf8c5

SHA1
baab8625b56455cdb29aac3742ef0547642f052e

SHA256
89ce6829f6f02d5fd5e7bf77ca5530690d024d113e1cf9ec01886ce4ad9994ef

SHA512
dbdb02837097724aa7fd7b0754621ea1c1fbcdc04f0b8b5e382d46bfde21cccba22ad985aba65457d566b26a849fdd8c0dc8dcd9c2e3f98f08bf8047f5fa1dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nKCzYbro9F.bat

Filesize
209B

MD5
e0666fd1be354f52a925faa80378156b

SHA1
9817bd7e484e9aec383db26e0bf6f924f851cccf

SHA256
6eefb5f81650b928fe50fdabeeb80f7eda93a7d648ea6f36ded8370ed3c6d869

SHA512
768653f0c9ad444f3532691ebcdb0bef33a969d2c464a775c3196437fb9ff80e90cd01b79bfff26737b02405d0ee4c87d253d08cc0a7788c5f6882fe613c1011

Download Submit
C:\Users\Admin\AppData\Local\Temp\onYrHPGvDe.bat

Filesize
209B

MD5
522b701644473f4b4760cf7ac57e9a5e

SHA1
276660fb3c9fd61408fbf3ac3c8ecbff557be606

SHA256
1ee1ecab19ca9ecb5016445bb9cf9f6b06dac5fa564771015930fca5e6590394

SHA512
5c4b3a6af6dae16c092b99f0fd2b4da4a4f1b0d96c7ccca1c1334ded510e8e7139e9fc6138b536bdb51164bcc69b6fdb65fe71d46a940a779f877d9148e9f21a

Download Submit
C:\Users\Admin\AppData\Local\Temp\srJhtCwLGi.bat

Filesize
209B

MD5
24953cb49751659c8fb9331a309b8fae

SHA1
ab1f88db3d3d886eafa457b69e02fc835b591cfa

SHA256
c6f2b46f1b6beaa16508862f2077c55ae5a66a5488a8cd6bd49f81442e68a6fd

SHA512
99c1cf9cfa2601c10a85e3e60e046f9b75dd2a7c8ee088a42022b3e45c91ad56e961a300754e68d92b239bc7538e7b99eb091f9f78a09583bb8e39da79978cf3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
da12dd813f59bf2e35e03b00e5462673

SHA1
324162a9c76c96358a32a37c2ebc4d9e1a3b02a6

SHA256
ba7c0c7b21eb80047b4d99d52da12b7664ab3a17ce828fe564c264dbb9710cba

SHA512
3873ee6dc825df9397d6970ac11ca6613f59e844a58cf011ab2d6845f9046c0b8ab5c272067534be47e2731cf2e9cd8000afc1d36781107929e4524831c6f90b

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/264-544-0x0000000000080000-0x0000000000190000-memory.dmp

Filesize
1.1MB

Download
memory/528-185-0x00000000000D0000-0x00000000001E0000-memory.dmp

Filesize
1.1MB

Download
memory/528-186-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/856-246-0x0000000001300000-0x0000000001410000-memory.dmp

Filesize
1.1MB

Download
memory/856-247-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/884-664-0x00000000001E0000-0x00000000002F0000-memory.dmp

Filesize
1.1MB

Download
memory/884-665-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/1780-45-0x0000000000D50000-0x0000000000E60000-memory.dmp

Filesize
1.1MB

Download
memory/2020-425-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2112-50-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2460-55-0x00000000026D0000-0x00000000026D8000-memory.dmp

Filesize
32KB

Download
memory/2776-124-0x0000000000020000-0x0000000000130000-memory.dmp

Filesize
1.1MB

Download
memory/2776-125-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/2788-604-0x0000000000F60000-0x0000000001070000-memory.dmp

Filesize
1.1MB

Download
memory/2988-14-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2988-13-0x0000000000300000-0x0000000000410000-memory.dmp

Filesize
1.1MB

Download
memory/2988-15-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2988-16-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2988-17-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download