dcrat | 94700851d8c519c75cb52eb0ffc26efca405b55c9279ef9d9f4990560709b1e7

Analysis

max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_94700851d8c519c75cb52eb0ffc26efca405b55c9279ef9d9f4990560709b1e7.exe
Size

1.3MB
MD5

bd8c96528fa7b5d748b16aa3b899e9ec
SHA1

f77446f2a179b337da7d0f0daa46e0e90552e833
SHA256

94700851d8c519c75cb52eb0ffc26efca405b55c9279ef9d9f4990560709b1e7
SHA512

f8c22caeb4b276fa3fc1e7fa64e788976a739d5df671ecadedb8574f3a0dd4c4ad707498896fb5935d18043107ac2213da6d62035764c3e39a34ac07070dabdc
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2616	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000017079-9.dat	dcrat
behavioral1/memory/2668-13-0x0000000000AC0000-0x0000000000BD0000-memory.dmp	dcrat
behavioral1/memory/2188-34-0x0000000000B20000-0x0000000000C30000-memory.dmp	dcrat
behavioral1/memory/2684-124-0x0000000000DB0000-0x0000000000EC0000-memory.dmp	dcrat
behavioral1/memory/1728-243-0x0000000001050000-0x0000000001160000-memory.dmp	dcrat
behavioral1/memory/2136-362-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat
behavioral1/memory/1868-422-0x0000000000D10000-0x0000000000E20000-memory.dmp	dcrat
behavioral1/memory/328-482-0x00000000011B0000-0x00000000012C0000-memory.dmp	dcrat
behavioral1/memory/2916-542-0x0000000001260000-0x0000000001370000-memory.dmp	dcrat
behavioral1/memory/1940-661-0x0000000000280000-0x0000000000390000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1760	powershell.exe
1820	powershell.exe
1708	powershell.exe
2652	powershell.exe
896	powershell.exe
596	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2668	DllCommonsvc.exe
2188	wininit.exe
2684	wininit.exe
2168	wininit.exe
1728	wininit.exe
1440	wininit.exe
2136	wininit.exe
1868	wininit.exe
328	wininit.exe
2916	wininit.exe
2328	wininit.exe
1940	wininit.exe

Loads dropped DLL 2 IoCs

pid	Process
2756	cmd.exe
2756	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
12	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com
36	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
15	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
29	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\b75386f1303e64	DllCommonsvc.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Registration\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\Registration\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Windows\Tasks\wininit.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\Tasks\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\56085415360792	DllCommonsvc.exe
File created	C:\Windows\de-DE\smss.exe	DllCommonsvc.exe
File created	C:\Windows\de-DE\69ddcba757bf72	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_94700851d8c519c75cb52eb0ffc26efca405b55c9279ef9d9f4990560709b1e7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2044	schtasks.exe
2860	schtasks.exe
2204	schtasks.exe
2420	schtasks.exe
2148	schtasks.exe
2284	schtasks.exe
2196	schtasks.exe
576	schtasks.exe
2772	schtasks.exe
620	schtasks.exe
1688	schtasks.exe
3020	schtasks.exe
1628	schtasks.exe
2076	schtasks.exe
1484	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2668	DllCommonsvc.exe
896	powershell.exe
1820	powershell.exe
2652	powershell.exe
596	powershell.exe
1708	powershell.exe
1760	powershell.exe
2188	wininit.exe
2684	wininit.exe
2168	wininit.exe
1728	wininit.exe
1440	wininit.exe
2136	wininit.exe
1868	wininit.exe
328	wininit.exe
2916	wininit.exe
2328	wininit.exe
1940	wininit.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	DllCommonsvc.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	596	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	2188	wininit.exe
Token: SeDebugPrivilege	2684	wininit.exe
Token: SeDebugPrivilege	2168	wininit.exe
Token: SeDebugPrivilege	1728	wininit.exe
Token: SeDebugPrivilege	1440	wininit.exe
Token: SeDebugPrivilege	2136	wininit.exe
Token: SeDebugPrivilege	1868	wininit.exe
Token: SeDebugPrivilege	328	wininit.exe
Token: SeDebugPrivilege	2916	wininit.exe
Token: SeDebugPrivilege	2328	wininit.exe
Token: SeDebugPrivilege	1940	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2660	2212	JaffaCakes118_94700851d8c519c75cb52eb0ffc26efca405b55c9279ef9d9f4990560709b1e7.exe	30
PID 2212 wrote to memory of 2660	2212	JaffaCakes118_94700851d8c519c75cb52eb0ffc26efca405b55c9279ef9d9f4990560709b1e7.exe	30
PID 2212 wrote to memory of 2660	2212	JaffaCakes118_94700851d8c519c75cb52eb0ffc26efca405b55c9279ef9d9f4990560709b1e7.exe	30
PID 2212 wrote to memory of 2660	2212	JaffaCakes118_94700851d8c519c75cb52eb0ffc26efca405b55c9279ef9d9f4990560709b1e7.exe	30
PID 2660 wrote to memory of 2756	2660	WScript.exe	31
PID 2660 wrote to memory of 2756	2660	WScript.exe	31
PID 2660 wrote to memory of 2756	2660	WScript.exe	31
PID 2660 wrote to memory of 2756	2660	WScript.exe	31
PID 2756 wrote to memory of 2668	2756	cmd.exe	33
PID 2756 wrote to memory of 2668	2756	cmd.exe	33
PID 2756 wrote to memory of 2668	2756	cmd.exe	33
PID 2756 wrote to memory of 2668	2756	cmd.exe	33
PID 2668 wrote to memory of 2652	2668	DllCommonsvc.exe	50
PID 2668 wrote to memory of 2652	2668	DllCommonsvc.exe	50
PID 2668 wrote to memory of 2652	2668	DllCommonsvc.exe	50
PID 2668 wrote to memory of 896	2668	DllCommonsvc.exe	51
PID 2668 wrote to memory of 896	2668	DllCommonsvc.exe	51
PID 2668 wrote to memory of 896	2668	DllCommonsvc.exe	51
PID 2668 wrote to memory of 1708	2668	DllCommonsvc.exe	52
PID 2668 wrote to memory of 1708	2668	DllCommonsvc.exe	52
PID 2668 wrote to memory of 1708	2668	DllCommonsvc.exe	52
PID 2668 wrote to memory of 1820	2668	DllCommonsvc.exe	53
PID 2668 wrote to memory of 1820	2668	DllCommonsvc.exe	53
PID 2668 wrote to memory of 1820	2668	DllCommonsvc.exe	53
PID 2668 wrote to memory of 1760	2668	DllCommonsvc.exe	54
PID 2668 wrote to memory of 1760	2668	DllCommonsvc.exe	54
PID 2668 wrote to memory of 1760	2668	DllCommonsvc.exe	54
PID 2668 wrote to memory of 596	2668	DllCommonsvc.exe	55
PID 2668 wrote to memory of 596	2668	DllCommonsvc.exe	55
PID 2668 wrote to memory of 596	2668	DllCommonsvc.exe	55
PID 2668 wrote to memory of 2188	2668	DllCommonsvc.exe	62
PID 2668 wrote to memory of 2188	2668	DllCommonsvc.exe	62
PID 2668 wrote to memory of 2188	2668	DllCommonsvc.exe	62
PID 2188 wrote to memory of 1596	2188	wininit.exe	63
PID 2188 wrote to memory of 1596	2188	wininit.exe	63
PID 2188 wrote to memory of 1596	2188	wininit.exe	63
PID 1596 wrote to memory of 2820	1596	cmd.exe	65
PID 1596 wrote to memory of 2820	1596	cmd.exe	65
PID 1596 wrote to memory of 2820	1596	cmd.exe	65
PID 1596 wrote to memory of 2684	1596	cmd.exe	66
PID 1596 wrote to memory of 2684	1596	cmd.exe	66
PID 1596 wrote to memory of 2684	1596	cmd.exe	66
PID 2684 wrote to memory of 2688	2684	wininit.exe	67
PID 2684 wrote to memory of 2688	2684	wininit.exe	67
PID 2684 wrote to memory of 2688	2684	wininit.exe	67
PID 2688 wrote to memory of 2744	2688	cmd.exe	69
PID 2688 wrote to memory of 2744	2688	cmd.exe	69
PID 2688 wrote to memory of 2744	2688	cmd.exe	69
PID 2688 wrote to memory of 2168	2688	cmd.exe	70
PID 2688 wrote to memory of 2168	2688	cmd.exe	70
PID 2688 wrote to memory of 2168	2688	cmd.exe	70
PID 2168 wrote to memory of 1972	2168	wininit.exe	71
PID 2168 wrote to memory of 1972	2168	wininit.exe	71
PID 2168 wrote to memory of 1972	2168	wininit.exe	71
PID 1972 wrote to memory of 2036	1972	cmd.exe	73
PID 1972 wrote to memory of 2036	1972	cmd.exe	73
PID 1972 wrote to memory of 2036	1972	cmd.exe	73
PID 1972 wrote to memory of 1728	1972	cmd.exe	74
PID 1972 wrote to memory of 1728	1972	cmd.exe	74
PID 1972 wrote to memory of 1728	1972	cmd.exe	74
PID 1728 wrote to memory of 2700	1728	wininit.exe	75
PID 1728 wrote to memory of 2700	1728	wininit.exe	75
PID 1728 wrote to memory of 2700	1728	wininit.exe	75
PID 2700 wrote to memory of 664	2700	cmd.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94700851d8c519c75cb52eb0ffc26efca405b55c9279ef9d9f4990560709b1e7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94700851d8c519c75cb52eb0ffc26efca405b55c9279ef9d9f4990560709b1e7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:596
    - - C:\Windows\Tasks\wininit.exe
        
        "C:\Windows\Tasks\wininit.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2188
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QO5FEA9wo1.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2820
        
        C:\Windows\Tasks\wininit.exe
        
        "C:\Windows\Tasks\wininit.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PoOVO2yVWN.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2744
        
        C:\Windows\Tasks\wininit.exe
        
        "C:\Windows\Tasks\wininit.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vbXk1H8t4K.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2036
        
        C:\Windows\Tasks\wininit.exe
        
        "C:\Windows\Tasks\wininit.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JCnMdX7E06.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:664
        
        C:\Windows\Tasks\wininit.exe
        
        "C:\Windows\Tasks\wininit.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat"
        14⤵
        
        PID:1076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2872
        
        C:\Windows\Tasks\wininit.exe
        
        "C:\Windows\Tasks\wininit.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8pOjIocmws.bat"
        16⤵
        
        PID:988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1028
        
        C:\Windows\Tasks\wininit.exe
        
        "C:\Windows\Tasks\wininit.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GQn77QEoUi.bat"
        18⤵
        
        PID:2028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2484
        
        C:\Windows\Tasks\wininit.exe
        
        "C:\Windows\Tasks\wininit.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y29a6RA8xz.bat"
        20⤵
        
        PID:1096
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1648
        
        C:\Windows\Tasks\wininit.exe
        
        "C:\Windows\Tasks\wininit.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6oaLUsZTY.bat"
        22⤵
        
        PID:1732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1644
        
        C:\Windows\Tasks\wininit.exe
        
        "C:\Windows\Tasks\wininit.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"
        24⤵
        
        PID:2408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2944
        
        C:\Windows\Tasks\wininit.exe
        
        "C:\Windows\Tasks\wininit.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Tasks\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Registration\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05cb1dd317f9b099841e1542ed1aac11

SHA1
0593e228225b2cd21f301538b3df67ffad5eecde

SHA256
bef6b8685035b4a62e32e95cc82ea9033b261da99d1ae64d4bcecb046d63d6d1

SHA512
bbb4c00b1039466cc9dd69c012afbec2ec20b520f7ffa58099744c3ee61e3ab6f94f935c2dd9ad8eef7fd248367dce3c6885bade4e19e8bc1bbb7a9303ad4e21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31766e9a6b5e72afa3b897baf547e8f3

SHA1
8f3653a5068079f923d9fe4e45217398908e1177

SHA256
b97e36f06c9157491a44c5c5a3a9bbd9207ca2f24a93d999047ac0388a61a066

SHA512
dbb774415b0a5f61973f6f04015cb4e755b09d1645cd2d429168599a77bc4d6b61719522af376f5417612d32bc7ab8ebeb529b310d11d88082f581e6864eea40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6923dd386da4c832410cabad3b1c8a20

SHA1
7199c4b2c836782b6c8f5055a173a039e4a822e9

SHA256
2a9ab0ae2fde5e2a141f644f15f9d4db550a16792e2451c847053fb64400ed95

SHA512
2b6bd260a43b4b0822dd896204ad973c0706afbf183cca6332410281b840601ec106b328fde923b9bc2fd0a6c323f51d99d89d4c59d5995d6650ba1f855efec3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
913b63013340c5f51639e20192d08f5f

SHA1
bfff45d8351d58b452f98b15ab3f40e76d7879d7

SHA256
d5ecc72c44e8327947118c53189b3c716145f9611709851fd62cb60a1b8dea7f

SHA512
a90aaa1073cf089d26240435a4ae3b7e40c19fa1e3d560183127f2f97eb76ec2006b79c715b6f3cf8de6dc200dd17a46bbec71915356e86e09b017faa476cf70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a01e1441e5b22c053cf5d568d50eff42

SHA1
480c15c37985c38e537ab4151b5a9ce128c88c64

SHA256
8afce7facaab9e77b7978c9da779085fe85ec469279e069feb4a138989f822ff

SHA512
53fdd5ee992a9c165723b47838f158b85a537de280f80b1075ac006223a7bbd0694ed20f47f8853f264340e1d8636d9762707f5f3a27b9712b92a2243f635220

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5879a0bda48ef7c817f213117e14b3dc

SHA1
1c25776d1f3ae82957089bc3dc34b962e09ff94f

SHA256
393415db65fffa5eecfa56d1f7785278a46ed4adbf8d7e44b98c7797cc5b160f

SHA512
f73b8e8c3f974d84d02f9f8f680b40c35ec40322afc5a146c1381288f3fd8c96820c02c49d8235279d944d49f85448396f8d2e35595b584fc08785b75d4a8c9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b044cc128dfbc8cfab67d0714aafdd38

SHA1
e01c43b53088379e9d81bf7828743773dc7c3dec

SHA256
ba4662da57af88a6d7693c28e079761a73b69d0e3dc5018016012dce4983d427

SHA512
30e4b2274fb6843c147ed8850b2ba9791cf3717f9adbcf51a282030bf450e849d3630726421a50ed22d2b638a68e42f4a29b2e4fe640b36e85a3052865acb640

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1aa47b80901171cb7b70ed15af829996

SHA1
90529ab6add88d2c96075c9340867f2177c84394

SHA256
b92db9a4a18d6e2ec31ffd8f3478956ad7d81b6843926665afea798f07f4ea38

SHA512
5a8b0d50ad126b4969535d08e08d7be34c874d4c0ed72f4bb20c535adb20e9645e76969b9fdbdffaaf573888fe096733e708cd15999abc2feec1882aeaef7bf9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3fb88fb3ac5626b8457872a25a146b2

SHA1
9120c69bfe6f5376762452a4d7e5cac7d60c1f9e

SHA256
12f6d4dfd48ff6d76709dfa8c63e1d654ea180297176e852ff881da975a224f6

SHA512
3663ae0251d3d675f746dcefcb48d50489035ef4879da530e316e41d3a1deabc07807814f5fbe377aa292b74598c597c301cdd0355185b8fd2cd9b79e2a429a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\8pOjIocmws.bat

Filesize
193B

MD5
cc5a65b5cf9907a10f29b79b95a685b2

SHA1
6a85395c14979bc9fbd0390d6ab86b482f63ac22

SHA256
29ca8183b58ba192ec12dbdbbc3d668334da094b2a2ce28902c50d9d64f62bf8

SHA512
1821b108bac669c6ac7f29824db39864c8d63ee175bda88e0ac44a30edad618d179c341c3a1ad30f0159c99987768a6ff0ddd8e17f95eb4e43357d4c32050482

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1EF8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQn77QEoUi.bat

Filesize
193B

MD5
29c6693cfb9c62510e1cbdcc1616854e

SHA1
ef6fd6a391dc3ebae7d9c9b5cbaebda965d87993

SHA256
a830e308dabd1a4ccb6c7eb132bcf1694dc67457b94612d817eec158e4419bb7

SHA512
b208ef5dc798ebb751fbd0242a8892036386f82a1faf76ea52ed4a3d3e28918989f076ec50c8ac34225664cc31f28545bd924439322d5974358823595a8f52ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\JCnMdX7E06.bat

Filesize
193B

MD5
3f4ff134b1b5f0585da096df8435050a

SHA1
1b00fa8a14920fe9a3acc5a1230c69ba5d4ea667

SHA256
2603e857356eee7249833aaab5cc085bbc35f172fe4cc00e96c6492e84c9157f

SHA512
bd9596032ddd6c9c6866d7eb659acc8db99638be4f5e56d4cf3622b34d043b2434bf9a0f52e5d7a033f3e087272a981eee2f4bf7310b38dc3e18a28bc61c56da

Download Submit
C:\Users\Admin\AppData\Local\Temp\PoOVO2yVWN.bat

Filesize
193B

MD5
8bfba0e9349fc6951d197c9ea2878323

SHA1
2c3ceeb2fa4d37a3146ffa927c339ca3e13958bf

SHA256
918d0aa660777317941eacf0c8500744caea927042afb09917ed926728d77465

SHA512
cbf4144bc09891e75ca9e80de41ec6262d3a56a53bb5426875056947bf42f7d5cb81172320317f56889753e8de4331c6c89c9de0e46194adea134987ec0f2a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\QO5FEA9wo1.bat

Filesize
193B

MD5
1cb47b4fb2aa56ccd8836706ea66a116

SHA1
2334026fbd04ef421ff5a71658f475e3fd96e1eb

SHA256
2c3b94ac6484678aad25dfded88029884b0688fb7e9e101e7623284d2628b40f

SHA512
654549639856d46103f7e50c42f8b2c5ce4fcf7f0a39fd65892eda9ad9b62172b8511f18297026329be465cfdb6218a4ef92fb125776af297b59c44cc326590c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1F0A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y29a6RA8xz.bat

Filesize
193B

MD5
5552a259caf7214b58c547dc4f4fc171

SHA1
b930cbffb831cc90ead2685b90641703eed02eb8

SHA256
8238ca69d96694596950b72af5bb9618c59481f427f3171da7f1ef8db6451644

SHA512
d19ed8c4c358b9b7b41405657f448712099084301df042362fcea59b8118c8ca489f3c5845604c9903d5b7aa6da81922ac9a5b78138da0eae4c392f21e8b9834

Download Submit
C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat

Filesize
193B

MD5
26aa9034c85ba92f384724c8214d3f78

SHA1
9b3460d4380ad142642136f5d5a0159e68920127

SHA256
9b8148551103a3086bb948fb2ca459dbae2e580dbfa9edbfef4fd3157584ac3a

SHA512
d855aef507d5695dd17ce860c876bf12c4ffb410a4494827f0de105208daf594c8858365bbf35f153ab0d3f315925dbb346b63a13297baad0d9394ad9fd3cafd

Download Submit
C:\Users\Admin\AppData\Local\Temp\h6oaLUsZTY.bat

Filesize
193B

MD5
2badc97940a0c4b0609914b74b45bd09

SHA1
0a7e1d18829b4fa848926feb7f89b07f2f0282cf

SHA256
d1f99c415753a7786856c4ed4a900a3a7b77e17a96bf0e76231ae5b275fdd7ec

SHA512
1df7106e1b6c888644a1eda53a367d1be25780b96668aa49f14daf2df20645a84e628b6dfd1f8566cb5aaace45900cb8672a0935f821fd10d92ac98dc3187d9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat

Filesize
193B

MD5
cfc057315cc75de3c9ce6653b5277802

SHA1
584f93a5dd58a0dd787a7cbcfc07f7e0fa92f389

SHA256
8b042d3a27c687d5421aba3ceadd4abf22ccba8e6ff351a55d8b994b61001a9c

SHA512
8760acb3a0a40d8ee12b1098463438240a5f41ca03ad225bb5f904181b30778950bb485433d905cf82c2216cc6dc7e73931266c843987abfff2533127a4ce3d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbXk1H8t4K.bat

Filesize
193B

MD5
06ea3b341c6d8cdff08625f7ed24f84c

SHA1
afa15dfa23c1bd76c92f133d728349f0fa241abf

SHA256
5be7330191d3fdf396f534b684c354d3720cfec198ad1789de943713ca6a7742

SHA512
25c69605cfa457908863987d01f39342ec49727b4ea1aa3c8bfaa757ef0412bdad92d3c6ac67264aa101acddeb91b0a2d6cdfcf1e543ab68edd4a9957fa8c7f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
08595fbe89da4a82631c7b928e5f461d

SHA1
c4e0b704b5059123ec2a07d8a99add2921b0ad4f

SHA256
4777c62930cd2ba6f6295763686727b7d4872bf894bdea08af4425293b1721fe

SHA512
4a8250ae84b42a45247ba106074308ed09d618504c36f59587775608386fd0364b76e21a4ed258dfe1e22f86801b6633f7bb61f43cda894bbdaf64e3dafe7fc3

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/328-482-0x00000000011B0000-0x00000000012C0000-memory.dmp

Filesize
1.1MB

Download
memory/1728-243-0x0000000001050000-0x0000000001160000-memory.dmp

Filesize
1.1MB

Download
memory/1760-65-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/1820-54-0x0000000002910000-0x0000000002918000-memory.dmp

Filesize
32KB

Download
memory/1868-422-0x0000000000D10000-0x0000000000E20000-memory.dmp

Filesize
1.1MB

Download
memory/1940-661-0x0000000000280000-0x0000000000390000-memory.dmp

Filesize
1.1MB

Download
memory/2136-362-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download
memory/2188-34-0x0000000000B20000-0x0000000000C30000-memory.dmp

Filesize
1.1MB

Download
memory/2668-17-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/2668-16-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2668-15-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2668-14-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2668-13-0x0000000000AC0000-0x0000000000BD0000-memory.dmp

Filesize
1.1MB

Download
memory/2684-124-0x0000000000DB0000-0x0000000000EC0000-memory.dmp

Filesize
1.1MB

Download
memory/2916-542-0x0000000001260000-0x0000000001370000-memory.dmp

Filesize
1.1MB

Download