dcrat | 63b338de002ec636605c738ed541e8f6c8dd770efc6f8898382c798595bc2610

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_63b338de002ec636605c738ed541e8f6c8dd770efc6f8898382c798595bc2610.exe
Size

1.3MB
MD5

5c29557a1952e8393e5fdad56b319da1
SHA1

283b8a886cc9e9d27b87f4b819e02565a1f4b546
SHA256

63b338de002ec636605c738ed541e8f6c8dd770efc6f8898382c798595bc2610
SHA512

7228f6b458e7dd1367cf5170f99cb4cb50b4ffcbb0fab62e4c026899f19d9755cef0c55e3aa7697521b61f92b783d0d12c247de2edd2ac7b51d09659ecf68a5a
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2916	schtasks.exe	34

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000186fd-12.dat	dcrat
behavioral1/memory/2960-13-0x0000000001170000-0x0000000001280000-memory.dmp	dcrat
behavioral1/memory/1936-36-0x0000000000EA0000-0x0000000000FB0000-memory.dmp	dcrat
behavioral1/memory/2084-309-0x00000000010A0000-0x00000000011B0000-memory.dmp	dcrat
behavioral1/memory/1964-487-0x0000000000130000-0x0000000000240000-memory.dmp	dcrat
behavioral1/memory/2804-547-0x0000000000F10000-0x0000000001020000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2016	powershell.exe
1808	powershell.exe
2680	powershell.exe
1500	powershell.exe
2516	powershell.exe
1968	powershell.exe
1416	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2960	DllCommonsvc.exe
1936	OSPPSVC.exe
1668	OSPPSVC.exe
2068	OSPPSVC.exe
2364	OSPPSVC.exe
2084	OSPPSVC.exe
560	OSPPSVC.exe
1468	OSPPSVC.exe
1964	OSPPSVC.exe
2804	OSPPSVC.exe
1616	OSPPSVC.exe

Loads dropped DLL 2 IoCs

pid	Process
264	cmd.exe
264	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
9	raw.githubusercontent.com
15	raw.githubusercontent.com
18	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
28	raw.githubusercontent.com
32	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\en-US\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\en-US\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\6203df4a6bafc7	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_63b338de002ec636605c738ed541e8f6c8dd770efc6f8898382c798595bc2610.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2404	schtasks.exe
3020	schtasks.exe
2944	schtasks.exe
2800	schtasks.exe
2664	schtasks.exe
2616	schtasks.exe
2988	schtasks.exe
2832	schtasks.exe
2888	schtasks.exe
2684	schtasks.exe
2028	schtasks.exe
1508	schtasks.exe
1640	schtasks.exe
576	schtasks.exe
2872	schtasks.exe
2804	schtasks.exe
1420	schtasks.exe
680	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2960	DllCommonsvc.exe
1808	powershell.exe
2516	powershell.exe
1968	powershell.exe
2680	powershell.exe
1500	powershell.exe
2016	powershell.exe
1416	powershell.exe
1936	OSPPSVC.exe
1668	OSPPSVC.exe
2068	OSPPSVC.exe
2364	OSPPSVC.exe
2084	OSPPSVC.exe
560	OSPPSVC.exe
1468	OSPPSVC.exe
1964	OSPPSVC.exe
2804	OSPPSVC.exe
1616	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2960	DllCommonsvc.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	1936	OSPPSVC.exe
Token: SeDebugPrivilege	1668	OSPPSVC.exe
Token: SeDebugPrivilege	2068	OSPPSVC.exe
Token: SeDebugPrivilege	2364	OSPPSVC.exe
Token: SeDebugPrivilege	2084	OSPPSVC.exe
Token: SeDebugPrivilege	560	OSPPSVC.exe
Token: SeDebugPrivilege	1468	OSPPSVC.exe
Token: SeDebugPrivilege	1964	OSPPSVC.exe
Token: SeDebugPrivilege	2804	OSPPSVC.exe
Token: SeDebugPrivilege	1616	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2328	2440	JaffaCakes118_63b338de002ec636605c738ed541e8f6c8dd770efc6f8898382c798595bc2610.exe	30
PID 2440 wrote to memory of 2328	2440	JaffaCakes118_63b338de002ec636605c738ed541e8f6c8dd770efc6f8898382c798595bc2610.exe	30
PID 2440 wrote to memory of 2328	2440	JaffaCakes118_63b338de002ec636605c738ed541e8f6c8dd770efc6f8898382c798595bc2610.exe	30
PID 2440 wrote to memory of 2328	2440	JaffaCakes118_63b338de002ec636605c738ed541e8f6c8dd770efc6f8898382c798595bc2610.exe	30
PID 2328 wrote to memory of 264	2328	WScript.exe	31
PID 2328 wrote to memory of 264	2328	WScript.exe	31
PID 2328 wrote to memory of 264	2328	WScript.exe	31
PID 2328 wrote to memory of 264	2328	WScript.exe	31
PID 264 wrote to memory of 2960	264	cmd.exe	33
PID 264 wrote to memory of 2960	264	cmd.exe	33
PID 264 wrote to memory of 2960	264	cmd.exe	33
PID 264 wrote to memory of 2960	264	cmd.exe	33
PID 2960 wrote to memory of 1808	2960	DllCommonsvc.exe	53
PID 2960 wrote to memory of 1808	2960	DllCommonsvc.exe	53
PID 2960 wrote to memory of 1808	2960	DllCommonsvc.exe	53
PID 2960 wrote to memory of 2680	2960	DllCommonsvc.exe	54
PID 2960 wrote to memory of 2680	2960	DllCommonsvc.exe	54
PID 2960 wrote to memory of 2680	2960	DllCommonsvc.exe	54
PID 2960 wrote to memory of 1500	2960	DllCommonsvc.exe	55
PID 2960 wrote to memory of 1500	2960	DllCommonsvc.exe	55
PID 2960 wrote to memory of 1500	2960	DllCommonsvc.exe	55
PID 2960 wrote to memory of 2516	2960	DllCommonsvc.exe	56
PID 2960 wrote to memory of 2516	2960	DllCommonsvc.exe	56
PID 2960 wrote to memory of 2516	2960	DllCommonsvc.exe	56
PID 2960 wrote to memory of 1968	2960	DllCommonsvc.exe	57
PID 2960 wrote to memory of 1968	2960	DllCommonsvc.exe	57
PID 2960 wrote to memory of 1968	2960	DllCommonsvc.exe	57
PID 2960 wrote to memory of 1416	2960	DllCommonsvc.exe	58
PID 2960 wrote to memory of 1416	2960	DllCommonsvc.exe	58
PID 2960 wrote to memory of 1416	2960	DllCommonsvc.exe	58
PID 2960 wrote to memory of 2016	2960	DllCommonsvc.exe	59
PID 2960 wrote to memory of 2016	2960	DllCommonsvc.exe	59
PID 2960 wrote to memory of 2016	2960	DllCommonsvc.exe	59
PID 2960 wrote to memory of 1936	2960	DllCommonsvc.exe	68
PID 2960 wrote to memory of 1936	2960	DllCommonsvc.exe	68
PID 2960 wrote to memory of 1936	2960	DllCommonsvc.exe	68
PID 1936 wrote to memory of 2304	1936	OSPPSVC.exe	69
PID 1936 wrote to memory of 2304	1936	OSPPSVC.exe	69
PID 1936 wrote to memory of 2304	1936	OSPPSVC.exe	69
PID 2304 wrote to memory of 1108	2304	cmd.exe	71
PID 2304 wrote to memory of 1108	2304	cmd.exe	71
PID 2304 wrote to memory of 1108	2304	cmd.exe	71
PID 2304 wrote to memory of 1668	2304	cmd.exe	72
PID 2304 wrote to memory of 1668	2304	cmd.exe	72
PID 2304 wrote to memory of 1668	2304	cmd.exe	72
PID 1668 wrote to memory of 1528	1668	OSPPSVC.exe	73
PID 1668 wrote to memory of 1528	1668	OSPPSVC.exe	73
PID 1668 wrote to memory of 1528	1668	OSPPSVC.exe	73
PID 1528 wrote to memory of 2728	1528	cmd.exe	75
PID 1528 wrote to memory of 2728	1528	cmd.exe	75
PID 1528 wrote to memory of 2728	1528	cmd.exe	75
PID 1528 wrote to memory of 2068	1528	cmd.exe	76
PID 1528 wrote to memory of 2068	1528	cmd.exe	76
PID 1528 wrote to memory of 2068	1528	cmd.exe	76
PID 2068 wrote to memory of 1864	2068	OSPPSVC.exe	77
PID 2068 wrote to memory of 1864	2068	OSPPSVC.exe	77
PID 2068 wrote to memory of 1864	2068	OSPPSVC.exe	77
PID 1864 wrote to memory of 316	1864	cmd.exe	79
PID 1864 wrote to memory of 316	1864	cmd.exe	79
PID 1864 wrote to memory of 316	1864	cmd.exe	79
PID 1864 wrote to memory of 2364	1864	cmd.exe	80
PID 1864 wrote to memory of 2364	1864	cmd.exe	80
PID 1864 wrote to memory of 2364	1864	cmd.exe	80
PID 2364 wrote to memory of 3044	2364	OSPPSVC.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63b338de002ec636605c738ed541e8f6c8dd770efc6f8898382c798595bc2610.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63b338de002ec636605c738ed541e8f6c8dd770efc6f8898382c798595bc2610.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:264
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SendTo\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\en-US\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
    - - C:\Program Files\Windows Sidebar\en-US\OSPPSVC.exe
        
        "C:\Program Files\Windows Sidebar\en-US\OSPPSVC.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1936
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XkJigN4PJf.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1108
        
        C:\Program Files\Windows Sidebar\en-US\OSPPSVC.exe
        
        "C:\Program Files\Windows Sidebar\en-US\OSPPSVC.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrNnSCw4rJ.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2728
        
        C:\Program Files\Windows Sidebar\en-US\OSPPSVC.exe
        
        "C:\Program Files\Windows Sidebar\en-US\OSPPSVC.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:316
        
        C:\Program Files\Windows Sidebar\en-US\OSPPSVC.exe
        
        "C:\Program Files\Windows Sidebar\en-US\OSPPSVC.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat"
        12⤵
        
        PID:3044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2928
        
        C:\Program Files\Windows Sidebar\en-US\OSPPSVC.exe
        
        "C:\Program Files\Windows Sidebar\en-US\OSPPSVC.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pkopelt31u.bat"
        14⤵
        
        PID:2748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:836
        
        C:\Program Files\Windows Sidebar\en-US\OSPPSVC.exe
        
        "C:\Program Files\Windows Sidebar\en-US\OSPPSVC.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat"
        16⤵
        
        PID:1556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2100
        
        C:\Program Files\Windows Sidebar\en-US\OSPPSVC.exe
        
        "C:\Program Files\Windows Sidebar\en-US\OSPPSVC.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aWJwCUxpp4.bat"
        18⤵
        
        PID:2788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2264
        
        C:\Program Files\Windows Sidebar\en-US\OSPPSVC.exe
        
        "C:\Program Files\Windows Sidebar\en-US\OSPPSVC.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat"
        20⤵
        
        PID:2180
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3068
        
        C:\Program Files\Windows Sidebar\en-US\OSPPSVC.exe
        
        "C:\Program Files\Windows Sidebar\en-US\OSPPSVC.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mWzz7cjAeP.bat"
        22⤵
        
        PID:2188
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2436
        
        C:\Program Files\Windows Sidebar\en-US\OSPPSVC.exe
        
        "C:\Program Files\Windows Sidebar\en-US\OSPPSVC.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\SendTo\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\SendTo\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\SendTo\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\en-US\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\en-US\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\en-US\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea3c79b0f502896016952141fd062ca6

SHA1
3ebb977473697995932444c4e648d127c1b46375

SHA256
e37147333c3e0a7a61468cefdb92f8bef3c05d46dcbdc04d6009ce06a71e8a59

SHA512
1e08f05de98ca27135b92ec81980905769d8fe5b11892da5c7bee9d7ce3645d7ea7171f7c597ddb9a5e555820ab52e8fc9a9bd4cdef8993415f9f7a167778399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb98db98185006baccb21a820dd1c042

SHA1
b0cf991cd661797c562e91a27e422548268a7334

SHA256
e09aed17d44fa55b0e60e98012a788a16cdf7726e3d2c64bb66bc438a740f429

SHA512
cb1e441875dd496ab6008c2d755e588523b9c48a550834e8c433942cf2a8c413a4151552bac5e13c38791d6e0d0f5cd46e87d8d95de5c7c33ec715d352e61e17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb0147410b6928bb230d1f65cc4dfbf3

SHA1
5835de24e0154caf7f48cf542598b9c00ecd9dc7

SHA256
e1b60d84adf897d3dc82215ca8e0a2d4a0796be2a3d81d7e60d5cd9f64d607ba

SHA512
9018b0372ba47afc65d514a3a80080bbe6fc3822eb458ebb11fdf5e00f4771cc4045b25eecf838c9e51fc823e847465cc33b6c41a660adcdd28eccdbb2a97362

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83c488a287ea37a03c6fffc15f6e0453

SHA1
e8f3bd17525b916c1d937f16d98448ad5f5751d9

SHA256
2d75fb6b48ce02ca75e15f3f47f92c0e0b7f2090bf2acc62123a194eaf7a8e72

SHA512
74a9ae8c444acf36f2a7183f7613e8eb5ce2c1f97c8a9628dd47ef3ce07e0f30e6d922fcd091f057c2e55d18a36536e904dab6daf15cd45247cf1644037292b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e39b8fa15b448848bea1f4f858d62001

SHA1
8f596e93c0825eb79cae08bf05b4b28d533e2cf5

SHA256
b5da399de11330b013450368c2373d353752f2e1ad6b737027044d4fc57cfbfa

SHA512
67df3918938ba3e37a69bd94b5e31acda1f8fee257e557671a3ef7d0f4bcb9139f61e40343e8baced7997803c26e750639a320bc40d2463088457e7d983e497e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e361b9ca8fa6c58b4115a9e2516cb17

SHA1
037fd9ef756bf2f6a498228fe5fc9ffe1d572b0f

SHA256
1ef8f1b7ff0c0b0953616d9b4a0bff02d323fff5be3f964544d0907f0f4d59e4

SHA512
cb411c835259ff6875667080f03eb0474007ee5d8b843344e86477987211ba8d4c6c7a28ed83030497ea50ebe3b54fc406a1cde94d939df497de3610a591f363

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87cfc8b3ff75d03dd0aab99f091378df

SHA1
b68fc27f59782a55ab577621c94bdc5bda0262c4

SHA256
c281bfaf1afda2949d25f54d2dfe1ee18f7e952faaac799e4d47e5fd75391fe9

SHA512
06d68cfa159b970a67f8227ee45573b3cb31a7b9c893924c7cad122b6daf08e714f78514079f705b0f7ff6de04ed81624fae05ccaf2e454981a19bf6f98e052c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b84c55ca1c4af1880754b8063e38575

SHA1
587accfb7596b4ba44e99ec529f207ea23e00d4b

SHA256
5ef13c425636645b7ed9f417da73ad854966c53fc9fd881a847f7ec5cad1867a

SHA512
6070b843d91d6220ad52d30acea71957de0b093cd9976cb057ef1c99cde0dad9e0040063686eef5b37a934c7122a2ff75ba90130f8723b5a479e849d8e36f090

Download Submit
C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat

Filesize
215B

MD5
b265ca497e4b7879a8559ce94cce533e

SHA1
7c293fef48b8d717e4546fa53254dd19a171425f

SHA256
265e8b7de7fc6172184fe811e78ce39d08857475f9c3d58eaf812b2a5cd59b24

SHA512
5ab27862743f846c2d9c3316b9ec40737ebedce944af99f8b759140ef9bdccf3be64c1039eaf3bba1a0641b9c69bb18842d1ff45f10fdd5ad214c91dede29586

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF836.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IrNnSCw4rJ.bat

Filesize
215B

MD5
8a30c517c9edecb8cbd800aefd7bf1a2

SHA1
2eb8b6316e557d959dbda28504e6cbc52eb5dcb4

SHA256
9ce234b6ea92ebf343effb5b9901d074c061e73281eacb74a7e10d2f97b150b7

SHA512
44abaa4d08a6b6f8a142dd554ad0aac0eb3d53768cb3caccecde594130e892a4f1d58dbddc3358572cb6d32ed77ca62fad6c292a6816929dd511171115feeea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pkopelt31u.bat

Filesize
215B

MD5
491457c698bea35e65d165fca21cede5

SHA1
30e73bcca7a1d77b784270c5e93ad5c1030d8e60

SHA256
0bdbd991dbf7613189c2cf86ac7b99a2789b423000ab9421129edd7053600826

SHA512
1f74ce2dba5fc1bb2e8c9401d19b4feb21b9910d6a68e4ec9c22ba4c84c8117715f6af7c4db456953026098b17a7a0863a58678b9e6ebb97766b4d187cfbb0f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat

Filesize
215B

MD5
4855bf9c5778f9fc4a9d5e20149478ed

SHA1
d37381127cd4c3ac4500328bb10e7efb87dea540

SHA256
1aed421a6f905d90dd1694d0fafe2934913763fb399b953d1dae374cfd8eae5a

SHA512
c9c3c5e142ad66779c247bd6768a164c2ad6eb7bf6f3c249d90f1a90fad3bb2960a70c420a70633347a3869ad7813fca695156782f63d7cfa601eba8238f1b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF849.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat

Filesize
215B

MD5
058f286c3d7f968050a7554ace058751

SHA1
3d25da3a1332d453176e5ef428de9aea1f2a2dcd

SHA256
cfa703b61924c4f592d9074136a5e2e536ecd22512824508a246bd7fd99a3a11

SHA512
176695a9fdcaada50e3c9763f69a7bb5d07e6c7ef98e22654d6f3dd64b38494fa34477d651396c29a781ebce9f699f4eeed2f75c104421f63323b22b6bc29050

Download Submit
C:\Users\Admin\AppData\Local\Temp\XkJigN4PJf.bat

Filesize
215B

MD5
ba5ab675d68bb7dc675f03a8f51ccf4e

SHA1
20ebc87e816362fab058ab0223152a6c5907bb6e

SHA256
f89ccf61a2f91056a8166875b3d72a70ecec68e8eeb68fbeafeba7c2a6254f52

SHA512
f5d6aa0f676e60ece43e303a870dfbdddabb2e1e5c30abc05455c278d2d40168fd2460ae2ed8a011d4d75521e8be0b8a89e2f2b3ce13c272b351119ae80b3ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\aWJwCUxpp4.bat

Filesize
215B

MD5
dd42de2c567ab1d7c3044ecf616b8861

SHA1
fb0393cc5aae6a38ee8cf06e105ecff473c48bdc

SHA256
5d0088fdce320fbffd9067c9e139b7cfd08eb8c4f55299e1a30a89ac795bdf39

SHA512
4a9801d4b4226852c91e3b9dfabd93426739960777dcbd636797150956c71906c916cda2913f320affa8bc0cc3fefb33e7662cc39ab0af03454a6ef2dfcc636b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mWzz7cjAeP.bat

Filesize
215B

MD5
1bae002582e423c9f3807efdc51ea8c7

SHA1
723a3ebf7721ca07fa2d50dc5e7f3594cafebf3d

SHA256
f7215992ac051ca340df648e3da6b3c08786b0ef1fef436a310f6cc32583b862

SHA512
84ade9adf6c14f144996cc0ae6ffea23dac5c7d9e0359d6194a1ff58da447c23f666ea9ae0aea5565e8b50e55a710780cf6d2b1462c1c220232431b72a0ec9b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat

Filesize
215B

MD5
2ce864014517792607547706862ac179

SHA1
2419095f6fd8502b3051ae615269faaac8fd1b6e

SHA256
bb4669945a5e6977c4094466661cb62874a0a4d7f1f7aeb3618551411e56c4de

SHA512
da68c56394c7618c6deb41b531a2e80e78722f62d42a9084b09e93229b78ddfc1b4c297750da3163ae87e691366f5941da085021e24e8b95afe7b071468b0011

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7B6KZFZAIGS1GI58NF29.temp

Filesize
7KB

MD5
064b16affcc62a2d9ad47369f4172282

SHA1
e458798856475d69847e3fc3fa47b2dd03eb26ee

SHA256
cdf3e1f380a7464c27440ecbce3a98b6190a66f2111683a61a898ba2791720a2

SHA512
992103c73d655c487367576bf3003c18ba8030f8cfb5bcb0d3a3bf6f21eee86d50d405250563a7ba4872768420fa4e1ff35a62c3c5ad77c3da7a93291796d0cb

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1616-607-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/1808-57-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/1936-36-0x0000000000EA0000-0x0000000000FB0000-memory.dmp

Filesize
1.1MB

Download
memory/1936-73-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1964-487-0x0000000000130000-0x0000000000240000-memory.dmp

Filesize
1.1MB

Download
memory/1968-58-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2084-309-0x00000000010A0000-0x00000000011B0000-memory.dmp

Filesize
1.1MB

Download
memory/2804-547-0x0000000000F10000-0x0000000001020000-memory.dmp

Filesize
1.1MB

Download
memory/2960-16-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2960-15-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2960-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2960-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2960-13-0x0000000001170000-0x0000000001280000-memory.dmp

Filesize
1.1MB

Download