dcrat | 27108950380722927f768c875bf2df17d2f2107aceb4a8db789e9029728561ab

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_27108950380722927f768c875bf2df17d2f2107aceb4a8db789e9029728561ab.exe
Size

1.3MB
MD5

58fc356ab776b908fd6d702f26a7beee
SHA1

b1643ebb0bb4b7a0fb52a8e17e217146ac5598c9
SHA256

27108950380722927f768c875bf2df17d2f2107aceb4a8db789e9029728561ab
SHA512

d095da7aabcfc40e2b3c20e1d5c496db26f52bf2b837ba0000ae9e2c459c853371610525078d70dc6b54bcb6c1669cd0fc18cddf1984bdcb98ca6e91ea477e2c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2356	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2356	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2356	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2356	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2356	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2356	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2356	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2356	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2356	schtasks.exe	35

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000019227-9.dat	dcrat
behavioral1/memory/2584-13-0x0000000000DF0000-0x0000000000F00000-memory.dmp	dcrat
behavioral1/memory/1352-39-0x0000000000860000-0x0000000000970000-memory.dmp	dcrat
behavioral1/memory/544-110-0x0000000000F10000-0x0000000001020000-memory.dmp	dcrat
behavioral1/memory/1540-229-0x0000000001380000-0x0000000001490000-memory.dmp	dcrat
behavioral1/memory/2724-585-0x0000000000230000-0x0000000000340000-memory.dmp	dcrat
behavioral1/memory/696-645-0x0000000000260000-0x0000000000370000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1672	powershell.exe
2376	powershell.exe
852	powershell.exe
1732	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2584	DllCommonsvc.exe
1352	conhost.exe
544	conhost.exe
2636	conhost.exe
1540	conhost.exe
1572	conhost.exe
2544	conhost.exe
2748	conhost.exe
1948	conhost.exe
2972	conhost.exe
2724	conhost.exe
696	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2348	cmd.exe
2348	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
27	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
24	raw.githubusercontent.com
34	raw.githubusercontent.com
37	raw.githubusercontent.com
40	raw.githubusercontent.com
4	raw.githubusercontent.com
17	raw.githubusercontent.com
20	raw.githubusercontent.com
31	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\csrss.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Temp\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\088424020bedd6	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_27108950380722927f768c875bf2df17d2f2107aceb4a8db789e9029728561ab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2772	schtasks.exe
2808	schtasks.exe
2712	schtasks.exe
868	schtasks.exe
2912	schtasks.exe
2828	schtasks.exe
2656	schtasks.exe
2688	schtasks.exe
2240	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2584	DllCommonsvc.exe
2584	DllCommonsvc.exe
2584	DllCommonsvc.exe
1672	powershell.exe
2376	powershell.exe
1732	powershell.exe
852	powershell.exe
1352	conhost.exe
544	conhost.exe
2636	conhost.exe
1540	conhost.exe
1572	conhost.exe
2544	conhost.exe
2748	conhost.exe
1948	conhost.exe
2972	conhost.exe
2724	conhost.exe
696	conhost.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2584	DllCommonsvc.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	1352	conhost.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	544	conhost.exe
Token: SeDebugPrivilege	2636	conhost.exe
Token: SeDebugPrivilege	1540	conhost.exe
Token: SeDebugPrivilege	1572	conhost.exe
Token: SeDebugPrivilege	2544	conhost.exe
Token: SeDebugPrivilege	2748	conhost.exe
Token: SeDebugPrivilege	1948	conhost.exe
Token: SeDebugPrivilege	2972	conhost.exe
Token: SeDebugPrivilege	2724	conhost.exe
Token: SeDebugPrivilege	696	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2412	2424	JaffaCakes118_27108950380722927f768c875bf2df17d2f2107aceb4a8db789e9029728561ab.exe	30
PID 2424 wrote to memory of 2412	2424	JaffaCakes118_27108950380722927f768c875bf2df17d2f2107aceb4a8db789e9029728561ab.exe	30
PID 2424 wrote to memory of 2412	2424	JaffaCakes118_27108950380722927f768c875bf2df17d2f2107aceb4a8db789e9029728561ab.exe	30
PID 2424 wrote to memory of 2412	2424	JaffaCakes118_27108950380722927f768c875bf2df17d2f2107aceb4a8db789e9029728561ab.exe	30
PID 2412 wrote to memory of 2348	2412	WScript.exe	32
PID 2412 wrote to memory of 2348	2412	WScript.exe	32
PID 2412 wrote to memory of 2348	2412	WScript.exe	32
PID 2412 wrote to memory of 2348	2412	WScript.exe	32
PID 2348 wrote to memory of 2584	2348	cmd.exe	34
PID 2348 wrote to memory of 2584	2348	cmd.exe	34
PID 2348 wrote to memory of 2584	2348	cmd.exe	34
PID 2348 wrote to memory of 2584	2348	cmd.exe	34
PID 2584 wrote to memory of 1672	2584	DllCommonsvc.exe	45
PID 2584 wrote to memory of 1672	2584	DllCommonsvc.exe	45
PID 2584 wrote to memory of 1672	2584	DllCommonsvc.exe	45
PID 2584 wrote to memory of 2376	2584	DllCommonsvc.exe	46
PID 2584 wrote to memory of 2376	2584	DllCommonsvc.exe	46
PID 2584 wrote to memory of 2376	2584	DllCommonsvc.exe	46
PID 2584 wrote to memory of 1732	2584	DllCommonsvc.exe	47
PID 2584 wrote to memory of 1732	2584	DllCommonsvc.exe	47
PID 2584 wrote to memory of 1732	2584	DllCommonsvc.exe	47
PID 2584 wrote to memory of 852	2584	DllCommonsvc.exe	48
PID 2584 wrote to memory of 852	2584	DllCommonsvc.exe	48
PID 2584 wrote to memory of 852	2584	DllCommonsvc.exe	48
PID 2584 wrote to memory of 1352	2584	DllCommonsvc.exe	53
PID 2584 wrote to memory of 1352	2584	DllCommonsvc.exe	53
PID 2584 wrote to memory of 1352	2584	DllCommonsvc.exe	53
PID 1352 wrote to memory of 108	1352	conhost.exe	54
PID 1352 wrote to memory of 108	1352	conhost.exe	54
PID 1352 wrote to memory of 108	1352	conhost.exe	54
PID 108 wrote to memory of 716	108	cmd.exe	56
PID 108 wrote to memory of 716	108	cmd.exe	56
PID 108 wrote to memory of 716	108	cmd.exe	56
PID 108 wrote to memory of 544	108	cmd.exe	57
PID 108 wrote to memory of 544	108	cmd.exe	57
PID 108 wrote to memory of 544	108	cmd.exe	57
PID 544 wrote to memory of 2868	544	conhost.exe	58
PID 544 wrote to memory of 2868	544	conhost.exe	58
PID 544 wrote to memory of 2868	544	conhost.exe	58
PID 2868 wrote to memory of 2912	2868	cmd.exe	60
PID 2868 wrote to memory of 2912	2868	cmd.exe	60
PID 2868 wrote to memory of 2912	2868	cmd.exe	60
PID 2868 wrote to memory of 2636	2868	cmd.exe	61
PID 2868 wrote to memory of 2636	2868	cmd.exe	61
PID 2868 wrote to memory of 2636	2868	cmd.exe	61
PID 2636 wrote to memory of 1688	2636	conhost.exe	62
PID 2636 wrote to memory of 1688	2636	conhost.exe	62
PID 2636 wrote to memory of 1688	2636	conhost.exe	62
PID 1688 wrote to memory of 2736	1688	cmd.exe	64
PID 1688 wrote to memory of 2736	1688	cmd.exe	64
PID 1688 wrote to memory of 2736	1688	cmd.exe	64
PID 1688 wrote to memory of 1540	1688	cmd.exe	65
PID 1688 wrote to memory of 1540	1688	cmd.exe	65
PID 1688 wrote to memory of 1540	1688	cmd.exe	65
PID 1540 wrote to memory of 2288	1540	conhost.exe	66
PID 1540 wrote to memory of 2288	1540	conhost.exe	66
PID 1540 wrote to memory of 2288	1540	conhost.exe	66
PID 2288 wrote to memory of 1600	2288	cmd.exe	68
PID 2288 wrote to memory of 1600	2288	cmd.exe	68
PID 2288 wrote to memory of 1600	2288	cmd.exe	68
PID 2288 wrote to memory of 1572	2288	cmd.exe	69
PID 2288 wrote to memory of 1572	2288	cmd.exe	69
PID 2288 wrote to memory of 1572	2288	cmd.exe	69
PID 1572 wrote to memory of 2984	1572	conhost.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_27108950380722927f768c875bf2df17d2f2107aceb4a8db789e9029728561ab.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_27108950380722927f768c875bf2df17d2f2107aceb4a8db789e9029728561ab.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
    - - C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1352
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:108
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:716
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\34gW2xHJWZ.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2912
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fcYyv3mAUp.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2736
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aWJwCUxpp4.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1600
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZBm8ilTxac.bat"
        14⤵
        
        PID:2984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1124
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kp2dTY47HA.bat"
        16⤵
        
        PID:1884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:760
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat"
        18⤵
        
        PID:2856
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1976
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat"
        20⤵
        
        PID:2380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2100
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat"
        22⤵
        
        PID:2988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2744
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat"
        24⤵
        
        PID:1252
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:920
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat"
        26⤵
        
        PID:948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Temp\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Temp\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ddb4a02b5685b6dbf2e056edaa91395

SHA1
089e3b7af929bef7439fde314af5ad63d81f605e

SHA256
a4304f6afc66ed289175dca63b9cad5da8e40eb7d3d75f081482f110da1abbc6

SHA512
9c93e448c4f9e26eb4ca31b9f247617ba7e0f3f8f2b18d2dc7929a90eda29fbd04449d1ac52dd68925b8156eb064eafe9dc2814c17c648e78df332564c75bf40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ed892e0695ce86701af1ee1b52a9351

SHA1
0c13c50ca0bea5d28521063193e1c5a0e22d5b9b

SHA256
442ed825f966b8ee13a6bd3742ae2689156f650b522930a748b5e3ba1320f9bd

SHA512
3aff2bd6ca8609a675736086099d4384c59284d5731079d2f94b65d6f31524cfa9a10870f1a002f64235f16bd61c61955271581b0c3776ff973e0c1aaeecdfb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0cbaaf377be99014de56c1cdc225c025

SHA1
54d290de78b305dd066840263504976fa348fd96

SHA256
9a42ec53cef95cfb505515c24dcd78802ff31633604fa6f2f520c486dc115e2d

SHA512
775098ab0dee095f0c40c8157a18887ae51d75d1f7c052a1f3e51702c72feb07c0ff58ebfae0f8ed800ee2714d6dc247868242f6c1679b0c0ff6612317b993ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a24d27ebe0eebc10ec9fb455d646a59

SHA1
4c613e7f18f48edd904bb6f88a9eaf1431cce641

SHA256
fb29acb8fe0dc5f866286a598d7ed53ce208d5dbe415e1b456f3242ade717625

SHA512
275b6909ba03aadcda696f3250102627b1968ca355ecc7ca955a89aab9b81bfe7279c75ba1a32214170db6220ede900889f8d7220b286b64d2d65ec979969864

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4dcea41ebc7ba8fbdab0c798e9d65ce9

SHA1
a766b951a699ddfcb0b994bfd9fbbcabc75f0c32

SHA256
0a594ffdf344fb5ac471646ae4132620337a70f4a46b1ded6f00c4db4e6442ef

SHA512
a9e9f190f8427bb3bc6627f56eb4db4e943789db6a3f05d304d5dce2242cafb6b8e8950c703bdd56a904dbc873fbfdb7145777d132358efd1a73893ba38c3851

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
888660d8a20d64f5703b65c0d4601d30

SHA1
d329c950d948136be62961c6ff09e467388ea5f1

SHA256
61a0db4e8d1a9cd061a51340c16eb9b4ff8b470140cd8084fa479553e597b0d8

SHA512
8e9e5e1a38c6ab0745846e0e2082959e4f19d2077cdc933d1e7610b8d2f750dbb8a77f3bfbd4e371aa5efeed7bf74aeada907de2b6864c5513984da8f533695e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d05ed70c963740d1c9a8737d34ebf49b

SHA1
e33b5892d4d6fb32d48184decbd952d3617b7e4d

SHA256
c7b80641f69c8ae1f545356667a7a7b64bd46fa23fbcf5617d66789986bb11dd

SHA512
ecb2a1becd4f5f239088034cf6b56462c92f48bffa5a76268c652f89dcf7e3d4a66d277f399bb80f40dc5f3b580e013762ccbf07bd4f035c6839f19f7aebfa7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be7c972ad98dd719393e9c752d6069db

SHA1
da230c2ee0cac108b74c9959918a9e0bc675ecc6

SHA256
1f68b9f735a6e4530e717ce29adaef12986079642b050c4fab4b247cc4759696

SHA512
00a1c4808e73a5784e9fb3baebaadcedec8abb406a88ce6847bc34b3575853604b9a52a4435a15372a0dd04c6587570f8a5587497a13950f2de2be3e67419b2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae4d94beda9beecdd0d8b446759be2ea

SHA1
def0a42cb938cf6086273751741be6cb7914eb93

SHA256
566be3f727615aac4a6e746d27ff817cf79fd073408831bb5ce84ec37ae3a3a7

SHA512
c5f6f54fbf2591917fedca0e7816e0ffa9478de33c9a0966b7bbceaba440fc25af127084497d69073fc1e7c8beff021343ff5b44c324fb84f0b5fe95d04ccd9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01c8c3d299e1877590c49fa7b67dfdbf

SHA1
678bd07cf780e15deb66a6369355e02fea0c1945

SHA256
596285dfb0ddc4ecbba3ce868ff706c71c93e261b1a346cbdb4b6f5c2726dc5b

SHA512
18acb244ccc5b59f1c76e9c0646d69b23dafc23bab5db23c5686b0d42796779470da7d4dffc4bc15690dc2fe37f72bfc7391db37368f6e44afb0977f5dd4c1b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\34gW2xHJWZ.bat

Filesize
232B

MD5
a54a694b4387b2495756b569adef2104

SHA1
7ac77eac8ef8750b44fce553148ca0b60aa07d3c

SHA256
2d9b88bc8ba00b82aba030fd11b07865eac2c218e0f3139d321b100c27df5d11

SHA512
694f7d933895b674db7a9ad11c4029126fe43fe0249f156f38ab436c4b82f72de9fc952f2386c112f4a552bd5dbb1a82aa2f6169a1df81dbdb3f8129b900fe7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat

Filesize
232B

MD5
817d960156b04a4f066795340bdf8f4b

SHA1
e664a7f453de2661ba3d33bc7257ad2c69ed6e71

SHA256
d0781c206c74428ea536dd0f28084c43d5db2747d470a3fbbc4856f3baeadb86

SHA512
051c7a3c2fdd45a27b2e1d502297202cbb0c91d5bc6319110e0a96fdfdf52399cfd3d81f37e7cf79aee1bba19cd81e79f6fef1bbb9cc79686ee88334c46d2fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFF57.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat

Filesize
232B

MD5
e2a5973b3b7898fd78dfb456c50cf6f3

SHA1
529c89a48887a149a4e8f1a49ae3d4f91e75f360

SHA256
d9840053e4362496ec93d13953a4ff2b162da124cc1a2c8fe115009eb61f1f8a

SHA512
4dbdcb004dc6982becb8404c0e07b0aa8c6fc9ead5400fe587912cc5830a7daa3d4c46da86147931f93c8de917fef5d59e560ceda4df67e16d8b761931f49bf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat

Filesize
232B

MD5
62fda2cb13de53fe2c5d158f1a150e20

SHA1
134b9ed716e157e5a0652f426327425a3c1c6f8c

SHA256
610a9eefb9a51a3c95cdd5b7004225aca0d7ded602cc7b1c93dfb27a4585ab38

SHA512
5d58b04fb44b3349815d85f1e49108de484b0637870a43a98554908a22891ca697931ec254a6178e46e690254be03621eef1ed70e4bde7aad37c9cf86d649470

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFF79.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZBm8ilTxac.bat

Filesize
232B

MD5
ed07324a14c54f6d3ffd6986e34f7c4f

SHA1
ae863d55173167ea3be2a479a294ce123a10a30b

SHA256
9d5b36ad74c47f63b81e78ffd4b986016eb386763043f4a690e4ff8e5c8133be

SHA512
dd08eeca5134e3120135395602b5bb94d468eec4b7461e44af026ab93f0c046299ce6cebbc4583be5f279db1225db0a4aa0a4a78247169e6289c2b0ae5f7981b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat

Filesize
232B

MD5
7215adcca3c8609a6bd411c7cfb9152e

SHA1
44fc1507c23c94dc3c248d581c8a12de4e5cafe0

SHA256
24a07523d9ba3fd89dfbafae8cba3ca6d9a60f2edcba8b6a7f1088bc7a8b19dd

SHA512
19d5dd7f26d9b736b12c62402879c16279cf640ed5b80807db389e4c9091cbcfd61f4d0ac6fc77a773ff0b99e3c586dc9f2a58fc2685d66128ea71c21f02355c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aWJwCUxpp4.bat

Filesize
232B

MD5
1945d8a376aa225240a2fe3214db8251

SHA1
86c17bf4db83a4ac4955b8b92b10c53f140fe2d8

SHA256
d54078d6cde8821e449240342b3c2cb25a394409c6411826a1bc48a18844c69e

SHA512
8cc50890ea7aaf8bb9da0dae36fa59b2b718f1e7b85b6545e6306cd842e0399876c7c5ee7c52ed119c72bcd1347aa6118a01884ef692186c626c83bb58ec889c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcYyv3mAUp.bat

Filesize
232B

MD5
af28efbbe7fa56161e37212c89ec2a51

SHA1
74f6e2e90d15eba3d013729ec6d262968463037d

SHA256
6e8297c72262b695236e59f276f9101ae2d203505f38392638ac8786d6dcff12

SHA512
82e45e3d7c6b07b197dcd3778635eb0cccc5ce92e617c9f34dfcd15eec32e8bc6cb827bd94b169abf0c1012f48e7ade962c00f80f6083e72e3163a5898576414

Download Submit
C:\Users\Admin\AppData\Local\Temp\kp2dTY47HA.bat

Filesize
232B

MD5
6e844c2450d7b862f74beffd7c70bdd7

SHA1
b80b8ec6b7170ae27799ba00fea5147de06756be

SHA256
5934c970fe269b71611f5e6a0b01190720114bb52154f43a304cb42a5528ec99

SHA512
d4d22a18258d7033ed073e14719a6748203fd19c1e50f902e906cb342a4f308d7b04889a9dabf17d3debc1afb9fdbd26d6cf86a8d303ce0521dc39d2344ff6a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat

Filesize
232B

MD5
c1dbd52e1e7898e7e4bd2c198923c5d2

SHA1
9806c9b0649b0a9c44ec9c160946f818d8416090

SHA256
32980bdf1f2d58fca2650619b81860fd88ed226d4e74788022783c57b88dee48

SHA512
6d63784ddaef2c245a1501f0444d75b2a44c6a42688e2468a744588fb0ffe8bbef06cdf3db91f204c4be76d2e663b940a087198193a7ad2fbf0773818e2d898c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat

Filesize
232B

MD5
2a58ce25a1ba2d11ddebc7bc3e91e635

SHA1
3ca6672161a132ca0d4dd1e60254ce84ee4dc972

SHA256
73ac277728d1853a1820923cd2eb529f7d150895c9012152bb584147d93cc788

SHA512
6952f7bd3e6d7077e501afa7748d38d2d344f2134278176702e29e23478887cff3a8435b6bf36f32f1145bfd6250b11f5decfa7f6acf5d5421df4928c75cba4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NVHYR43RD0W331VEYP2R.temp

Filesize
7KB

MD5
3eb9de773a07939400428963b0388f5e

SHA1
7c585ae6707c1b818c34337c80bf982d0e6ec5f4

SHA256
9ad142ba0cd3b02f3ddfdbc3117de021586fb250f203aad6111a0b5d13de43a0

SHA512
2d39fc664d6d1234a28cf1851f160c88f24905fc03157fc1d74b76236d7227eced767f0b4dc1fd43c7bf3f0d9ca4cd6d101770fb1395d31d672a8429844339ad

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/544-110-0x0000000000F10000-0x0000000001020000-memory.dmp

Filesize
1.1MB

Download
memory/696-646-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/696-645-0x0000000000260000-0x0000000000370000-memory.dmp

Filesize
1.1MB

Download
memory/1352-39-0x0000000000860000-0x0000000000970000-memory.dmp

Filesize
1.1MB

Download
memory/1540-229-0x0000000001380000-0x0000000001490000-memory.dmp

Filesize
1.1MB

Download
memory/1672-40-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/1672-41-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/1948-466-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2584-17-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download
memory/2584-16-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/2584-15-0x00000000001D0000-0x00000000001DC000-memory.dmp

Filesize
48KB

Download
memory/2584-14-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2584-13-0x0000000000DF0000-0x0000000000F00000-memory.dmp

Filesize
1.1MB

Download
memory/2724-585-0x0000000000230000-0x0000000000340000-memory.dmp

Filesize
1.1MB

Download