dcrat | 095c1925016cafb81d78efe233fad4fb48d64dc92ba68515c1b94485f1fa1d7b

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_095c1925016cafb81d78efe233fad4fb48d64dc92ba68515c1b94485f1fa1d7b.exe
Size

1.3MB
MD5

35d776c1df4ca2eca7d71f8f8e177f1e
SHA1

f46c242c18994c08707f23a3842f0b5db3f4f628
SHA256

095c1925016cafb81d78efe233fad4fb48d64dc92ba68515c1b94485f1fa1d7b
SHA512

17a2e17f6f4cfe711f71eb501a253bdc7aa1d4890cd23fdb1d03f9db075a7d5564336ed6da7997f7d3d98a0bfd44b6295e7df7448e6196427fb81064edea53a8
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2652	schtasks.exe	35

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016858-10.dat	dcrat
behavioral1/memory/488-13-0x00000000010A0000-0x00000000011B0000-memory.dmp	dcrat
behavioral1/memory/2028-73-0x0000000001150000-0x0000000001260000-memory.dmp	dcrat
behavioral1/memory/2792-132-0x0000000000180000-0x0000000000290000-memory.dmp	dcrat
behavioral1/memory/1492-192-0x0000000000FC0000-0x00000000010D0000-memory.dmp	dcrat
behavioral1/memory/2212-311-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/2888-372-0x0000000000F70000-0x0000000001080000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1064	powershell.exe
1612	powershell.exe
2000	powershell.exe
1688	powershell.exe
1944	powershell.exe
472	powershell.exe
1984	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
488	DllCommonsvc.exe
2028	lsass.exe
2792	lsass.exe
1492	lsass.exe
2584	lsass.exe
2212	lsass.exe
2888	lsass.exe
1792	lsass.exe
2140	lsass.exe
888	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
2708	cmd.exe
2708	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
25	raw.githubusercontent.com
29	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\6203df4a6bafc7	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\lsm.exe	DllCommonsvc.exe
File created	C:\Windows\de-DE\101b941d020240	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_095c1925016cafb81d78efe233fad4fb48d64dc92ba68515c1b94485f1fa1d7b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2932	schtasks.exe
2876	schtasks.exe
2052	schtasks.exe
1108	schtasks.exe
2888	schtasks.exe
352	schtasks.exe
1444	schtasks.exe
3064	schtasks.exe
2356	schtasks.exe
1672	schtasks.exe
1152	schtasks.exe
2516	schtasks.exe
2616	schtasks.exe
2636	schtasks.exe
2736	schtasks.exe
1736	schtasks.exe
1092	schtasks.exe
1604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
488	DllCommonsvc.exe
1612	powershell.exe
1688	powershell.exe
472	powershell.exe
1944	powershell.exe
1064	powershell.exe
2000	powershell.exe
1984	powershell.exe
2028	lsass.exe
2792	lsass.exe
1492	lsass.exe
2584	lsass.exe
2212	lsass.exe
2888	lsass.exe
1792	lsass.exe
2140	lsass.exe
888	lsass.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	488	DllCommonsvc.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	472	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	2028	lsass.exe
Token: SeDebugPrivilege	2792	lsass.exe
Token: SeDebugPrivilege	1492	lsass.exe
Token: SeDebugPrivilege	2584	lsass.exe
Token: SeDebugPrivilege	2212	lsass.exe
Token: SeDebugPrivilege	2888	lsass.exe
Token: SeDebugPrivilege	1792	lsass.exe
Token: SeDebugPrivilege	2140	lsass.exe
Token: SeDebugPrivilege	888	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2548	2196	JaffaCakes118_095c1925016cafb81d78efe233fad4fb48d64dc92ba68515c1b94485f1fa1d7b.exe	30
PID 2196 wrote to memory of 2548	2196	JaffaCakes118_095c1925016cafb81d78efe233fad4fb48d64dc92ba68515c1b94485f1fa1d7b.exe	30
PID 2196 wrote to memory of 2548	2196	JaffaCakes118_095c1925016cafb81d78efe233fad4fb48d64dc92ba68515c1b94485f1fa1d7b.exe	30
PID 2196 wrote to memory of 2548	2196	JaffaCakes118_095c1925016cafb81d78efe233fad4fb48d64dc92ba68515c1b94485f1fa1d7b.exe	30
PID 2548 wrote to memory of 2708	2548	WScript.exe	32
PID 2548 wrote to memory of 2708	2548	WScript.exe	32
PID 2548 wrote to memory of 2708	2548	WScript.exe	32
PID 2548 wrote to memory of 2708	2548	WScript.exe	32
PID 2708 wrote to memory of 488	2708	cmd.exe	34
PID 2708 wrote to memory of 488	2708	cmd.exe	34
PID 2708 wrote to memory of 488	2708	cmd.exe	34
PID 2708 wrote to memory of 488	2708	cmd.exe	34
PID 488 wrote to memory of 1688	488	DllCommonsvc.exe	54
PID 488 wrote to memory of 1688	488	DllCommonsvc.exe	54
PID 488 wrote to memory of 1688	488	DllCommonsvc.exe	54
PID 488 wrote to memory of 1944	488	DllCommonsvc.exe	55
PID 488 wrote to memory of 1944	488	DllCommonsvc.exe	55
PID 488 wrote to memory of 1944	488	DllCommonsvc.exe	55
PID 488 wrote to memory of 472	488	DllCommonsvc.exe	56
PID 488 wrote to memory of 472	488	DllCommonsvc.exe	56
PID 488 wrote to memory of 472	488	DllCommonsvc.exe	56
PID 488 wrote to memory of 1984	488	DllCommonsvc.exe	57
PID 488 wrote to memory of 1984	488	DllCommonsvc.exe	57
PID 488 wrote to memory of 1984	488	DllCommonsvc.exe	57
PID 488 wrote to memory of 1064	488	DllCommonsvc.exe	58
PID 488 wrote to memory of 1064	488	DllCommonsvc.exe	58
PID 488 wrote to memory of 1064	488	DllCommonsvc.exe	58
PID 488 wrote to memory of 1612	488	DllCommonsvc.exe	59
PID 488 wrote to memory of 1612	488	DllCommonsvc.exe	59
PID 488 wrote to memory of 1612	488	DllCommonsvc.exe	59
PID 488 wrote to memory of 2000	488	DllCommonsvc.exe	60
PID 488 wrote to memory of 2000	488	DllCommonsvc.exe	60
PID 488 wrote to memory of 2000	488	DllCommonsvc.exe	60
PID 488 wrote to memory of 3056	488	DllCommonsvc.exe	65
PID 488 wrote to memory of 3056	488	DllCommonsvc.exe	65
PID 488 wrote to memory of 3056	488	DllCommonsvc.exe	65
PID 3056 wrote to memory of 540	3056	cmd.exe	70
PID 3056 wrote to memory of 540	3056	cmd.exe	70
PID 3056 wrote to memory of 540	3056	cmd.exe	70
PID 3056 wrote to memory of 2028	3056	cmd.exe	71
PID 3056 wrote to memory of 2028	3056	cmd.exe	71
PID 3056 wrote to memory of 2028	3056	cmd.exe	71
PID 2028 wrote to memory of 2640	2028	lsass.exe	72
PID 2028 wrote to memory of 2640	2028	lsass.exe	72
PID 2028 wrote to memory of 2640	2028	lsass.exe	72
PID 2640 wrote to memory of 2120	2640	cmd.exe	74
PID 2640 wrote to memory of 2120	2640	cmd.exe	74
PID 2640 wrote to memory of 2120	2640	cmd.exe	74
PID 2640 wrote to memory of 2792	2640	cmd.exe	75
PID 2640 wrote to memory of 2792	2640	cmd.exe	75
PID 2640 wrote to memory of 2792	2640	cmd.exe	75
PID 2792 wrote to memory of 2916	2792	lsass.exe	76
PID 2792 wrote to memory of 2916	2792	lsass.exe	76
PID 2792 wrote to memory of 2916	2792	lsass.exe	76
PID 2916 wrote to memory of 2448	2916	cmd.exe	78
PID 2916 wrote to memory of 2448	2916	cmd.exe	78
PID 2916 wrote to memory of 2448	2916	cmd.exe	78
PID 2916 wrote to memory of 1492	2916	cmd.exe	79
PID 2916 wrote to memory of 1492	2916	cmd.exe	79
PID 2916 wrote to memory of 1492	2916	cmd.exe	79
PID 1492 wrote to memory of 2352	1492	lsass.exe	80
PID 1492 wrote to memory of 2352	1492	lsass.exe	80
PID 1492 wrote to memory of 2352	1492	lsass.exe	80
PID 2352 wrote to memory of 1792	2352	cmd.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_095c1925016cafb81d78efe233fad4fb48d64dc92ba68515c1b94485f1fa1d7b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_095c1925016cafb81d78efe233fad4fb48d64dc92ba68515c1b94485f1fa1d7b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\es-ES\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YDZtC7gNkI.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3056
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:540
      - C:\Program Files (x86)\Windows Sidebar\es-ES\lsass.exe
        
        "C:\Program Files (x86)\Windows Sidebar\es-ES\lsass.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2120
        
        C:\Program Files (x86)\Windows Sidebar\es-ES\lsass.exe
        
        "C:\Program Files (x86)\Windows Sidebar\es-ES\lsass.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V61H6ynXXY.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2448
        
        C:\Program Files (x86)\Windows Sidebar\es-ES\lsass.exe
        
        "C:\Program Files (x86)\Windows Sidebar\es-ES\lsass.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1792
        
        C:\Program Files (x86)\Windows Sidebar\es-ES\lsass.exe
        
        "C:\Program Files (x86)\Windows Sidebar\es-ES\lsass.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvFVSjZSRs.bat"
        13⤵
        
        PID:1308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2252
        
        C:\Program Files (x86)\Windows Sidebar\es-ES\lsass.exe
        
        "C:\Program Files (x86)\Windows Sidebar\es-ES\lsass.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat"
        15⤵
        
        PID:1556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2804
        
        C:\Program Files (x86)\Windows Sidebar\es-ES\lsass.exe
        
        "C:\Program Files (x86)\Windows Sidebar\es-ES\lsass.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nm0aad8I0L.bat"
        17⤵
        
        PID:1696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1588
        
        C:\Program Files (x86)\Windows Sidebar\es-ES\lsass.exe
        
        "C:\Program Files (x86)\Windows Sidebar\es-ES\lsass.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\InhrPXXuGB.bat"
        19⤵
        
        PID:1916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1780
        
        C:\Program Files (x86)\Windows Sidebar\es-ES\lsass.exe
        
        "C:\Program Files (x86)\Windows Sidebar\es-ES\lsass.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9kwbr7Wkdx.bat"
        21⤵
        
        PID:2596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:548
        
        C:\Program Files (x86)\Windows Sidebar\es-ES\lsass.exe
        
        "C:\Program Files (x86)\Windows Sidebar\es-ES\lsass.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c99c4eedbbf150bbecbaead7c884de5a

SHA1
c43648f425defdce7f2f81bfde064c9a75a8a24d

SHA256
81fa63274a0d44224ea8f73022135465074b57003f08968caef5ebd8895e599f

SHA512
55497cf3b2084f2ffb60936c7c220397f8ea98da3c796b815a75a080d491aceacf3466e9bdd7b63a71b77496c9218ca9a8179d19049225ce0c8674df4853e9d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21ef10689eb1c464ac7dc7db4811d448

SHA1
78403984310183fad4aa988181a3a85e43f03f67

SHA256
de0a489c488ea08e137600a21867ab7a405a9954ea2df8e14ba83edffbeceed3

SHA512
e0d65063f9ccb5c687025fff7f9e6eb4beb823cc9e7b2de3c0eca9b24271064f1b80cdb01388f9e2fec973abbfde386a3ffa411df38a1bd128c55b5949aa4bd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa30916ae2aeace9e1c7b4a824187937

SHA1
767cd8e83ba384e876509220bb10ec6278343f2d

SHA256
50d87a4617f5e1c39984b05e612224bffd5269bc1e88824f28960a7082c90463

SHA512
13f6391f8691fdf69394d73c1c01d113fb37517d86695da9ba103dbd69bbd160bf59e8a6be890aa2026a8025d5881bd2f4e1a2ae256b310b5c7b863450be0306

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71706488938be1e018e92ca4ecda7840

SHA1
74b4fac6f17af416f867f09597150a80c731f07e

SHA256
929dea6d00711378d81a080e9305186eca6ab46b420c46d6885cf5d30e782c90

SHA512
a5165e55a276839b104ea77dc2889972b1f2ec04aaa98b05d89f4e2a10852a7dc7058c2e89770c461b4f142025b56f71ee20771ce2fca5c8a82b438ad981b2d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0814fd6b3e6bc998d8e68566cc38affe

SHA1
e1c7a8518eddc196fd48750d79951bb599db34ea

SHA256
c76245a360ae112515d73e60d520dfa3bf444db40131bee45becb84784073f42

SHA512
6cae3d848e8f82f8c8d1f18856ef11fdac6520fa5fcdf958d5af875c3e0edc0ad986de27bebce9e6a4f4e4e2c1c99724d9b64baaa41e0a8ad728d0fa5b183179

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bcef1cda35106c554d9b06f011b58f88

SHA1
3ee514dc80f8f5ed04660a783004901fb4050c80

SHA256
ae2e03a706db05128242754f6eaa16cbc2e381cefe0b3697899fdfcfcd9a73e3

SHA512
7d48a357196249fc4c2cdca011389f03a051dea0a1ddff21273ca4a01a7602594fde68880f4886530b5eec04c622612bd8a875850c6c98d2a82aed0945ca8c61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61c1836a52e76273196cc1c86a24beb3

SHA1
cdc205cb336dd1e56535f3e574392718591d3f7b

SHA256
0a931231ad3b487a1db663ed312bc5852e4cc035dfacf22acb4a94612e3ce3f9

SHA512
f6847cf3ec6a82257e79482cad22841827333a3376032ef4c58319bab79cc63ff4b246e99aaf34f645300c0bcf64712a59389ccfc0f2ce3cbb9f1ad8d506cf80

Download Submit
C:\Users\Admin\AppData\Local\Temp\9kwbr7Wkdx.bat

Filesize
219B

MD5
5d3e871e6dd6cb77ebd1814050cf2dbb

SHA1
ff667d9f80f08d62e5ae5186f7989d817c98f942

SHA256
0ed571a6e70733d2872a86bbe776bc6a24f45a4850f6b72ae9280cb78526ad98

SHA512
0dad83bd3fd979ee176d40e7f171d5da4db6940001f9e1b6a0d26867d390b938332b08ac3d2283d58aa92eb7cb271e9ca22a92cb7c09ad1bf9fc22a5fa365a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat

Filesize
219B

MD5
4eedc22c7a215af5bb069dfa3746d5b7

SHA1
e84d584805cd57ba1d74de790501ccfb00bb6e44

SHA256
ff37f47c8585fe125f7aa57f59426202711702ddbf92db305b2e515e83752879

SHA512
1d18272b4420885f9f88da5c3652a84870c7e6df78d61bb5066db08c0137b8e7a5fc0dcf82b231a5111c13f57c2269c0b6c732e2013ff9842346b9bc1958ecc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB68.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GvFVSjZSRs.bat

Filesize
219B

MD5
26720b5751ac6f4570456e88afa8f450

SHA1
6b788333f70733d00bc2e0c77dcecc665ee02bd8

SHA256
8cb483d8a72e2d661497345f8528987e9b90bf961e993077c9fd556c7d34ef2a

SHA512
f17701680ad20ec81e56539c0d554f5556576aa27cc0cea393cf7bf3d2cf683dc0939b388d7e2cafcc8f6fb50ef0d2a5899fdf6ab7e9e27e1b3c7bfa2a3a556a

Download Submit
C:\Users\Admin\AppData\Local\Temp\InhrPXXuGB.bat

Filesize
219B

MD5
c9875b029a415e556ed50a66ce62f012

SHA1
b114d7e1e53d1c06ae6d5dd6c0c4ca80fd47c37f

SHA256
16d366763cfa8abb55e24c6276c956a4acbaf31818b05408e3a7eab22238eec9

SHA512
7266d97589c82de6010067a0b283a73e990d601a3ddde12ced4ff0b0454814a100be73fb1e2e5e7bed899cbb91eb0cbf907b7eda2321ed35caf148afa00f67ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat

Filesize
219B

MD5
4a2d0057289a427076aa201008fdf004

SHA1
b76178094bdf9fc0b22d781be782a11bed191085

SHA256
5eca34232f6f6816faa2443508c3afeb3a3053c532db61ac6cec6259b2a34f1a

SHA512
37d061cc20162c009f33aa5b32820174589e0454ab0cd98f8d7fdab8e745b442289144091131b19b853fbcb181c66afdce71905f06797c2e0dfc07d14644c3f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nm0aad8I0L.bat

Filesize
219B

MD5
5e678e588371d4ccc37dc2fc918929d6

SHA1
b10b604a1a494c5e4d1267f2d46283bc3d1d62e2

SHA256
f0e9d047b3a207ca350621a6619aab55226491c355e4e8070913575c0c866de8

SHA512
dd1717f5f656a428f0988d760fe3fa00e4186e7a1bd2a143789f94d7d9f65d54e2dd14995dcc78bcc59880cc5439d828285bca5f86aa9fe7b849a494381854fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB7B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\V61H6ynXXY.bat

Filesize
219B

MD5
851bfc885048044b453f5e88936e5ea1

SHA1
6287a0b84e872130c7bda13c12a33ffaf5dd456f

SHA256
a501d68a0336187a5dda6d53cad3cbe91687c87a8cceeabed68b8d6e8f19c07a

SHA512
2bab4a924d9ceb4b5c9da4d01bb829664526eab31e46c606018408d065b0fb8360d4f774478232c8e41da6093a3fae88d410ded8003ad75b3476fcb55e796e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\YDZtC7gNkI.bat

Filesize
219B

MD5
cfe1ff09f6beac849c4bad7be141492e

SHA1
fa841875636f3a9b79fc8c7b465579a00fa2875c

SHA256
6483ada6470a3d11797ad2cd1519d8ab40bec3ccadbd465fe6bf3d0444ac2b5b

SHA512
114f86bc753b8009792fdb7cea2ab75ca478c32d33fd8e51b965f1fc97a68e2afc82485eb89b5962f4a9a460570e2bd99a7e5cb8fe0a3c306c6f300da041cdeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat

Filesize
219B

MD5
ebad7647306b75b26fb57f7d347faff3

SHA1
3885899eaa23b27ed4148ba7a04b6cd2e45d5651

SHA256
c8b15638159e17db969f4092d95bd2eca4188e28ec2e0d46efd7d2e5caf67b85

SHA512
f30f44b17ac2f143206b1428fa3e84c1c8520d07d66a576b4ab1039be782e401cb5320ce5f36ee47386deffb2e9999408c6b8b79e61bb41493281d1d5c9a26ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d96dc243875fecce2dc3e455d8ccfcca

SHA1
3035cd9ac816d092c97d294359498b26f34c97dd

SHA256
42ed4de42c08e420a0bf8244f0ba726b0dc838889e3dd7b2d4de34bce83416c9

SHA512
c07eb7220239b032442c64aad24ed98aad5aae23eb795382abbdb4b790be9c2626f077e1c4c31e245457d3293d52c33a26fcd5777830aecd56540eeec6afb100

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/488-15-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/488-16-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/488-13-0x00000000010A0000-0x00000000011B0000-memory.dmp

Filesize
1.1MB

Download
memory/488-14-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/488-17-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/1492-192-0x0000000000FC0000-0x00000000010D0000-memory.dmp

Filesize
1.1MB

Download
memory/1612-45-0x0000000002330000-0x0000000002338000-memory.dmp

Filesize
32KB

Download
memory/1688-43-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2028-73-0x0000000001150000-0x0000000001260000-memory.dmp

Filesize
1.1MB

Download
memory/2140-491-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/2212-312-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2212-311-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download
memory/2792-132-0x0000000000180000-0x0000000000290000-memory.dmp

Filesize
1.1MB

Download
memory/2888-372-0x0000000000F70000-0x0000000001080000-memory.dmp

Filesize
1.1MB

Download