dcrat | 093b7e95d3d1c10b0289246bd79d9c9c4ac0012d4b19544f526b9ac965eed471

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_093b7e95d3d1c10b0289246bd79d9c9c4ac0012d4b19544f526b9ac965eed471.exe
Size

1.3MB
MD5

7b27f3a94280a7b2fd587bcc61b0b766
SHA1

4433b22fff151f69ac1befeeb1e6eafdafd9518b
SHA256

093b7e95d3d1c10b0289246bd79d9c9c4ac0012d4b19544f526b9ac965eed471
SHA512

133b379958caaf48965fb089ac3a1c81a4980678120f9a596c2567601ea9562af58f4179c975f3eeff3c2edee395cf628531f523796b4a9fa8f5ddbaae4c69df
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2640	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2640	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2640	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2640	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2640	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2640	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2640	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2640	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2640	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001922c-11.dat	dcrat
behavioral1/memory/2060-13-0x00000000012F0000-0x0000000001400000-memory.dmp	dcrat
behavioral1/memory/2788-37-0x0000000000200000-0x0000000000310000-memory.dmp	dcrat
behavioral1/memory/1572-107-0x00000000001C0000-0x00000000002D0000-memory.dmp	dcrat
behavioral1/memory/1028-167-0x0000000000CA0000-0x0000000000DB0000-memory.dmp	dcrat
behavioral1/memory/2236-227-0x0000000000010000-0x0000000000120000-memory.dmp	dcrat
behavioral1/memory/2904-287-0x0000000001300000-0x0000000001410000-memory.dmp	dcrat
behavioral1/memory/1588-465-0x00000000000A0000-0x00000000001B0000-memory.dmp	dcrat
behavioral1/memory/1912-525-0x0000000000960000-0x0000000000A70000-memory.dmp	dcrat
behavioral1/memory/2580-585-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
688	powershell.exe
1288	powershell.exe
2776	powershell.exe
1588	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2060	DllCommonsvc.exe
2788	explorer.exe
1572	explorer.exe
1028	explorer.exe
2236	explorer.exe
2904	explorer.exe
712	explorer.exe
2588	explorer.exe
1588	explorer.exe
1912	explorer.exe
2580	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2428	cmd.exe
2428	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
37	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\088424020bedd6	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\audiodg.exe	DllCommonsvc.exe
File created	C:\Windows\AppCompat\Programs\42af1c969fbb7b	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_093b7e95d3d1c10b0289246bd79d9c9c4ac0012d4b19544f526b9ac965eed471.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2584	schtasks.exe
2692	schtasks.exe
2852	schtasks.exe
2280	schtasks.exe
2544	schtasks.exe
536	schtasks.exe
2352	schtasks.exe
2652	schtasks.exe
2180	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2060	DllCommonsvc.exe
2060	DllCommonsvc.exe
2060	DllCommonsvc.exe
1288	powershell.exe
688	powershell.exe
1588	powershell.exe
2776	powershell.exe
2788	explorer.exe
1572	explorer.exe
1028	explorer.exe
2236	explorer.exe
2904	explorer.exe
712	explorer.exe
2588	explorer.exe
1588	explorer.exe
1912	explorer.exe
2580	explorer.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2060	DllCommonsvc.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2788	explorer.exe
Token: SeDebugPrivilege	1572	explorer.exe
Token: SeDebugPrivilege	1028	explorer.exe
Token: SeDebugPrivilege	2236	explorer.exe
Token: SeDebugPrivilege	2904	explorer.exe
Token: SeDebugPrivilege	712	explorer.exe
Token: SeDebugPrivilege	2588	explorer.exe
Token: SeDebugPrivilege	1588	explorer.exe
Token: SeDebugPrivilege	1912	explorer.exe
Token: SeDebugPrivilege	2580	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1660	2328	JaffaCakes118_093b7e95d3d1c10b0289246bd79d9c9c4ac0012d4b19544f526b9ac965eed471.exe	30
PID 2328 wrote to memory of 1660	2328	JaffaCakes118_093b7e95d3d1c10b0289246bd79d9c9c4ac0012d4b19544f526b9ac965eed471.exe	30
PID 2328 wrote to memory of 1660	2328	JaffaCakes118_093b7e95d3d1c10b0289246bd79d9c9c4ac0012d4b19544f526b9ac965eed471.exe	30
PID 2328 wrote to memory of 1660	2328	JaffaCakes118_093b7e95d3d1c10b0289246bd79d9c9c4ac0012d4b19544f526b9ac965eed471.exe	30
PID 1660 wrote to memory of 2428	1660	WScript.exe	31
PID 1660 wrote to memory of 2428	1660	WScript.exe	31
PID 1660 wrote to memory of 2428	1660	WScript.exe	31
PID 1660 wrote to memory of 2428	1660	WScript.exe	31
PID 2428 wrote to memory of 2060	2428	cmd.exe	33
PID 2428 wrote to memory of 2060	2428	cmd.exe	33
PID 2428 wrote to memory of 2060	2428	cmd.exe	33
PID 2428 wrote to memory of 2060	2428	cmd.exe	33
PID 2060 wrote to memory of 688	2060	DllCommonsvc.exe	44
PID 2060 wrote to memory of 688	2060	DllCommonsvc.exe	44
PID 2060 wrote to memory of 688	2060	DllCommonsvc.exe	44
PID 2060 wrote to memory of 1588	2060	DllCommonsvc.exe	45
PID 2060 wrote to memory of 1588	2060	DllCommonsvc.exe	45
PID 2060 wrote to memory of 1588	2060	DllCommonsvc.exe	45
PID 2060 wrote to memory of 2776	2060	DllCommonsvc.exe	46
PID 2060 wrote to memory of 2776	2060	DllCommonsvc.exe	46
PID 2060 wrote to memory of 2776	2060	DllCommonsvc.exe	46
PID 2060 wrote to memory of 1288	2060	DllCommonsvc.exe	48
PID 2060 wrote to memory of 1288	2060	DllCommonsvc.exe	48
PID 2060 wrote to memory of 1288	2060	DllCommonsvc.exe	48
PID 2060 wrote to memory of 2788	2060	DllCommonsvc.exe	52
PID 2060 wrote to memory of 2788	2060	DllCommonsvc.exe	52
PID 2060 wrote to memory of 2788	2060	DllCommonsvc.exe	52
PID 2788 wrote to memory of 624	2788	explorer.exe	54
PID 2788 wrote to memory of 624	2788	explorer.exe	54
PID 2788 wrote to memory of 624	2788	explorer.exe	54
PID 624 wrote to memory of 332	624	cmd.exe	56
PID 624 wrote to memory of 332	624	cmd.exe	56
PID 624 wrote to memory of 332	624	cmd.exe	56
PID 624 wrote to memory of 1572	624	cmd.exe	57
PID 624 wrote to memory of 1572	624	cmd.exe	57
PID 624 wrote to memory of 1572	624	cmd.exe	57
PID 1572 wrote to memory of 2620	1572	explorer.exe	58
PID 1572 wrote to memory of 2620	1572	explorer.exe	58
PID 1572 wrote to memory of 2620	1572	explorer.exe	58
PID 2620 wrote to memory of 2808	2620	cmd.exe	60
PID 2620 wrote to memory of 2808	2620	cmd.exe	60
PID 2620 wrote to memory of 2808	2620	cmd.exe	60
PID 2620 wrote to memory of 1028	2620	cmd.exe	61
PID 2620 wrote to memory of 1028	2620	cmd.exe	61
PID 2620 wrote to memory of 1028	2620	cmd.exe	61
PID 1028 wrote to memory of 2064	1028	explorer.exe	62
PID 1028 wrote to memory of 2064	1028	explorer.exe	62
PID 1028 wrote to memory of 2064	1028	explorer.exe	62
PID 2064 wrote to memory of 1224	2064	cmd.exe	64
PID 2064 wrote to memory of 1224	2064	cmd.exe	64
PID 2064 wrote to memory of 1224	2064	cmd.exe	64
PID 2064 wrote to memory of 2236	2064	cmd.exe	65
PID 2064 wrote to memory of 2236	2064	cmd.exe	65
PID 2064 wrote to memory of 2236	2064	cmd.exe	65
PID 2236 wrote to memory of 2172	2236	explorer.exe	66
PID 2236 wrote to memory of 2172	2236	explorer.exe	66
PID 2236 wrote to memory of 2172	2236	explorer.exe	66
PID 2172 wrote to memory of 1976	2172	cmd.exe	68
PID 2172 wrote to memory of 1976	2172	cmd.exe	68
PID 2172 wrote to memory of 1976	2172	cmd.exe	68
PID 2172 wrote to memory of 2904	2172	cmd.exe	69
PID 2172 wrote to memory of 2904	2172	cmd.exe	69
PID 2172 wrote to memory of 2904	2172	cmd.exe	69
PID 2904 wrote to memory of 2648	2904	explorer.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_093b7e95d3d1c10b0289246bd79d9c9c4ac0012d4b19544f526b9ac965eed471.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_093b7e95d3d1c10b0289246bd79d9c9c4ac0012d4b19544f526b9ac965eed471.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppCompat\Programs\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
    - - C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HEz7ZQMTyX.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:332
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0ZxjVk2zv8.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2808
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1224
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1976
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat"
        14⤵
        
        PID:2648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2832
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EH4KCibIlQ.bat"
        16⤵
        
        PID:1948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2432
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0tZmJrpaGF.bat"
        18⤵
        
        PID:108
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1276
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kz6bOuYaab.bat"
        20⤵
        
        PID:1552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1652
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WOs9W2tFAs.bat"
        22⤵
        
        PID:2404
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1372
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vbXk1H8t4K.bat"
        24⤵
        
        PID:1928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\AppCompat\Programs\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\AppCompat\Programs\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc3c14e05e42f969dda3524bb1ec67d9

SHA1
0d294e2ba86fd1089b088934a01e248facb0c89f

SHA256
82763aec1c2f1c1df552072386e199ce9a75a3b47e1aa3a7051b1cfc63e1a570

SHA512
455d1886e7a39c6e604ab1a17fbf24de14b9d42119d62adf182a66b9825376dec7ba8a9dc8ee6678b81d38374b02fd97ef41a82fc6a43119a8c92619f59386a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
684c71d3267f9514880d00c1621d125b

SHA1
641b0944c2dc0f18094559601357a965e9b1cda5

SHA256
f76250b19d0a7d77bde6a7fa185ed00a0c126bbf305ab5194bf501e5ee1b0cb8

SHA512
0e8ecf606c947fbd1586cf12136f5474a415dd8ee95e5ca22f2bbc4b89769ecd73a2937913e4364f654f17da614222a342640282c97a4a2bab6ef73569057b25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4eb610fff263758f17378f098a94a84e

SHA1
4fedfe08fe9d8aec3222f65e0a3fb63d4ac5b564

SHA256
90a663053f5e1df6f2b9159f79ec9d98ad770ae1555539b9f40408a905e1f267

SHA512
8c51155a1b88828e3dec49ccd9871b47a9b17d6a5c845162ded2e20296d2553c9722fa881eb4b13a4517362036c510a92608e00289952de5ad2dba7b520966a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ecec98d95b1899af36b5ba9d43e1500

SHA1
6e915f76c50c200e6e76d3e11742629b9c04a8c8

SHA256
50cbd6d959c169a291dc719bcc5de574850b15c3c2dc38dd9a0d30404344191b

SHA512
a4d6acdb5a3daf94e73011be29d5117cbff5e2e0dada0d796bd875e126e2c486562442047ab878bdccc132095822eaffc43885757c9d0a1c5f4b92ef4d2c3799

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
70bfb32632089eebd51bfa97912b975d

SHA1
27f908bc249bd2268e1588c48cc0f11f1622f264

SHA256
f721c5e45f403cee7abacbfd586e1ebe347018ce74e16f1e9a11a56f4a4dc877

SHA512
06fa23f31f9462b3c572f80b4c5ce306ccab153094b3cd82704db5f474ed09447a82866d25a6f2510e777088210f7ef01ad3ca6ea15edd7970e2679ad0d76fda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0c2d6f90e74b7e15b5c25af812e3c0d

SHA1
c12861e82425111bbab9a1f23edd2a3b7ca56a08

SHA256
51f7097d774abe630ad4001f144f99bfc9c36510e3edb4781f688c1d262d2196

SHA512
7c70b41cb1fc3f84c23026bf910b530dbe01b0e5e49c36f1b7fbab0e62ff62bc71c07c0dd20dcd8f3b24453aa60b81111afff62e52b297de220554967d41cace

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cbe17955c0ba945b02c418096c282de

SHA1
a8e8af66cdfbf3e0d94064f3a23dc73c10bc2a0b

SHA256
ea559f0e7c06fb24dc87e1fd3105cc546f18c62c716d014b1f0dbbe968d5bc30

SHA512
61f1a05f6d6296e81c320cfe3883fadbbd540cf800ce6d3f4f40f50b7dbfe21bb600f5dd45077dc59ccd7ae1d370871c34405b30d6a646a6ec0d5ddeabe1b144

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ecedaa63eb4c8f2f87556b9c77701afa

SHA1
054488d08b1efc2917da2536c6d5c137dd9720a9

SHA256
e2444c8331a02a9199884b3a1f9b9a03e0e48793ba2e4a8cdc8c3103c9c1332b

SHA512
9dee34bb9bb804b32f3bb0444144a2f33e78fff0691f5751c7a944f388d290cfa57c6c8ba7bdb176474d45653dceff0e30534b12b8b20ed338bbf34e46b795eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95d79c6edc5221df9629c64c66f24047

SHA1
ad49b9f6cff63b20687417f0f802872e9e38b6e9

SHA256
2ad60f8b4c627d5264eef3afff345d5a6485ddb972fcb538286dfb4fbf38c1a3

SHA512
66f1a1f8b02d427111ed60a1a4a0a13bedae3cb0a8a7f6a074821cf73e33e05a6d813f1117c97f79efa12747695b109f10d0fdcd30cc3eae2770aea07a6850cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ZxjVk2zv8.bat

Filesize
226B

MD5
5271a185662faae4c94eef89874000db

SHA1
7a8fc5a926f3c7eb12c65e8b0ebb51cae109aa1c

SHA256
ac65bb0d34b8c5a39858e119adabbd41718f7035cb0be690206ddf5e63d7a188

SHA512
ad65e172493fa657de7adea23b93c660b421a0f01ca8b9c2037d91b8cb310057a966841d896c0f0c78d078831313b8c935305d5bede3fc83f58f8a5bbef16c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\0tZmJrpaGF.bat

Filesize
226B

MD5
b8442bec13ae75773c6fa0383142ab84

SHA1
53062a133b070a9d1d6e1c7ed0b5812970754504

SHA256
61f109218047f2a46875708c6737054306f3fb7a9d92d74fad883cdb671ac078

SHA512
6ce6611491230a45f357fb4425997c1a7849e5e92cc0f6dab28bed609f98c6a3c71b92c11c9ee2fd13e8574010bdb718f0422416d710f7471704472787b34146

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE571.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EH4KCibIlQ.bat

Filesize
226B

MD5
2d01f562fb0b42cb0b0ff90d2aa573d5

SHA1
36f84bb00fb60422e2f75ca367a624500e5c03f5

SHA256
2634ff0d46d80d29dc20136d2fc63c21106f1ec29bb287adc042b200f76424ea

SHA512
814f861815f53023b346f677363606394dd33d9139c7b06fa9267408b05067ea0faf9217b5738b36a04253ed5417a505a7befa4107d2ffa784f48248aeaf9e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEz7ZQMTyX.bat

Filesize
226B

MD5
24bfc44d39e56571fbd4287086624500

SHA1
48bec62cb51556e9ade94646a5900bcdad94c388

SHA256
b0141f325703e3ed44102c3a43202474ba46ae7880b51c6caed8098819cddead

SHA512
bbb5419bac006dc5333de3445c358cd19d2e8aab9835841eef22aa2075e7ae6b78eeea8bfb4a77f26a1cbc033f1c6b4d00197dba8a4de9d15d7d317ce7d4ab22

Download Submit
C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat

Filesize
226B

MD5
b44b749037de76b05a5bb59e994b52c5

SHA1
7a9ad62beea6abf4dd66cdacf1277ca62beba139

SHA256
0ae905e1210d48a42d74994c9c3adfe22dd351529158fa3a46934ede382b4e87

SHA512
eb5bc954180ebdd708042cc28b1a1838ddfa0369b8c320389fca5a68d2a1638043b6fdaddf7e57c158de0f8252ffa1bba8c1d1b10371379eef042c39f62d3589

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kz6bOuYaab.bat

Filesize
226B

MD5
39d0440fd77476487fcefc1bf94cc833

SHA1
e407403f56c10a3ac388ec5f139914655ea7998c

SHA256
38c39b2b1c33646a3c94bb3ccafebdedc7c10f18dc16657c3f25bc3b4b9bc846

SHA512
02fe4c1de0ab066c2253e2895b4d7e8d2496a90a46fab64a63dba27cdcd12ad9de5576d7ecd4be09d3c77ea9170381cb09b0c96a05cbd4beb11848ca0f56a76d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat

Filesize
226B

MD5
7c8901ab3051c0e90fdda40b400f04d0

SHA1
ecf2132aedc2ff04a102bbe6b47de35f3b194311

SHA256
ebd904c80f059da36e7c4ca1c9baf88037a83ac7cb19a0dd83fd6a416bdb8958

SHA512
aa7ff555e2cbd155aa62183068d3a6d4625f0bd0fc37e1c87a902dea958340266ec23fb4495d580682eb276e65dcc431a5ce327165ee7b2b42d9a1fa34b3baa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE584.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WOs9W2tFAs.bat

Filesize
226B

MD5
8b53c86a90ee6e00db39b6ff874f7629

SHA1
56ae881f41d89a8dd466c82967de7f3a34aaedd8

SHA256
39a2d83355d17e9c6719de1b467b2accb4175652cc0e02679673fb25ae91458b

SHA512
fa8bad3be651701a8f95e568c4a657372cd75cdea6649373789efd0452f3c83be66837a9efd761555ef08fa036a3375f134789358ca28ab0421aec3ff937ce4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat

Filesize
226B

MD5
6f4d9f0ba39d912b4df2354d22c5330d

SHA1
81c9cfb9e1a47ca3c9c223ef432dda986f3eaa52

SHA256
8a7975273940443827785e9cf3733a0d2a79ea18baf376188dfeeee04d11cc12

SHA512
fcef8f194b2f86d4bdefe2c4362f07f345b62b0d61a6c78fd0e25f01a9018e16ff3a31770f672b6590a95864ff962637f70b72b9698aa95dbceb73b79f03b462

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbXk1H8t4K.bat

Filesize
226B

MD5
3128cc3c81e00e0d2d691b67f9a1d8d8

SHA1
0056dfdfa76c621a8d5221fa408f4366c2fb07bf

SHA256
fab991c38500bf6ee6e41ec3ebf5af6461201c86c622097afe147a7532774606

SHA512
8297a820496388f2de11bb0d9a5357ee0ebfe83c6cd7ede5145773c9971d38a8a462eabcaacfd984fa82d0b44eb1b0fb393aa65ce022e11175a924b5c33ecf84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\COI5W1B6CSZQZXZNYN5Q.temp

Filesize
7KB

MD5
8a8312484dc402474fe9fa7bca7570aa

SHA1
3b3df5eea5d06c78fd141d194dcf4a5b4feffd22

SHA256
1d57b93963038c1ed93b06e837d4cdd883e5dec119fbee86dec556bdf8e4378c

SHA512
a0ed6d80283ee1c5cea10ff61756376b5c50b755b516ac53df506f1d44045830ed2ca96b471fb85b0cdd859d9716545c0ce47018b8b9993806ddc6f8ca59d952

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1028-167-0x0000000000CA0000-0x0000000000DB0000-memory.dmp

Filesize
1.1MB

Download
memory/1288-42-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/1288-48-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/1572-107-0x00000000001C0000-0x00000000002D0000-memory.dmp

Filesize
1.1MB

Download
memory/1588-465-0x00000000000A0000-0x00000000001B0000-memory.dmp

Filesize
1.1MB

Download
memory/1912-525-0x0000000000960000-0x0000000000A70000-memory.dmp

Filesize
1.1MB

Download
memory/2060-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2060-15-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2060-13-0x00000000012F0000-0x0000000001400000-memory.dmp

Filesize
1.1MB

Download
memory/2060-16-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/2060-17-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2236-227-0x0000000000010000-0x0000000000120000-memory.dmp

Filesize
1.1MB

Download
memory/2580-585-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/2788-37-0x0000000000200000-0x0000000000310000-memory.dmp

Filesize
1.1MB

Download
memory/2904-287-0x0000000001300000-0x0000000001410000-memory.dmp

Filesize
1.1MB

Download