dcrat | 98fee6c166e71fb6de4fbef094baa018708695ca095c16733fc091236c130b52

Analysis

max time kernel
141s
max time network
137s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_98fee6c166e71fb6de4fbef094baa018708695ca095c16733fc091236c130b52.exe
Size

1.3MB
MD5

273453c8e0730de00ebe1234e8bfcf84
SHA1

aa3d730a9fe36cfcdfdcb27029ba1a408580a6bc
SHA256

98fee6c166e71fb6de4fbef094baa018708695ca095c16733fc091236c130b52
SHA512

8b798c1f41d9e91d459cdf122b75ae87cd292ee9d2205cc8ae4d6d3ee006bb7c7308902afeb478219298544d2199393b064d0169a743a87c09795c67d780b306
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	3016	schtasks.exe	34

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d31-12.dat	dcrat
behavioral1/memory/2936-13-0x0000000000CA0000-0x0000000000DB0000-memory.dmp	dcrat
behavioral1/memory/336-30-0x0000000000D50000-0x0000000000E60000-memory.dmp	dcrat
behavioral1/memory/2024-108-0x0000000001070000-0x0000000001180000-memory.dmp	dcrat
behavioral1/memory/2836-288-0x00000000001E0000-0x00000000002F0000-memory.dmp	dcrat
behavioral1/memory/2280-349-0x00000000010A0000-0x00000000011B0000-memory.dmp	dcrat
behavioral1/memory/2148-409-0x0000000000120000-0x0000000000230000-memory.dmp	dcrat
behavioral1/memory/1212-469-0x0000000000900000-0x0000000000A10000-memory.dmp	dcrat
behavioral1/memory/1584-529-0x0000000000230000-0x0000000000340000-memory.dmp	dcrat
behavioral1/memory/1968-589-0x0000000000880000-0x0000000000990000-memory.dmp	dcrat
behavioral1/memory/1824-650-0x0000000000A30000-0x0000000000B40000-memory.dmp	dcrat
behavioral1/memory/1516-710-0x00000000003B0000-0x00000000004C0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2412	powershell.exe
768	powershell.exe
840	powershell.exe
568	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2936	DllCommonsvc.exe
336	dwm.exe
2024	dwm.exe
2168	dwm.exe
1744	dwm.exe
2836	dwm.exe
2280	dwm.exe
2148	dwm.exe
1212	dwm.exe
1584	dwm.exe
1968	dwm.exe
1824	dwm.exe
1516	dwm.exe

Loads dropped DLL 2 IoCs

pid	Process
3004	cmd.exe
3004	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
36	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
29	raw.githubusercontent.com
33	raw.githubusercontent.com
40	raw.githubusercontent.com
5	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\CrashReports\Idle.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\CrashReports\6ccacd8608530f	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_98fee6c166e71fb6de4fbef094baa018708695ca095c16733fc091236c130b52.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2708	schtasks.exe
2760	schtasks.exe
2592	schtasks.exe
2876	schtasks.exe
2624	schtasks.exe
2180	schtasks.exe
2568	schtasks.exe
2152	schtasks.exe
2620	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2936	DllCommonsvc.exe
2936	DllCommonsvc.exe
2936	DllCommonsvc.exe
568	powershell.exe
2412	powershell.exe
768	powershell.exe
840	powershell.exe
336	dwm.exe
2024	dwm.exe
2168	dwm.exe
1744	dwm.exe
2836	dwm.exe
2280	dwm.exe
2148	dwm.exe
1212	dwm.exe
1584	dwm.exe
1968	dwm.exe
1824	dwm.exe
1516	dwm.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	DllCommonsvc.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	336	dwm.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	2024	dwm.exe
Token: SeDebugPrivilege	2168	dwm.exe
Token: SeDebugPrivilege	1744	dwm.exe
Token: SeDebugPrivilege	2836	dwm.exe
Token: SeDebugPrivilege	2280	dwm.exe
Token: SeDebugPrivilege	2148	dwm.exe
Token: SeDebugPrivilege	1212	dwm.exe
Token: SeDebugPrivilege	1584	dwm.exe
Token: SeDebugPrivilege	1968	dwm.exe
Token: SeDebugPrivilege	1824	dwm.exe
Token: SeDebugPrivilege	1516	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2236	2672	JaffaCakes118_98fee6c166e71fb6de4fbef094baa018708695ca095c16733fc091236c130b52.exe	30
PID 2672 wrote to memory of 2236	2672	JaffaCakes118_98fee6c166e71fb6de4fbef094baa018708695ca095c16733fc091236c130b52.exe	30
PID 2672 wrote to memory of 2236	2672	JaffaCakes118_98fee6c166e71fb6de4fbef094baa018708695ca095c16733fc091236c130b52.exe	30
PID 2672 wrote to memory of 2236	2672	JaffaCakes118_98fee6c166e71fb6de4fbef094baa018708695ca095c16733fc091236c130b52.exe	30
PID 2236 wrote to memory of 3004	2236	WScript.exe	31
PID 2236 wrote to memory of 3004	2236	WScript.exe	31
PID 2236 wrote to memory of 3004	2236	WScript.exe	31
PID 2236 wrote to memory of 3004	2236	WScript.exe	31
PID 3004 wrote to memory of 2936	3004	cmd.exe	33
PID 3004 wrote to memory of 2936	3004	cmd.exe	33
PID 3004 wrote to memory of 2936	3004	cmd.exe	33
PID 3004 wrote to memory of 2936	3004	cmd.exe	33
PID 2936 wrote to memory of 2412	2936	DllCommonsvc.exe	44
PID 2936 wrote to memory of 2412	2936	DllCommonsvc.exe	44
PID 2936 wrote to memory of 2412	2936	DllCommonsvc.exe	44
PID 2936 wrote to memory of 768	2936	DllCommonsvc.exe	45
PID 2936 wrote to memory of 768	2936	DllCommonsvc.exe	45
PID 2936 wrote to memory of 768	2936	DllCommonsvc.exe	45
PID 2936 wrote to memory of 568	2936	DllCommonsvc.exe	46
PID 2936 wrote to memory of 568	2936	DllCommonsvc.exe	46
PID 2936 wrote to memory of 568	2936	DllCommonsvc.exe	46
PID 2936 wrote to memory of 840	2936	DllCommonsvc.exe	47
PID 2936 wrote to memory of 840	2936	DllCommonsvc.exe	47
PID 2936 wrote to memory of 840	2936	DllCommonsvc.exe	47
PID 2936 wrote to memory of 336	2936	DllCommonsvc.exe	52
PID 2936 wrote to memory of 336	2936	DllCommonsvc.exe	52
PID 2936 wrote to memory of 336	2936	DllCommonsvc.exe	52
PID 336 wrote to memory of 1584	336	dwm.exe	54
PID 336 wrote to memory of 1584	336	dwm.exe	54
PID 336 wrote to memory of 1584	336	dwm.exe	54
PID 1584 wrote to memory of 3040	1584	cmd.exe	56
PID 1584 wrote to memory of 3040	1584	cmd.exe	56
PID 1584 wrote to memory of 3040	1584	cmd.exe	56
PID 1584 wrote to memory of 2024	1584	cmd.exe	57
PID 1584 wrote to memory of 2024	1584	cmd.exe	57
PID 1584 wrote to memory of 2024	1584	cmd.exe	57
PID 2024 wrote to memory of 2736	2024	dwm.exe	58
PID 2024 wrote to memory of 2736	2024	dwm.exe	58
PID 2024 wrote to memory of 2736	2024	dwm.exe	58
PID 2736 wrote to memory of 2764	2736	cmd.exe	60
PID 2736 wrote to memory of 2764	2736	cmd.exe	60
PID 2736 wrote to memory of 2764	2736	cmd.exe	60
PID 2736 wrote to memory of 2168	2736	cmd.exe	61
PID 2736 wrote to memory of 2168	2736	cmd.exe	61
PID 2736 wrote to memory of 2168	2736	cmd.exe	61
PID 2168 wrote to memory of 1548	2168	dwm.exe	62
PID 2168 wrote to memory of 1548	2168	dwm.exe	62
PID 2168 wrote to memory of 1548	2168	dwm.exe	62
PID 1548 wrote to memory of 2216	1548	cmd.exe	64
PID 1548 wrote to memory of 2216	1548	cmd.exe	64
PID 1548 wrote to memory of 2216	1548	cmd.exe	64
PID 1548 wrote to memory of 1744	1548	cmd.exe	65
PID 1548 wrote to memory of 1744	1548	cmd.exe	65
PID 1548 wrote to memory of 1744	1548	cmd.exe	65
PID 1744 wrote to memory of 916	1744	dwm.exe	66
PID 1744 wrote to memory of 916	1744	dwm.exe	66
PID 1744 wrote to memory of 916	1744	dwm.exe	66
PID 916 wrote to memory of 2680	916	cmd.exe	68
PID 916 wrote to memory of 2680	916	cmd.exe	68
PID 916 wrote to memory of 2680	916	cmd.exe	68
PID 916 wrote to memory of 2836	916	cmd.exe	69
PID 916 wrote to memory of 2836	916	cmd.exe	69
PID 916 wrote to memory of 2836	916	cmd.exe	69
PID 2836 wrote to memory of 2264	2836	dwm.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98fee6c166e71fb6de4fbef094baa018708695ca095c16733fc091236c130b52.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98fee6c166e71fb6de4fbef094baa018708695ca095c16733fc091236c130b52.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
    - - C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:336
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z7AIE64VZ5.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3040
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2764
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2216
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2680
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z4XVup0LT1.bat"
        14⤵
        
        PID:2264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2908
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o0FbW2pZd9.bat"
        16⤵
        
        PID:2180
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2872
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y23Kn3rQqK.bat"
        18⤵
        
        PID:2032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1836
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M2NHsv551y.bat"
        20⤵
        
        PID:2112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1180
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat"
        22⤵
        
        PID:1260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1888
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat"
        24⤵
        
        PID:948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2492
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat"
        26⤵
        
        PID:1788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1784
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\CrashReports\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\CrashReports\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19e6b4862c54b3a2bafc9b8750bf2b4e

SHA1
a54cacbb24f351f300bbbe77ccb0369fcf2abe51

SHA256
f770bf11bfbb8f9c44539b3d215262acb12be8172fc859b1bcd88896d0c211b0

SHA512
3fe4176ed808cfae78899aeb04a2e382baae53f1ab60e0efea8701f98a1967f8878e904e731853a36f8e95e037c9618fff53fdd5c2341260226ce82c1f86391d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1c8c808fe4650e432c1b8912d18ad8a

SHA1
b37171ffe0f003c171e4177eccd842e2909cda0f

SHA256
9517b0fac1675ff1511defbb9460ac6dc3f9a48cfd044783ea1b87b0070889e5

SHA512
3d0e6d2c6fca0e90de3053946f5c20e580919f44b0029b1701f9570ec704c4b171ae5be6fcb29de63b1d857327902c5ee82f755e93021ec162decaf2602b5735

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76f741d4e1c272bcfb5d7fef099b0995

SHA1
e2dd306bd1c9cfab4c4daa2567ce4699fb967dd1

SHA256
f6ab37e4d5f38f651dd2236d030da84d7cf3535e8eb35e119a5103a2b987e8f6

SHA512
e689b17bbbbd51f45680fc379cb7adc66e7b25a3527bcd8f2b69e2fc4b1c7f00697e4f00a8d75996bd2120c2e3000b3ba9159976115ca20e889052fbd0974f62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5597c7d3a3b9e95d5f5d885abe6906b1

SHA1
cbe19d6eca67730e79e58a2691debc37c8d6af29

SHA256
9033d50826c82dd6c6e7d9305393e3df7c7cf1a22e85c797acfba1710aa15d22

SHA512
22715011fef33bbdb15911968daed2f076710fcabdfc9a4ca9760a4249905166040be9549eebf59a9f86eb0b76cecff35167a57f7593bcde0d808dcad894ee83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb67b2dca228517e3f6890cfb7f4c430

SHA1
7f4f58429457f7d3c8ba7349d3612aec2b38b3be

SHA256
aa627ca030dc48dc48c58b06ddb1a5aba17063795374796dc8cbda8c65540884

SHA512
b522b8882584cf006b5434aaeffb8f1cdbac9e7668ba47ac88e4bb9d6bf930d7977e2eda33a84d3e22ede15e30b4359dda092f81e7acf24ebe5bd20b8087ad9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9010c2a7cfc79a46487bbb32d3de75b6

SHA1
2ce4dff061a3d40098dc25674a541d1b58eb4582

SHA256
68cd2d4c550047b4b8c0eb41d174d2ffc85ae16b37e05c5c56f3bebf6c307092

SHA512
afd16bae1ec02947c5da88788454028df85cb98c440e59894d7cd5987597f4bab693cda829110677e845aac31f993771f409bcfc059343fa2e661b2ba55fd91f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15612afeacf20a8d3f18bd574270e497

SHA1
b51fe90ef276a79abd7b705c5c78010d899afd40

SHA256
bd0ca7152188307b49ba104b802cf3dd2204b23db117ee731f72ec0a724e6140

SHA512
9e9a93315f7357ab456afe41e35dac9403f2716f761a27b0ac3727900e691694211de1bee54a1f48ef76344193f9376f9f2806b55c6d5004a6d8e0ac55d2ee29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6a265d2d04530da7a5bd991fdc47938

SHA1
a4bbf24b47281dc11846a540a48e3eb215f40912

SHA256
0b333e21e293922082b5b81ac8706f66b92b018b7213ecfed9c9593134bb7713

SHA512
090b75b0f65070a97adad6d9ad31109a66b552d3fe85c72735bd0ba698d222ac51a196fb26225455b5fbbd932687f50440040b3ad71674b8d94514bc4c1b20b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2551f78bf6817ac0c5aa6eb9fed14187

SHA1
e3f178aa3f646e1929d4e3762d34fc8aa0204183

SHA256
8bd21496f5ed12bac3a01d55ee22a13d5c9fa7270c19d1a611cc5736751ea323

SHA512
3a02e73eba284579d9e521518882622642ea803c022aa4cba310a891d9f07d6c3b5cac039a4d7969b61bc2741ce3ac026cbf35364b41b1598bdb688d650dd49b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d7d6c1bac6d6f5d6d0f54c7567ab865

SHA1
073c5012b3c62770dfb718bc1de3fb4a0d0f4bc1

SHA256
beca7d8033fbaa993c9a0126fe03e18ad17cf06a27219304aa91dd45839cf483

SHA512
9c679c8afc42b1579417f490d6916f809117e2cb0a567f48f7b3aac493b73699fc4ef36e10b746cecca8b7d1e42d93725cb42e7f63067572459e7f8b07d0c969

Download Submit
C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat

Filesize
221B

MD5
d49b1ddaad5c71d3a1b3b1b2c7f04d9e

SHA1
1ffbd6a1cbeb4d2f6aff623dbedd9ee5ab5e240e

SHA256
4bc8e052639246ec0e12e1ef122c0aaaf5f7cc4558176faed87d8837d30aac64

SHA512
74b81478047355d9c2d1219c78ce6c042836bbd9b6d1e950eca577fcc057991660a01e2905961a86d74ee5c1e6685af3e06978aca12d02430b6360ea7ce89bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD589.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\M2NHsv551y.bat

Filesize
221B

MD5
19a0579bab78e67081cb19c10b133279

SHA1
4e1f1b90693aefb67ab4bfd7fe992b08809910a0

SHA256
bb497612364881e7b634e73009f4ab05e9901b1d22a01de66cfae32236899440

SHA512
34cf659a039e2ec2ce62cc34d008106d182f9a8bb31de7c104d41f6e18ea395b96b50ee316d6f54b8d25ee601ccb4280470901709c7ce247393f1c0480fbcb6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD5AC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat

Filesize
221B

MD5
8edb46cf4c716b2965a25e9f21a10ef7

SHA1
c6e9fe17c94ff5e41c6d5267ab72e672e86de769

SHA256
25132e0919fdab475a3e758433cb695bffff0ff51ec07802011ecec5f7eea9e6

SHA512
afea9d380a27e2266bf3dc17006029e0a1fd68b0346f69c588fa0a7dd36243a869a3373bf702c0d749cf40a259aea43030b961b7b19947bac9268e36598a50eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y23Kn3rQqK.bat

Filesize
221B

MD5
e615d74d9b3d9501354dab74f1343f4b

SHA1
69b73a0f54fd9969f55acd4d9589a2f283ae12c9

SHA256
573682adbb36e1f9c8af8fb72a595c1134d6485f699259143fb52756886afb5e

SHA512
6030a43a7bdb8fe00b4f6142cdbfc48e8c5efaa463c8d6c539527c4188f8579e869b3e628eb6a7c79316eec41eedc89be67cf8da13b59a87efdbd8c3b298ef02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z4XVup0LT1.bat

Filesize
221B

MD5
cb01465024d18304f119ff8c554ad101

SHA1
0579566dbbdfea22362d3afb0ddb652c6fcedcce

SHA256
9e96fb42832808e55c46f51ee808dbf35631f87df0b920084251177f1c6f1dc4

SHA512
898f9b5c4df3ae25f9593f58b5401e797dd08782685ccc7dd8d1eea1cb9a79552a0470d93756c04569814be714348d40477459fc158084432237ba1564add377

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat

Filesize
221B

MD5
c5e4fa00369ff1446626dd6217f5d5d8

SHA1
8b2a394337cc50498beb0928c68ff56fec590499

SHA256
a6d4d749ec1f4db9179539806928eb95ddd936b2cc2f8bca444998c7953f0057

SHA512
6e843f07d931ba3023b0d59b163c9a8f681e259c1ddde0eeefb5a7b5e754aeb3585fbc6f0984238b2f65fa9c176320115bb56097b6a36cd1980d260743c49e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat

Filesize
221B

MD5
cf54777145b6854cd2590e40f78cf589

SHA1
38cb36cd0ad988c277b175b0c51a9a7958bd0277

SHA256
372d65c87c493690f2a3dace1569062ace1eb4dbf2e7ee490ca8042394ae0460

SHA512
d212a18770adab2e3f481ec85fdc48d82ac622b43b064a88b9b736ea163ea787b35ce5ce8eb0d75cf9736d29f995f7437f9aede37a8fcc9c2988d2c9d18a7ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\o0FbW2pZd9.bat

Filesize
221B

MD5
7796290a5717d2a09ae9bc1ac16c9a72

SHA1
ed9d88729749443cb022f0f09f55d8ca17192cbf

SHA256
c839036cbf26e080303d2daacb16c02a8d57eec6fb8a2c685dc810101ab6c68e

SHA512
c6a74be744a14065f22ae9c9f586a27bfd8a2573272e55d78066175eb0480c466c349ae99a6764d1ed9c159d36713dea759721b984998032f3b6b41ea31fdd9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat

Filesize
221B

MD5
15ff2748314c4f0a6ae99e83042abe0a

SHA1
e52473a32a0c82765a9536e5737bd9bc081ac940

SHA256
94d0e97fa069cf3fee4cb98f3499942e18d052272934308d330780692666b309

SHA512
6fc63d7d8ad426730aeeb1ccc57c12ba8ac531f6d5ad8346ed44fc5678194ad8b4e698e888c56aed2b364423db5a5fa6cae101a5d7a454379490f77bcbd53e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat

Filesize
221B

MD5
c3ce73f30dbccb9f7425e312798cac50

SHA1
92559a876ff1a691f39e7a7619273a725022ba0e

SHA256
9567edc05c3fde9350fb90ea21afb7e56392fffce1805ac154a31b0a1b7b9233

SHA512
830ca7e7c2424e255f2060f6781378e6d72416267199ddef6634d946587fe33bd434970fb1c1ebe49fa7f66f70a993b53e23f064ad852e7eca5562663e803bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\z7AIE64VZ5.bat

Filesize
221B

MD5
1b544814dd26e0811e9d24d1ec9cfbd6

SHA1
b4e6a4a18d5bfd3728443843094f6378b0bc84aa

SHA256
c6d79d3888f2c85f83b5cce5746642825373a9cacadcc5c07de04ac3001b89e6

SHA512
9f80aae0519d25545b23932a7b1faf129ec62214b3d9925b3c9084600822ca9c0bda6cfe96afd80ae962926888152d91448f29302a0642803895ae6bb3a3b428

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2eeb6ac1d22d83786a1bcfff4b8c6b54

SHA1
1d820560640ddae6ddb1d486836880df7bf40a6e

SHA256
e205da36908ade1ed0e665747b922f803fe0ef10cbfef2db52280abb54bf7412

SHA512
71141396b2b04bb80ef87e76fb77049830e759e97a9f339ac3172e55042f3280366c89196e89ffed3f43e271b9b541f2042c652ff73311699b4d453db2a2b1fc

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/336-30-0x0000000000D50000-0x0000000000E60000-memory.dmp

Filesize
1.1MB

Download
memory/568-48-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/768-49-0x0000000002380000-0x0000000002388000-memory.dmp

Filesize
32KB

Download
memory/1212-469-0x0000000000900000-0x0000000000A10000-memory.dmp

Filesize
1.1MB

Download
memory/1516-710-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download
memory/1584-529-0x0000000000230000-0x0000000000340000-memory.dmp

Filesize
1.1MB

Download
memory/1824-650-0x0000000000A30000-0x0000000000B40000-memory.dmp

Filesize
1.1MB

Download
memory/1968-589-0x0000000000880000-0x0000000000990000-memory.dmp

Filesize
1.1MB

Download
memory/1968-590-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2024-108-0x0000000001070000-0x0000000001180000-memory.dmp

Filesize
1.1MB

Download
memory/2024-109-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2148-409-0x0000000000120000-0x0000000000230000-memory.dmp

Filesize
1.1MB

Download
memory/2168-169-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2280-349-0x00000000010A0000-0x00000000011B0000-memory.dmp

Filesize
1.1MB

Download
memory/2836-288-0x00000000001E0000-0x00000000002F0000-memory.dmp

Filesize
1.1MB

Download
memory/2836-289-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2936-16-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/2936-17-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/2936-13-0x0000000000CA0000-0x0000000000DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2936-15-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/2936-14-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download