dcrat | 5faed8a565ffd08e34be5415ba66d4279b154edcb8c4635ca3f1e11d4ee9b04b

Analysis

max time kernel
148s
max time network
144s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5faed8a565ffd08e34be5415ba66d4279b154edcb8c4635ca3f1e11d4ee9b04b.exe
Size

1.3MB
MD5

a2682b02abff1dcc96661f5c71213d13
SHA1

67f79ff964c47ef65d2a1a38e2169ecefa5473c8
SHA256

5faed8a565ffd08e34be5415ba66d4279b154edcb8c4635ca3f1e11d4ee9b04b
SHA512

57cf43f76fc3123dcc031727a26c99880613c73b4c09385f25f3a13d28067e223a1a291087fe7889d1a00a8b909a390f9d976479a605e1921ec029f2234e5e7d
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2836	schtasks.exe	35

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000186f1-9.dat	dcrat
behavioral1/memory/1020-13-0x0000000001180000-0x0000000001290000-memory.dmp	dcrat
behavioral1/memory/1276-38-0x0000000000B40000-0x0000000000C50000-memory.dmp	dcrat
behavioral1/memory/1772-104-0x0000000000EC0000-0x0000000000FD0000-memory.dmp	dcrat
behavioral1/memory/1648-164-0x0000000001300000-0x0000000001410000-memory.dmp	dcrat
behavioral1/memory/2848-402-0x0000000000040000-0x0000000000150000-memory.dmp	dcrat
behavioral1/memory/2476-462-0x00000000000E0000-0x00000000001F0000-memory.dmp	dcrat
behavioral1/memory/1044-522-0x0000000000AA0000-0x0000000000BB0000-memory.dmp	dcrat
behavioral1/memory/2800-582-0x0000000000FD0000-0x00000000010E0000-memory.dmp	dcrat
behavioral1/memory/1956-643-0x0000000001160000-0x0000000001270000-memory.dmp	dcrat
behavioral1/memory/608-703-0x0000000000290000-0x00000000003A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2756	powershell.exe
2724	powershell.exe
2748	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
1020	DllCommonsvc.exe
1276	lsm.exe
1772	lsm.exe
1648	lsm.exe
1980	lsm.exe
1992	lsm.exe
2512	lsm.exe
2848	lsm.exe
2476	lsm.exe
1044	lsm.exe
2800	lsm.exe
1956	lsm.exe
608	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
1664	cmd.exe
1664	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
18	raw.githubusercontent.com
32	raw.githubusercontent.com
39	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
21	raw.githubusercontent.com
25	raw.githubusercontent.com
28	raw.githubusercontent.com
35	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Uninstall Information\Idle.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\6ccacd8608530f	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5faed8a565ffd08e34be5415ba66d4279b154edcb8c4635ca3f1e11d4ee9b04b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2184	schtasks.exe
2948	schtasks.exe
2124	schtasks.exe
2848	schtasks.exe
2896	schtasks.exe
2696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1020	DllCommonsvc.exe
2724	powershell.exe
2748	powershell.exe
2756	powershell.exe
1276	lsm.exe
1772	lsm.exe
1648	lsm.exe
1980	lsm.exe
1992	lsm.exe
2512	lsm.exe
2848	lsm.exe
2476	lsm.exe
1044	lsm.exe
2800	lsm.exe
1956	lsm.exe
608	lsm.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1020	DllCommonsvc.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	1276	lsm.exe
Token: SeDebugPrivilege	1772	lsm.exe
Token: SeDebugPrivilege	1648	lsm.exe
Token: SeDebugPrivilege	1980	lsm.exe
Token: SeDebugPrivilege	1992	lsm.exe
Token: SeDebugPrivilege	2512	lsm.exe
Token: SeDebugPrivilege	2848	lsm.exe
Token: SeDebugPrivilege	2476	lsm.exe
Token: SeDebugPrivilege	1044	lsm.exe
Token: SeDebugPrivilege	2800	lsm.exe
Token: SeDebugPrivilege	1956	lsm.exe
Token: SeDebugPrivilege	608	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 2096	1624	JaffaCakes118_5faed8a565ffd08e34be5415ba66d4279b154edcb8c4635ca3f1e11d4ee9b04b.exe	30
PID 1624 wrote to memory of 2096	1624	JaffaCakes118_5faed8a565ffd08e34be5415ba66d4279b154edcb8c4635ca3f1e11d4ee9b04b.exe	30
PID 1624 wrote to memory of 2096	1624	JaffaCakes118_5faed8a565ffd08e34be5415ba66d4279b154edcb8c4635ca3f1e11d4ee9b04b.exe	30
PID 1624 wrote to memory of 2096	1624	JaffaCakes118_5faed8a565ffd08e34be5415ba66d4279b154edcb8c4635ca3f1e11d4ee9b04b.exe	30
PID 2096 wrote to memory of 1664	2096	WScript.exe	32
PID 2096 wrote to memory of 1664	2096	WScript.exe	32
PID 2096 wrote to memory of 1664	2096	WScript.exe	32
PID 2096 wrote to memory of 1664	2096	WScript.exe	32
PID 1664 wrote to memory of 1020	1664	cmd.exe	34
PID 1664 wrote to memory of 1020	1664	cmd.exe	34
PID 1664 wrote to memory of 1020	1664	cmd.exe	34
PID 1664 wrote to memory of 1020	1664	cmd.exe	34
PID 1020 wrote to memory of 2724	1020	DllCommonsvc.exe	42
PID 1020 wrote to memory of 2724	1020	DllCommonsvc.exe	42
PID 1020 wrote to memory of 2724	1020	DllCommonsvc.exe	42
PID 1020 wrote to memory of 2748	1020	DllCommonsvc.exe	43
PID 1020 wrote to memory of 2748	1020	DllCommonsvc.exe	43
PID 1020 wrote to memory of 2748	1020	DllCommonsvc.exe	43
PID 1020 wrote to memory of 2756	1020	DllCommonsvc.exe	44
PID 1020 wrote to memory of 2756	1020	DllCommonsvc.exe	44
PID 1020 wrote to memory of 2756	1020	DllCommonsvc.exe	44
PID 1020 wrote to memory of 1276	1020	DllCommonsvc.exe	48
PID 1020 wrote to memory of 1276	1020	DllCommonsvc.exe	48
PID 1020 wrote to memory of 1276	1020	DllCommonsvc.exe	48
PID 1276 wrote to memory of 1840	1276	lsm.exe	49
PID 1276 wrote to memory of 1840	1276	lsm.exe	49
PID 1276 wrote to memory of 1840	1276	lsm.exe	49
PID 1840 wrote to memory of 2328	1840	cmd.exe	51
PID 1840 wrote to memory of 2328	1840	cmd.exe	51
PID 1840 wrote to memory of 2328	1840	cmd.exe	51
PID 1840 wrote to memory of 1772	1840	cmd.exe	52
PID 1840 wrote to memory of 1772	1840	cmd.exe	52
PID 1840 wrote to memory of 1772	1840	cmd.exe	52
PID 1772 wrote to memory of 2128	1772	lsm.exe	53
PID 1772 wrote to memory of 2128	1772	lsm.exe	53
PID 1772 wrote to memory of 2128	1772	lsm.exe	53
PID 2128 wrote to memory of 2640	2128	cmd.exe	55
PID 2128 wrote to memory of 2640	2128	cmd.exe	55
PID 2128 wrote to memory of 2640	2128	cmd.exe	55
PID 2128 wrote to memory of 1648	2128	cmd.exe	56
PID 2128 wrote to memory of 1648	2128	cmd.exe	56
PID 2128 wrote to memory of 1648	2128	cmd.exe	56
PID 1648 wrote to memory of 3040	1648	lsm.exe	57
PID 1648 wrote to memory of 3040	1648	lsm.exe	57
PID 1648 wrote to memory of 3040	1648	lsm.exe	57
PID 3040 wrote to memory of 1900	3040	cmd.exe	59
PID 3040 wrote to memory of 1900	3040	cmd.exe	59
PID 3040 wrote to memory of 1900	3040	cmd.exe	59
PID 3040 wrote to memory of 1980	3040	cmd.exe	60
PID 3040 wrote to memory of 1980	3040	cmd.exe	60
PID 3040 wrote to memory of 1980	3040	cmd.exe	60
PID 1980 wrote to memory of 444	1980	lsm.exe	61
PID 1980 wrote to memory of 444	1980	lsm.exe	61
PID 1980 wrote to memory of 444	1980	lsm.exe	61
PID 444 wrote to memory of 2000	444	cmd.exe	63
PID 444 wrote to memory of 2000	444	cmd.exe	63
PID 444 wrote to memory of 2000	444	cmd.exe	63
PID 444 wrote to memory of 1992	444	cmd.exe	64
PID 444 wrote to memory of 1992	444	cmd.exe	64
PID 444 wrote to memory of 1992	444	cmd.exe	64
PID 1992 wrote to memory of 2228	1992	lsm.exe	65
PID 1992 wrote to memory of 2228	1992	lsm.exe	65
PID 1992 wrote to memory of 2228	1992	lsm.exe	65
PID 2228 wrote to memory of 1580	2228	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5faed8a565ffd08e34be5415ba66d4279b154edcb8c4635ca3f1e11d4ee9b04b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5faed8a565ffd08e34be5415ba66d4279b154edcb8c4635ca3f1e11d4ee9b04b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
    - - C:\Users\Public\Pictures\Sample Pictures\lsm.exe
        
        "C:\Users\Public\Pictures\Sample Pictures\lsm.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1276
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zlmto9DLwM.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2328
        
        C:\Users\Public\Pictures\Sample Pictures\lsm.exe
        
        "C:\Users\Public\Pictures\Sample Pictures\lsm.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2zdeBu3xOP.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2640
        
        C:\Users\Public\Pictures\Sample Pictures\lsm.exe
        
        "C:\Users\Public\Pictures\Sample Pictures\lsm.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1900
        
        C:\Users\Public\Pictures\Sample Pictures\lsm.exe
        
        "C:\Users\Public\Pictures\Sample Pictures\lsm.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2000
        
        C:\Users\Public\Pictures\Sample Pictures\lsm.exe
        
        "C:\Users\Public\Pictures\Sample Pictures\lsm.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H34YhpUhHp.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1580
        
        C:\Users\Public\Pictures\Sample Pictures\lsm.exe
        
        "C:\Users\Public\Pictures\Sample Pictures\lsm.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat"
        16⤵
        
        PID:3032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2036
        
        C:\Users\Public\Pictures\Sample Pictures\lsm.exe
        
        "C:\Users\Public\Pictures\Sample Pictures\lsm.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0rnbwo7iYS.bat"
        18⤵
        
        PID:2156
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2264
        
        C:\Users\Public\Pictures\Sample Pictures\lsm.exe
        
        "C:\Users\Public\Pictures\Sample Pictures\lsm.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I1IMKnnpZ2.bat"
        20⤵
        
        PID:2560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2472
        
        C:\Users\Public\Pictures\Sample Pictures\lsm.exe
        
        "C:\Users\Public\Pictures\Sample Pictures\lsm.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat"
        22⤵
        
        PID:2928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2152
        
        C:\Users\Public\Pictures\Sample Pictures\lsm.exe
        
        "C:\Users\Public\Pictures\Sample Pictures\lsm.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat"
        24⤵
        
        PID:2016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1620
        
        C:\Users\Public\Pictures\Sample Pictures\lsm.exe
        
        "C:\Users\Public\Pictures\Sample Pictures\lsm.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GKRF07RVHS.bat"
        26⤵
        
        PID:1220
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1788
        
        C:\Users\Public\Pictures\Sample Pictures\lsm.exe
        
        "C:\Users\Public\Pictures\Sample Pictures\lsm.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\Sample Pictures\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Sample Pictures\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8cb75e6b4de06a62aca980c59f2a0fe

SHA1
dcee91766354c4ccc4e33a625daad42e4171d6d4

SHA256
f2a98ad02e27a3ed86f2af892bb6cdb143c06f5abcfa9c4fdbb793d97ba2d1ad

SHA512
5dd40e220cadf9ecbd61b022c9c63279a9f3b087068902f9f25475b69ecbec6666555f30c54c682f6a9049e6d2beb438f6bca933e5dd85f939cdc945616cfbcc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f811a9af1e2ffc618ce9dfca55e449bb

SHA1
62275d0904feb17597d794acf2043af472f8198d

SHA256
a4c90fef61e7d36dea2ebbd17d9c948a1cbec9210d855351629a810696ea9200

SHA512
5a1ba914b8ef3483276f0451f89f3018609bb3ade3e28296574826afe66c077dba1276b7bf2bbd77bc69321a3856b9f76619a1e11f353cf0cef98075d208bc40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
63f27af645b647aebd0a050c453c551b

SHA1
c2240da0617a59f4fefacf5a11970c5f50988adb

SHA256
76113a265c71c4fdecbc1771ec79e076ecfa1eb93587f6019607ef6709bfa4c7

SHA512
b09f2f1c2ee758e2c52c86d166caf1709394fb1bef8881e284f54ec974553da9fa5db47eb4630601e51fe1d61f3928b9fec9599013812ee10635247949e9da20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c488f036ec8b3497d7e497f8b60f03b0

SHA1
4d43022b3c36306eb021d7a8ff43dc144c501fd3

SHA256
ac8c09ffcf6cac82ac97f90af64313f1ac8f764bd4cfcb0870d436ae04ce8f03

SHA512
21e922f35d62864f2a28c19260756b2aeab5b174d1c9136ab9d592d9b6cb1e886911c4e5c9f2c772b0ce6fb6bbc9e6d6df09ab575d0143803f0cad5da63f480b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01e5a79b659c1ea35eec449e0ec00893

SHA1
b9d8d2e57cbdea3f985a6a0d09e2838fa2786c67

SHA256
e84c40327486f8d47ea3f43e12337476cbc3f323f659e1d1ca5aabeed5da9967

SHA512
88cc4e02d2eec9f9f11d8da1e75c5508437300f4ad5da60e8ebe6195478682d96479405eff0e6e6b9fca840eb8a2e4d32e3988fbef438214c90c5bfc2a6402f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4aa39a52b218142b5e27f00e5abca345

SHA1
9b58b54da1865f476a0971b197aaf1cbf0c49a63

SHA256
04fc8ef83dd4e80657ae76d7da03a5dd04bffe5de4dd9fe791b23a05affd3d28

SHA512
82650cb449802c5266084890462108f700f81f2b1595cb3aa690a0933ea14557e4b559b6a7f14db39e781ccd776dbc48472431e7435a714c6b67c45ef31b2e98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cfcf00e0f7ced613ae36a658b1eabfaa

SHA1
61ddc7d91b871647e57bbf049b119db30d1e0360

SHA256
93004a640813d40dce2acde44a91273ac1d93423a408534ba88642d5daab44c0

SHA512
c04d7b7f17e0039b5ee828b0d2bc1927a4e457b38a69eb0c5d8d050c8a0d365b055459cf7e995bcb542601308250268959d236ab1a275b38f05d751c5f78c191

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb07caef3126864f314e5be315d79eb9

SHA1
48e29ba1b2cd19b6724c7463e51123d96079596d

SHA256
cac14c2d95c2753c40f159f4fa02b63fec9a2469ebc7668008f07cb794d09b4c

SHA512
5b87d86b9e0c0eb4ac688e8a9ba9380218f4771382c5f9b8a848d96811adebacf98fe0867eeffff80b0df8304c5557256120d631f161d87652167ed833a85345

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8bea463b325bd3b1ec35f3e93b92731

SHA1
0dfec24927e585f738b5d9d049c7e38f6a535d42

SHA256
b02dad5222f2c95e13e2819e8b323418f88e08a7edf8af1990e2337c8e85c6e8

SHA512
f0827ff5819d78648912beab5a6ce0e5a522a7f1bd74a98f869eebb893ab9e9c2729303347ae034b126d67854ecbfc89621031288a71d0208ad0f7ca42307063

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ebef1712bd5fb4f67c2d03a52015b3b3

SHA1
6cf0088a92a1bc9277366197b65e63cacefbd4c1

SHA256
b6d303b26fc60982c088f16ed39faac1b45d582572fc8dd023eb00a520b0340f

SHA512
b0ccd7b8718062c9c90679f3644f4c73fd12de989dae6b630a3e23036ed7589a90dba739e06f478c745b8ec0d737896cad9f1b74f7b2f44e3b79fb0ddd1a408c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0rnbwo7iYS.bat

Filesize
213B

MD5
ac339664d69ed2b1e409f440f11e7e7a

SHA1
bf826b5340fe0457a32d5d9c28e543498be0550b

SHA256
ef11c683ef559067beb9273465f3c2dca885c19c8e468ba4a990a498a39095df

SHA512
9364681fb70c13f88cc1136ed0c0a41531c38f9824d9c520dd45d8245c971b7b8bac5ecdd25cf224d690186e94325720b0b9abc8cef7415e43f389b874d037e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2zdeBu3xOP.bat

Filesize
213B

MD5
9c41bdb4a3c63c80fe9c20a875f19292

SHA1
bce8ef1e367add85809e193b579c36d2efe2bb02

SHA256
153efdb23773b3f0116e5d8260d2f26a58b56b9f6cc737517704cff899245940

SHA512
62737b19c8660f3a71102f7fb56318f99b50d97f5c316e6bcce93016f7c14d8ff5e0471c6e20941b4e25734dd80debc9e6fdef1a476a6c57fea3882e708ac180

Download Submit
C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat

Filesize
213B

MD5
a67349caad568b5f7dd2bc5fa19287c4

SHA1
4f7ff5ab98d6f4c48502f8d1a2828e87dfc6cec7

SHA256
c2057a59094507326598d16e81c8a4c656b4027cf44fb517981b0196b891c56b

SHA512
821e318d00a6f3bce9e1ce341e7fdcfdb799e9637076b41ba6ec0fef2275674fd1f384a8d4a4a0c64c7ae74d8d65025fc4daa431cd97e53edeb027257349f8c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEBC8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GKRF07RVHS.bat

Filesize
213B

MD5
99b490783e7f94e620dc5062f4cc096d

SHA1
852287276e16503d34fb89110bfa23f2e21d665b

SHA256
aabbbad64b3008e6f4111e4d829c8c2bdc64e0795a5c79a06daf6abe8dd0ab8c

SHA512
510d5dff73cdaf05c034995cc2713853df94cad18697f2908524c8ae296452914c7fc496f3f7d3fcf8907aff35f8f5dd1fc394135c8ba28905aa33d582888ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\H34YhpUhHp.bat

Filesize
213B

MD5
735109c8c490774f508a91de48b62e2a

SHA1
68dc718e7098962f65d961a659992ad0d8cfd017

SHA256
542e21f99e97672703df8d8279a6f53b5a142c700c1f1e8f5042fe3e56977818

SHA512
59469e0b2b57a342d6bc08d013620efb20051eac343fd8f1cd1a8516c04864f98b914854c6a514054121b9f51b1bcfb7c066cfc9663fdb6b75d6204282d0ffc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1IMKnnpZ2.bat

Filesize
213B

MD5
951efe7ccebba8017c6ee0843e7d0dae

SHA1
dd2b9887fe02720c1c8aa53703203c4269149de1

SHA256
326999765fe944ce8f5186fcd711cc365fe721e89910d4470e0856befc4d643b

SHA512
94534c0baaa437723593efa4678e71d02b995435a092a999e11ecc4fbf4e3989245eaf221b7ac2cef9885bba3a6cf9159c81f964e40b3353432807ce7b045f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat

Filesize
213B

MD5
6027f86eabc89213218f2bbc2398a907

SHA1
e85322c84fbc3da45f574fbe648b506d3eab9f42

SHA256
426a8e58082cc71166e3873aa11a054a045aabb05989bfcff609199ead5e0785

SHA512
b2dd076000a1551a56a46e1127f29a1651c64ac9719511a98374d972a5f4bd32a0ade9a4557d2a11b971bd824f2e78f63e8b080028dbca478090e061e704b310

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEBF9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zlmto9DLwM.bat

Filesize
213B

MD5
dadfdb4a6b1dc0ea5e49cb7b82630ebc

SHA1
f39003d74701f47874a2e5a1a3dd685c8276fe6b

SHA256
90c930d31461c14b98a33cbd63390810d01788c3d223798158ffc95f1a7ab166

SHA512
7358b8f130703f57b59ea9e150e200fdaad8575e56fdf586d2d8c710ad0f836033de29e48362e0e6495d2e819a82e6a801c04db103d74651a4ef038e6867a35a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat

Filesize
213B

MD5
4de4b4e23688558c061de47b10d4a112

SHA1
aa8a57d55ae8bf5eed85a4c590611f11ca5d178d

SHA256
55d3387fb6b1583d3d9ef0cc1f128a550415978664078ec71fded06f9abc5f42

SHA512
2f43381f8146b0b517caf59b41b3e79b511503054b65ffb3153db3336018bfab203beabf2f576a601d4b03abf62dbdce6a60623d1c640d3ad5457cbe127e5706

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat

Filesize
213B

MD5
bc8f5494d36eeacd0686f51ac8cf9fcf

SHA1
ffc917be7e9ae5b172aa72a161cd09883c1a4f86

SHA256
6468b1705edfb5ed2d12eab33df38cb99bdd5238a2d3497396b2a85675e222dc

SHA512
1debc16dc3701e690bd1559356e52b61ca74ce5ce346ba8f7a35b0e4869fa79a9eb5abdf47b90a9296319429788060dc27c35f86fd1768a24634117dcd67e6cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat

Filesize
213B

MD5
8fb705c3eac416e97bc4efbb44dbe523

SHA1
340a8f89890c7f307068faceff5901f293284c7d

SHA256
d2aad354d16460a3ffb709aea52b823ecc760c143a92290c20f1e8bc2991c21f

SHA512
e00ea2ab7bdcbf1b4a6f6992927d55ff1a87fc1f09d540c8c3a7e593a83f290f8936f81db6510a1a82238457100657cd68d735554dbff40ada37e7c8d77200ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f68d4ad43c06e07399ee43693b9b98e4

SHA1
31e521230138da615d76d32770d3c8f0a4470c84

SHA256
80be22c1cd2c8e4571a52ed005110f7875cdb8157a66420c42fe22c20c132249

SHA512
9ac3fb0b9c581a6c9073c1ef004eb91e10ab7ce627232edfc6999b401215ab5d56bd569ebadcd0c911fd9c1f2d2b46bcc011fcf2b5613db1e0e98ab5d2c812a1

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/608-703-0x0000000000290000-0x00000000003A0000-memory.dmp

Filesize
1.1MB

Download
memory/1020-17-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

Filesize
48KB

Download
memory/1020-16-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/1020-15-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/1020-14-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/1020-13-0x0000000001180000-0x0000000001290000-memory.dmp

Filesize
1.1MB

Download
memory/1044-522-0x0000000000AA0000-0x0000000000BB0000-memory.dmp

Filesize
1.1MB

Download
memory/1276-38-0x0000000000B40000-0x0000000000C50000-memory.dmp

Filesize
1.1MB

Download
memory/1276-45-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/1648-164-0x0000000001300000-0x0000000001410000-memory.dmp

Filesize
1.1MB

Download
memory/1772-104-0x0000000000EC0000-0x0000000000FD0000-memory.dmp

Filesize
1.1MB

Download
memory/1956-643-0x0000000001160000-0x0000000001270000-memory.dmp

Filesize
1.1MB

Download
memory/1980-224-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2476-462-0x00000000000E0000-0x00000000001F0000-memory.dmp

Filesize
1.1MB

Download
memory/2748-39-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2748-40-0x00000000023D0000-0x00000000023D8000-memory.dmp

Filesize
32KB

Download
memory/2800-582-0x0000000000FD0000-0x00000000010E0000-memory.dmp

Filesize
1.1MB

Download
memory/2800-583-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2848-402-0x0000000000040000-0x0000000000150000-memory.dmp

Filesize
1.1MB

Download