dcrat | 58a7fe4f93c4252d5e1d12356b887897caaa5e88beba0722442e23545e3e44e5

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_58a7fe4f93c4252d5e1d12356b887897caaa5e88beba0722442e23545e3e44e5.exe
Size

1.3MB
MD5

3b476ac7e482beee4492355bd81a167c
SHA1

a1d1a526a930e1819883095d348bdbb076e529ef
SHA256

58a7fe4f93c4252d5e1d12356b887897caaa5e88beba0722442e23545e3e44e5
SHA512

4c8a3a5698f9b8fbbb9e126503b7c92a4c329c739e84d67b9b64c838a0ef61f430db58bb9a43fbce8b8fddebb3b4fe459d14b550a3e51ff7551fa8490c15e163
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2920	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d21-10.dat	dcrat
behavioral1/memory/2724-13-0x00000000010E0000-0x00000000011F0000-memory.dmp	dcrat
behavioral1/memory/1556-37-0x0000000000810000-0x0000000000920000-memory.dmp	dcrat
behavioral1/memory/1476-104-0x0000000000C60000-0x0000000000D70000-memory.dmp	dcrat
behavioral1/memory/1928-164-0x00000000011A0000-0x00000000012B0000-memory.dmp	dcrat
behavioral1/memory/1908-224-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/2952-285-0x0000000000390000-0x00000000004A0000-memory.dmp	dcrat
behavioral1/memory/1856-346-0x00000000003D0000-0x00000000004E0000-memory.dmp	dcrat
behavioral1/memory/1964-406-0x0000000001260000-0x0000000001370000-memory.dmp	dcrat
behavioral1/memory/332-645-0x00000000013B0000-0x00000000014C0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2192	powershell.exe
1860	powershell.exe
1852	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2724	DllCommonsvc.exe
1556	OSPPSVC.exe
1476	OSPPSVC.exe
1928	OSPPSVC.exe
1908	OSPPSVC.exe
2952	OSPPSVC.exe
1856	OSPPSVC.exe
1964	OSPPSVC.exe
2072	OSPPSVC.exe
2248	OSPPSVC.exe
2680	OSPPSVC.exe
332	OSPPSVC.exe
1644	OSPPSVC.exe

Loads dropped DLL 2 IoCs

pid	Process
1888	cmd.exe
1888	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
27	raw.githubusercontent.com
38	raw.githubusercontent.com
41	raw.githubusercontent.com
4	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\1610b97d3ab4a7	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_58a7fe4f93c4252d5e1d12356b887897caaa5e88beba0722442e23545e3e44e5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1932	schtasks.exe
2644	schtasks.exe
2756	schtasks.exe
2676	schtasks.exe
2852	schtasks.exe
1872	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2724	DllCommonsvc.exe
2724	DllCommonsvc.exe
2724	DllCommonsvc.exe
2192	powershell.exe
1852	powershell.exe
1860	powershell.exe
1556	OSPPSVC.exe
1476	OSPPSVC.exe
1928	OSPPSVC.exe
1908	OSPPSVC.exe
2952	OSPPSVC.exe
1856	OSPPSVC.exe
1964	OSPPSVC.exe
2072	OSPPSVC.exe
2248	OSPPSVC.exe
2680	OSPPSVC.exe
332	OSPPSVC.exe
1644	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	DllCommonsvc.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	1556	OSPPSVC.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	1476	OSPPSVC.exe
Token: SeDebugPrivilege	1928	OSPPSVC.exe
Token: SeDebugPrivilege	1908	OSPPSVC.exe
Token: SeDebugPrivilege	2952	OSPPSVC.exe
Token: SeDebugPrivilege	1856	OSPPSVC.exe
Token: SeDebugPrivilege	1964	OSPPSVC.exe
Token: SeDebugPrivilege	2072	OSPPSVC.exe
Token: SeDebugPrivilege	2248	OSPPSVC.exe
Token: SeDebugPrivilege	2680	OSPPSVC.exe
Token: SeDebugPrivilege	332	OSPPSVC.exe
Token: SeDebugPrivilege	1644	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2396	2524	JaffaCakes118_58a7fe4f93c4252d5e1d12356b887897caaa5e88beba0722442e23545e3e44e5.exe	30
PID 2524 wrote to memory of 2396	2524	JaffaCakes118_58a7fe4f93c4252d5e1d12356b887897caaa5e88beba0722442e23545e3e44e5.exe	30
PID 2524 wrote to memory of 2396	2524	JaffaCakes118_58a7fe4f93c4252d5e1d12356b887897caaa5e88beba0722442e23545e3e44e5.exe	30
PID 2524 wrote to memory of 2396	2524	JaffaCakes118_58a7fe4f93c4252d5e1d12356b887897caaa5e88beba0722442e23545e3e44e5.exe	30
PID 2396 wrote to memory of 1888	2396	WScript.exe	31
PID 2396 wrote to memory of 1888	2396	WScript.exe	31
PID 2396 wrote to memory of 1888	2396	WScript.exe	31
PID 2396 wrote to memory of 1888	2396	WScript.exe	31
PID 1888 wrote to memory of 2724	1888	cmd.exe	33
PID 1888 wrote to memory of 2724	1888	cmd.exe	33
PID 1888 wrote to memory of 2724	1888	cmd.exe	33
PID 1888 wrote to memory of 2724	1888	cmd.exe	33
PID 2724 wrote to memory of 1860	2724	DllCommonsvc.exe	41
PID 2724 wrote to memory of 1860	2724	DllCommonsvc.exe	41
PID 2724 wrote to memory of 1860	2724	DllCommonsvc.exe	41
PID 2724 wrote to memory of 1852	2724	DllCommonsvc.exe	42
PID 2724 wrote to memory of 1852	2724	DllCommonsvc.exe	42
PID 2724 wrote to memory of 1852	2724	DllCommonsvc.exe	42
PID 2724 wrote to memory of 2192	2724	DllCommonsvc.exe	43
PID 2724 wrote to memory of 2192	2724	DllCommonsvc.exe	43
PID 2724 wrote to memory of 2192	2724	DllCommonsvc.exe	43
PID 2724 wrote to memory of 1556	2724	DllCommonsvc.exe	47
PID 2724 wrote to memory of 1556	2724	DllCommonsvc.exe	47
PID 2724 wrote to memory of 1556	2724	DllCommonsvc.exe	47
PID 1556 wrote to memory of 1628	1556	OSPPSVC.exe	48
PID 1556 wrote to memory of 1628	1556	OSPPSVC.exe	48
PID 1556 wrote to memory of 1628	1556	OSPPSVC.exe	48
PID 1628 wrote to memory of 1788	1628	cmd.exe	50
PID 1628 wrote to memory of 1788	1628	cmd.exe	50
PID 1628 wrote to memory of 1788	1628	cmd.exe	50
PID 1628 wrote to memory of 1476	1628	cmd.exe	51
PID 1628 wrote to memory of 1476	1628	cmd.exe	51
PID 1628 wrote to memory of 1476	1628	cmd.exe	51
PID 1476 wrote to memory of 2988	1476	OSPPSVC.exe	53
PID 1476 wrote to memory of 2988	1476	OSPPSVC.exe	53
PID 1476 wrote to memory of 2988	1476	OSPPSVC.exe	53
PID 2988 wrote to memory of 2528	2988	cmd.exe	55
PID 2988 wrote to memory of 2528	2988	cmd.exe	55
PID 2988 wrote to memory of 2528	2988	cmd.exe	55
PID 2988 wrote to memory of 1928	2988	cmd.exe	56
PID 2988 wrote to memory of 1928	2988	cmd.exe	56
PID 2988 wrote to memory of 1928	2988	cmd.exe	56
PID 1928 wrote to memory of 1708	1928	OSPPSVC.exe	57
PID 1928 wrote to memory of 1708	1928	OSPPSVC.exe	57
PID 1928 wrote to memory of 1708	1928	OSPPSVC.exe	57
PID 1708 wrote to memory of 352	1708	cmd.exe	59
PID 1708 wrote to memory of 352	1708	cmd.exe	59
PID 1708 wrote to memory of 352	1708	cmd.exe	59
PID 1708 wrote to memory of 1908	1708	cmd.exe	60
PID 1708 wrote to memory of 1908	1708	cmd.exe	60
PID 1708 wrote to memory of 1908	1708	cmd.exe	60
PID 1908 wrote to memory of 3028	1908	OSPPSVC.exe	61
PID 1908 wrote to memory of 3028	1908	OSPPSVC.exe	61
PID 1908 wrote to memory of 3028	1908	OSPPSVC.exe	61
PID 3028 wrote to memory of 956	3028	cmd.exe	63
PID 3028 wrote to memory of 956	3028	cmd.exe	63
PID 3028 wrote to memory of 956	3028	cmd.exe	63
PID 3028 wrote to memory of 2952	3028	cmd.exe	64
PID 3028 wrote to memory of 2952	3028	cmd.exe	64
PID 3028 wrote to memory of 2952	3028	cmd.exe	64
PID 2952 wrote to memory of 2492	2952	OSPPSVC.exe	65
PID 2952 wrote to memory of 2492	2952	OSPPSVC.exe	65
PID 2952 wrote to memory of 2492	2952	OSPPSVC.exe	65
PID 2492 wrote to memory of 1660	2492	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_58a7fe4f93c4252d5e1d12356b887897caaa5e88beba0722442e23545e3e44e5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_58a7fe4f93c4252d5e1d12356b887897caaa5e88beba0722442e23545e3e44e5.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
    - - C:\Program Files\Windows Defender\OSPPSVC.exe
        
        "C:\Program Files\Windows Defender\OSPPSVC.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1556
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M1TWCJOn7d.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1788
        
        C:\Program Files\Windows Defender\OSPPSVC.exe
        
        "C:\Program Files\Windows Defender\OSPPSVC.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n3vYZhDjEH.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2528
        
        C:\Program Files\Windows Defender\OSPPSVC.exe
        
        "C:\Program Files\Windows Defender\OSPPSVC.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MKE9IzBoeI.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:352
        
        C:\Program Files\Windows Defender\OSPPSVC.exe
        
        "C:\Program Files\Windows Defender\OSPPSVC.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEvQv3iUx6.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:956
        
        C:\Program Files\Windows Defender\OSPPSVC.exe
        
        "C:\Program Files\Windows Defender\OSPPSVC.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yKdveU0JJ.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1660
        
        C:\Program Files\Windows Defender\OSPPSVC.exe
        
        "C:\Program Files\Windows Defender\OSPPSVC.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uq0hdwOOBc.bat"
        16⤵
        
        PID:2788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2844
        
        C:\Program Files\Windows Defender\OSPPSVC.exe
        
        "C:\Program Files\Windows Defender\OSPPSVC.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat"
        18⤵
        
        PID:2256
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:876
        
        C:\Program Files\Windows Defender\OSPPSVC.exe
        
        "C:\Program Files\Windows Defender\OSPPSVC.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2zXOrWkEHk.bat"
        20⤵
        
        PID:3064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3032
        
        C:\Program Files\Windows Defender\OSPPSVC.exe
        
        "C:\Program Files\Windows Defender\OSPPSVC.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat"
        22⤵
        
        PID:2840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2300
        
        C:\Program Files\Windows Defender\OSPPSVC.exe
        
        "C:\Program Files\Windows Defender\OSPPSVC.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pksuDlslcW.bat"
        24⤵
        
        PID:2192
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1112
        
        C:\Program Files\Windows Defender\OSPPSVC.exe
        
        "C:\Program Files\Windows Defender\OSPPSVC.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"
        26⤵
        
        PID:748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2360
        
        C:\Program Files\Windows Defender\OSPPSVC.exe
        
        "C:\Program Files\Windows Defender\OSPPSVC.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a4f42407ee1f0e0bb534620704aaad2

SHA1
d3c23fbfdd5568c897a3400d495270e71aaf1b87

SHA256
65cda5b77816e635425c2871a536099a1724ae5935c221425e5861ff3894697b

SHA512
3d2d32a782217b6474c54ae6a825047bb4d7f44651eebea85d92a29afe042e0a7da6404cdcb2fffb0cbbfd3244d142d408c6d26ec101403a61faa2d396056689

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29d1b4f647781729fd1eac54a54b7a4b

SHA1
cbc65d71e46d2a7408b789c90e1c11a63a22ba25

SHA256
07b0e054b5670229584d52da31a5e12fea8418af409f79d268509465aab1959f

SHA512
c374072183ada82b79b5679f0cd7e3d3c33024f41786fd257c121349be26795a2ad5fa67cc7c018d3421cc373a1c08791421b76027c5abb0116aae2f0b7cd543

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0c2d2fe64b277f6927e816aaf68e07b

SHA1
fc69e7acdc1d330ec224e9fd28dc049ce86a2542

SHA256
0ffc9e9e63923d578b93d57ef9942d2ea1b36c72a52124ee0a44e7674dbe98af

SHA512
9b56ea2de53551c47a9bb9e711be4bbc3327e43910f69029dd2ab556592da532d60aaafa6873d1c10d9e1d0726264bb676bacc257b2b353e6a69fea66e2f4fff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d921a9248fe467868794cdf58afca621

SHA1
912f6869004fa9e97260fcd539d5eb0481257a8f

SHA256
e9a1bfcdd432fb2b9ddc922c09dafb8fc6622b09ecbe1ce34a1c79ac6a459626

SHA512
2326f03575be22db4088d6eb3ed9ec8ef53f50a13419cd9c62bfdf2a8e3a05fa0a1ff79d9407608da3a3077af5f1ae84a725fcd99a6ea23ce26adb1fb90bd833

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b67185a8ad5fe56579a931b4b5c7f448

SHA1
4376895cdf6033b5f84fb56bc4dc6a5c6dda244d

SHA256
bc3ffde86a5e55dd2af7c0954ad475af74cff538fb3c116386c9273a94e7835c

SHA512
d1165d4d4995d692625550ddc237578086ec49cd5852c78e10ee7e43c2e703599e22174fcf71f684c8d9b515fc8e09fd172525988bd58da71a62ecfb3913fef9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22692211d3752a87f0a0e79e3149120d

SHA1
88654745b81d4ba2500deefa8ec26757de6c5176

SHA256
4a2a09a1cbcc9788b691e3b0586744bdec89df08bbbf0465c809fd84a6c7c4a6

SHA512
9c5532c1212b8e4ecf1c8dd4c42049457e12400a19b9e9ede27e833b19c8d266f66be3cd2fc78df3171ecad674de3f8659f82957604bdca0c7fced574560fe09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94cf3b376c974a7e478d366f3b250db3

SHA1
b74ede80f36598823bcfcf45042fee511fa0396e

SHA256
c36cc658077df6c229e1e8f3845afe138b9235fccb35de54175c40f11903739a

SHA512
8725643028dee29204ede50129499b5c92f8ff7940826ad556b216fb7abc7142904e912406a9eca266eedb67d3226b5b524968907b19d32bad6ba3892ff24d71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6fcdfc038f8985b41fdd4e7f2ba1afb

SHA1
6b35d47b2eba896d6e127a23ee5253ffd38d8b1f

SHA256
1d6bb041c3670e3fd5bc882be130b2347f2f6b7f875669b329624e352926948e

SHA512
41f586812c9f3c118daffb7c185dcff73d5ddb037eedf198dce70783bc4e3317563390b2279d58a1a55bd26edc3dee69e7f632715eea6932fc587263d0f9c86b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a172b5ca5876553c0798e93387a267a

SHA1
f9093e36c113514abd04f5b9938eae9d55c64239

SHA256
8c7b2d3dea863a4986df1f1afeab42f1733101bca8e422c10b7d313964056252

SHA512
5086b81a840d76091b6b058ac2f2236e86c3c6ecefd448ba5d3e49cf73dfa54e2e9cb5670e3083501936432a147e47201acd837b1d787baa2e93ad887daf081a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a2601c4e2168a87fd991b4ff506dad4

SHA1
f1b14d5b45d6db0c5d6973ac90ce57a143f37e8a

SHA256
b20118cc62131cb9871c049231fc43fb289cf240f43ed129b611a9800bb6e158

SHA512
0f8b3fb39b1da33908b77f7693b3c3cfb985eec7ba6e25dfb365564586ef04deda5e0fff2d653fb21f6328a291561bd159d0bf98235470a08de4edaa4866bd3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2zXOrWkEHk.bat

Filesize
210B

MD5
b2931d07dc324b44269fb18e8066640b

SHA1
5493aa91dae888a10ecae0e668c3f4f28bdb0d8a

SHA256
2c0cad2920bb50b4671a91bdae7576b884a5322c0d77e50b6d20c8fd8d37e429

SHA512
8ea62bb2454d992e36671dc307965ecc181bf1c954302589e3d3023b836e129ff071f1975d45f5c8ade392a3f9281aae7b8868d871636663a54b38f87cedec43

Download Submit
C:\Users\Admin\AppData\Local\Temp\4yKdveU0JJ.bat

Filesize
210B

MD5
19264b933dd5853b992ee2ce1772f334

SHA1
2113722c03d6001ec7492c49a489e4cedfbaf1f6

SHA256
04153c46b723abd24a159b9bc87b347adf49a48dff116c954430c4f89b96c09a

SHA512
b9c71e1d892c6d633ab2049e08f117169d8b687829104be24b0b68bd6bbadfce88d16e97d7510789595ebddfd05934de126bb1009efb2ddaa12986ebfcbc7d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat

Filesize
210B

MD5
586a8926031869b3eaf9895938941a9c

SHA1
3b630cc3b65004f5cc103fb1729af34bdb2fa1e9

SHA256
1c93d1697bc6258e2e03b0598891b2091ae79a5e61ac0291bc5e5cfa07c2ef31

SHA512
471a88881da5c7c8a0d087176f67b21d07411ad3988f2cb42c9530a3fe6cc09de1c336350a297710fea607f22aac3cd68c7b8d46519f79194e48b240795829f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat

Filesize
210B

MD5
9938904c545e02e2a4affd8fff9ece28

SHA1
3690ee36a002508f521ecd9395bb2e48cfba9ae3

SHA256
de65ebddeed41a9498b36e8de5d31f34929f6f8ca5be1079e6a8d9f3b8d1004a

SHA512
6e8c59dd775b98f8272c458d5d7b0b32b574ab3e36f23bbbf6b695fa5bebf81d41c9b5ffa4dc5815a878205d1069be97a02278e374c60f9ac1061098dfaf40a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB35A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\M1TWCJOn7d.bat

Filesize
210B

MD5
89f57ddfd65d5217c8e7f85d58921201

SHA1
29ee2d3efe0b5deecb20c16d59395620320a3a9b

SHA256
b00c6659828a175a634bc914ddcdb16bfd245d258c1f55b8ea58a5e7ce386b91

SHA512
31db2f0d55c659c7dd2e97cbcedb455c04dc4cd2da91b2023f8fbe95373cfdc5cc149c3868adaf01daa6d99afdbf6abfeb0ec2414ea38152433994fb97b2255d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MKE9IzBoeI.bat

Filesize
210B

MD5
1f99bc3722e5921a0c2493327af1baec

SHA1
574ef3f12c176c1bdef49dcead2fad5fce6baea0

SHA256
7a450c74466bf4e30d7910e5155c717592a4911f0abf634d6d56a7f0b8cb88d2

SHA512
bc4c70ad4260be2f26c6e110880de6220b7866203327c507e0b960b732e4d323a1372a7b614d51c557756c2e5bb98a11b2e85a5719ecc20c09965aee3c123902

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB36C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat

Filesize
210B

MD5
9e1fd68baecfcb17a4764cb2ba2cb114

SHA1
d16c021ff1790667543230687352f4883ed7afb2

SHA256
661d1eb730fb0de9ce6e908969efd6103f1a2c74ebfc3671c0a1e4bb20ee245b

SHA512
dc23bbbc818eb5f5cd538f79d135c010302540094684b0cf4f3d8deff4cac581681225428ee997876fbedd994537ebcce01a4e45331ab1692338ea46abf59896

Download Submit
C:\Users\Admin\AppData\Local\Temp\n3vYZhDjEH.bat

Filesize
210B

MD5
8a37761adc3f368ba4d50d311dce860a

SHA1
514bd2bc03e3e39a758cfddcfdb8dd365717fda7

SHA256
6bce0a4adb43bc8c765522df123141cd0737d96175261cd9528b22918a9e9190

SHA512
26263cd706dcd5378ff8f46e7b11ebe68f4e89b5b2aee5291adb44b1e4b2bbb94f8396f4a60bfb1aa22b77923b41acfe3d091c279bc992456f29039a236e914e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pksuDlslcW.bat

Filesize
210B

MD5
6429e33f1e05d4b523c221c799f84833

SHA1
e38e3a37bd317ab8753c0a039c3f8e7ab64e0921

SHA256
f60dcf6ba0534730c9d93d7bd00205b7fc9858e1513bd4fb6b01d8a36ce38ab9

SHA512
369e892f214674afc8961603da48895d92ab75274b6417ced7ad14aea323642379b860e4768c2ddbd2eb22d2dec02fdd9eaff696c778212c96fec76d8ab97a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\uq0hdwOOBc.bat

Filesize
210B

MD5
d1ca812f22895fef439456766d2d8000

SHA1
ff1c7d3bd8532e9ed601f4358ca8f72315b384a0

SHA256
6c5b5da92ddf7b5c782f8833b4254016f2c39b8561d08664e6c62cfb9d6349b1

SHA512
23ac82c0ee0891e3baef980992cf7fd04d103f12601fe40e7f2f0a0787a1cab4a984911a6c2cbfd1d88a02678146a862c6fdb2fd1d8b43930c6ebd01d9a3ec64

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEvQv3iUx6.bat

Filesize
210B

MD5
5f319cc7699afba655cb348f9078b0c0

SHA1
00cb5450c68ee249290f25d555745d61c1b9c95f

SHA256
5bf91eaf62b6c31cdafc8b54aa0b003e86d2a69ac97f3f31c053e11e6603e3b0

SHA512
4d2d09dac24add7bc78243de17883335df077fa603cc119efc2bdc266d3c15283893d80c938fdadd2d69be6412a4a39928c28e5155a612c6fb951eaa899b5c5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
73d09777b30341801e8cddadd1321177

SHA1
81dae24ad1ad0cb6bc0a1c849dc84d8763426acf

SHA256
711b6feecbb10737289ff6e7763162f2c9917e012bc61972559b8eddb69d033d

SHA512
726a4407e493907599d874c785ad0177b3325acffd458c8db370f9e3757c95bb227fd5d40e73627bc279fddf01d09aab7ce17334bec4d3b0f9c71415f90b201d

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/332-645-0x00000000013B0000-0x00000000014C0000-memory.dmp

Filesize
1.1MB

Download
memory/1476-104-0x0000000000C60000-0x0000000000D70000-memory.dmp

Filesize
1.1MB

Download
memory/1556-45-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1556-37-0x0000000000810000-0x0000000000920000-memory.dmp

Filesize
1.1MB

Download
memory/1852-43-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download
memory/1856-346-0x00000000003D0000-0x00000000004E0000-memory.dmp

Filesize
1.1MB

Download
memory/1908-225-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/1908-224-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download
memory/1928-164-0x00000000011A0000-0x00000000012B0000-memory.dmp

Filesize
1.1MB

Download
memory/1964-406-0x0000000001260000-0x0000000001370000-memory.dmp

Filesize
1.1MB

Download
memory/1964-407-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2192-44-0x0000000002800000-0x0000000002808000-memory.dmp

Filesize
32KB

Download
memory/2248-526-0x00000000009F0000-0x0000000000A02000-memory.dmp

Filesize
72KB

Download
memory/2724-17-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2724-16-0x0000000000340000-0x000000000034C000-memory.dmp

Filesize
48KB

Download
memory/2724-15-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/2724-14-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/2724-13-0x00000000010E0000-0x00000000011F0000-memory.dmp

Filesize
1.1MB

Download
memory/2952-286-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2952-285-0x0000000000390000-0x00000000004A0000-memory.dmp

Filesize
1.1MB

Download