dcrat | b4a09225228396bb9a44d8bbf4256ee936adfa089bff8694cb1ad53981433dd3

Analysis

max time kernel
144s
max time network
140s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b4a09225228396bb9a44d8bbf4256ee936adfa089bff8694cb1ad53981433dd3.exe
Size

1.3MB
MD5

f8a297c243bab2a7375cf80052c03870
SHA1

b5760caacfb718eb2e65c4982ae75a409d203c9c
SHA256

b4a09225228396bb9a44d8bbf4256ee936adfa089bff8694cb1ad53981433dd3
SHA512

0c45480eaec7b8d3c470187397c12d6e2bcba0bfba969426db5dcf4f5284ecd7e906f4611966691b5b21b86b64229f514cd3a0e3d571e43ff246aaff7d5e2b29
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2632	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2632	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015f7b-12.dat	dcrat
behavioral1/memory/2116-13-0x0000000000FB0000-0x00000000010C0000-memory.dmp	dcrat
behavioral1/memory/1680-73-0x0000000000980000-0x0000000000A90000-memory.dmp	dcrat
behavioral1/memory/2696-132-0x0000000001080000-0x0000000001190000-memory.dmp	dcrat
behavioral1/memory/2064-310-0x00000000002E0000-0x00000000003F0000-memory.dmp	dcrat
behavioral1/memory/1036-370-0x0000000000830000-0x0000000000940000-memory.dmp	dcrat
behavioral1/memory/2992-431-0x0000000001060000-0x0000000001170000-memory.dmp	dcrat
behavioral1/memory/560-609-0x00000000011E0000-0x00000000012F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1776	powershell.exe
1800	powershell.exe
1816	powershell.exe
2156	powershell.exe
2244	powershell.exe
2808	powershell.exe
2608	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2116	DllCommonsvc.exe
1680	dwm.exe
2696	dwm.exe
2988	dwm.exe
1624	dwm.exe
2064	dwm.exe
1036	dwm.exe
2992	dwm.exe
1552	dwm.exe
332	dwm.exe
560	dwm.exe

Loads dropped DLL 2 IoCs

pid	Process
2868	cmd.exe
2868	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
14	raw.githubusercontent.com
17	raw.githubusercontent.com
21	raw.githubusercontent.com
24	raw.githubusercontent.com
28	raw.githubusercontent.com
4	raw.githubusercontent.com
10	raw.githubusercontent.com
31	raw.githubusercontent.com
34	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Google\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\de-DE\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\de-DE\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Google\audiodg.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b4a09225228396bb9a44d8bbf4256ee936adfa089bff8694cb1ad53981433dd3.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
996	schtasks.exe
2572	schtasks.exe
2912	schtasks.exe
3012	schtasks.exe
1148	schtasks.exe
2012	schtasks.exe
2944	schtasks.exe
2980	schtasks.exe
1772	schtasks.exe
2404	schtasks.exe
1720	schtasks.exe
2176	schtasks.exe
1288	schtasks.exe
2728	schtasks.exe
624	schtasks.exe
1476	schtasks.exe
1300	schtasks.exe
1332	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2116	DllCommonsvc.exe
2116	DllCommonsvc.exe
2116	DllCommonsvc.exe
1816	powershell.exe
2156	powershell.exe
1800	powershell.exe
2608	powershell.exe
1776	powershell.exe
2808	powershell.exe
2244	powershell.exe
1680	dwm.exe
2696	dwm.exe
2988	dwm.exe
1624	dwm.exe
2064	dwm.exe
1036	dwm.exe
2992	dwm.exe
1552	dwm.exe
332	dwm.exe
560	dwm.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	DllCommonsvc.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	1680	dwm.exe
Token: SeDebugPrivilege	2696	dwm.exe
Token: SeDebugPrivilege	2988	dwm.exe
Token: SeDebugPrivilege	1624	dwm.exe
Token: SeDebugPrivilege	2064	dwm.exe
Token: SeDebugPrivilege	1036	dwm.exe
Token: SeDebugPrivilege	2992	dwm.exe
Token: SeDebugPrivilege	1552	dwm.exe
Token: SeDebugPrivilege	332	dwm.exe
Token: SeDebugPrivilege	560	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 3056	2844	JaffaCakes118_b4a09225228396bb9a44d8bbf4256ee936adfa089bff8694cb1ad53981433dd3.exe	30
PID 2844 wrote to memory of 3056	2844	JaffaCakes118_b4a09225228396bb9a44d8bbf4256ee936adfa089bff8694cb1ad53981433dd3.exe	30
PID 2844 wrote to memory of 3056	2844	JaffaCakes118_b4a09225228396bb9a44d8bbf4256ee936adfa089bff8694cb1ad53981433dd3.exe	30
PID 2844 wrote to memory of 3056	2844	JaffaCakes118_b4a09225228396bb9a44d8bbf4256ee936adfa089bff8694cb1ad53981433dd3.exe	30
PID 3056 wrote to memory of 2868	3056	WScript.exe	31
PID 3056 wrote to memory of 2868	3056	WScript.exe	31
PID 3056 wrote to memory of 2868	3056	WScript.exe	31
PID 3056 wrote to memory of 2868	3056	WScript.exe	31
PID 2868 wrote to memory of 2116	2868	cmd.exe	33
PID 2868 wrote to memory of 2116	2868	cmd.exe	33
PID 2868 wrote to memory of 2116	2868	cmd.exe	33
PID 2868 wrote to memory of 2116	2868	cmd.exe	33
PID 2116 wrote to memory of 2608	2116	DllCommonsvc.exe	53
PID 2116 wrote to memory of 2608	2116	DllCommonsvc.exe	53
PID 2116 wrote to memory of 2608	2116	DllCommonsvc.exe	53
PID 2116 wrote to memory of 1776	2116	DllCommonsvc.exe	54
PID 2116 wrote to memory of 1776	2116	DllCommonsvc.exe	54
PID 2116 wrote to memory of 1776	2116	DllCommonsvc.exe	54
PID 2116 wrote to memory of 1800	2116	DllCommonsvc.exe	55
PID 2116 wrote to memory of 1800	2116	DllCommonsvc.exe	55
PID 2116 wrote to memory of 1800	2116	DllCommonsvc.exe	55
PID 2116 wrote to memory of 1816	2116	DllCommonsvc.exe	56
PID 2116 wrote to memory of 1816	2116	DllCommonsvc.exe	56
PID 2116 wrote to memory of 1816	2116	DllCommonsvc.exe	56
PID 2116 wrote to memory of 2156	2116	DllCommonsvc.exe	57
PID 2116 wrote to memory of 2156	2116	DllCommonsvc.exe	57
PID 2116 wrote to memory of 2156	2116	DllCommonsvc.exe	57
PID 2116 wrote to memory of 2244	2116	DllCommonsvc.exe	58
PID 2116 wrote to memory of 2244	2116	DllCommonsvc.exe	58
PID 2116 wrote to memory of 2244	2116	DllCommonsvc.exe	58
PID 2116 wrote to memory of 2808	2116	DllCommonsvc.exe	59
PID 2116 wrote to memory of 2808	2116	DllCommonsvc.exe	59
PID 2116 wrote to memory of 2808	2116	DllCommonsvc.exe	59
PID 2116 wrote to memory of 2524	2116	DllCommonsvc.exe	67
PID 2116 wrote to memory of 2524	2116	DllCommonsvc.exe	67
PID 2116 wrote to memory of 2524	2116	DllCommonsvc.exe	67
PID 2524 wrote to memory of 1924	2524	cmd.exe	69
PID 2524 wrote to memory of 1924	2524	cmd.exe	69
PID 2524 wrote to memory of 1924	2524	cmd.exe	69
PID 2524 wrote to memory of 1680	2524	cmd.exe	70
PID 2524 wrote to memory of 1680	2524	cmd.exe	70
PID 2524 wrote to memory of 1680	2524	cmd.exe	70
PID 1680 wrote to memory of 1768	1680	dwm.exe	71
PID 1680 wrote to memory of 1768	1680	dwm.exe	71
PID 1680 wrote to memory of 1768	1680	dwm.exe	71
PID 1768 wrote to memory of 1524	1768	cmd.exe	73
PID 1768 wrote to memory of 1524	1768	cmd.exe	73
PID 1768 wrote to memory of 1524	1768	cmd.exe	73
PID 1768 wrote to memory of 2696	1768	cmd.exe	75
PID 1768 wrote to memory of 2696	1768	cmd.exe	75
PID 1768 wrote to memory of 2696	1768	cmd.exe	75
PID 2696 wrote to memory of 2936	2696	dwm.exe	76
PID 2696 wrote to memory of 2936	2696	dwm.exe	76
PID 2696 wrote to memory of 2936	2696	dwm.exe	76
PID 2936 wrote to memory of 2012	2936	cmd.exe	78
PID 2936 wrote to memory of 2012	2936	cmd.exe	78
PID 2936 wrote to memory of 2012	2936	cmd.exe	78
PID 2936 wrote to memory of 2988	2936	cmd.exe	79
PID 2936 wrote to memory of 2988	2936	cmd.exe	79
PID 2936 wrote to memory of 2988	2936	cmd.exe	79
PID 2988 wrote to memory of 2020	2988	dwm.exe	80
PID 2988 wrote to memory of 2020	2988	dwm.exe	80
PID 2988 wrote to memory of 2020	2988	dwm.exe	80
PID 2020 wrote to memory of 1996	2020	cmd.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4a09225228396bb9a44d8bbf4256ee936adfa089bff8694cb1ad53981433dd3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4a09225228396bb9a44d8bbf4256ee936adfa089bff8694cb1ad53981433dd3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\de-DE\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lLNgICC7cT.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2524
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1924
      - C:\providercommon\dwm.exe
        
        "C:\providercommon\dwm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1524
        
        C:\providercommon\dwm.exe
        
        "C:\providercommon\dwm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2012
        
        C:\providercommon\dwm.exe
        
        "C:\providercommon\dwm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1n8esAjYxK.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1996
        
        C:\providercommon\dwm.exe
        
        "C:\providercommon\dwm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UZ6jdsJyxg.bat"
        13⤵
        
        PID:2332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:880
        
        C:\providercommon\dwm.exe
        
        "C:\providercommon\dwm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vbXk1H8t4K.bat"
        15⤵
        
        PID:1152
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1488
        
        C:\providercommon\dwm.exe
        
        "C:\providercommon\dwm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x5nMQhEI33.bat"
        17⤵
        
        PID:1856
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1228
        
        C:\providercommon\dwm.exe
        
        "C:\providercommon\dwm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat"
        19⤵
        
        PID:2344
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:884
        
        C:\providercommon\dwm.exe
        
        "C:\providercommon\dwm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat"
        21⤵
        
        PID:1548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2136
        
        C:\providercommon\dwm.exe
        
        "C:\providercommon\dwm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uP802u8Cku.bat"
        23⤵
        
        PID:2456
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1612
        
        C:\providercommon\dwm.exe
        
        "C:\providercommon\dwm.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Google\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\de-DE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\de-DE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\de-DE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c68ba7d0468621fc629e0f272b1aaff

SHA1
77d8ceba9b029da8cb5860267bb75fa0883daa93

SHA256
d77df45e39ca14491ebac7fb820e5e08a4b33306fbf9659c8ba6a14a26dac468

SHA512
6459318db2047ec95d38c9da85b053b1361d313a471ecae478cf7234450f0d74fcc13813d8349ee4a35cbfb329718b8ba8fadcb0cf97b9ae01f97e5179b9225f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf59090571cc598ce49fc871c7481d3c

SHA1
611056b84c289b6de50d2095cd7ed01fb142b27f

SHA256
ffd41d2c2e9d3b467035f89b7152c747062b93655d2da2120d6166bdfdc68815

SHA512
04ac01a7ade870d7c3edbd305cee7c380621e411002e57c9e23ab324769ebf9620b6e957a5cb4298a2308d1865b27afb5a02ff39560d1a5df29883c237f9f5b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f05805cfbe7fdcd6f191aad4b226458

SHA1
6c7f86c91a42a6014949c3e31e11cda298989b5a

SHA256
600ab55b32a1680a64c238abf5e881b9997e7d04260351471c68519f8dfd7427

SHA512
c4238e28ebada9a9ff01619e431321a9e314b5375195b4b0b4ad6c76e23813f1947d3a360c01a8bd4d85e1025d0127b590eb59597318793da4d27995c4f7087f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8228f70867960daf9e3c6ae550f73a0c

SHA1
f6c85c04fd497fe57d10ae4af108761565bd3d6f

SHA256
87cb3842316e5fbc3de3786aab1cacac957897dc1a6bde86198aceeaffa2e3ad

SHA512
01638925ae9b325bad8d338cc2c2a3f03913ad9b1832605336532b9774f7d5ff8e08c8e15dd2776a640d623b2b455bf265a8d40d7b15ede82ab216086e5c71ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2e4e7f7220c34b7871199c74e019a59

SHA1
5188791ae35815d9ea6263ada0c1335439b33cbc

SHA256
ce7f86bdebf9caf6b55278ac01eb8e986024c6d90ac04035d76116f0eed8f712

SHA512
867ae2c23f40bba4f248aa62cd7a5155acb0eba92be852dc8e21d365896d8d6b0cd85752c7db777bdf1ca0f0dcd9b24b2d9c271d6b8d5113aca421d6cdf4793d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba0c47995b5183c7d2caca1dcb6f7090

SHA1
5a182376aa9eaa230f8dad23291c3cc2100181d8

SHA256
0218ea6c5e298b4fd76266aa8257395c195e86e89d373ea1978318b4539a3bda

SHA512
584720a4f1e18ba8886ce583518a18184c1abdcdfcc0e06cae34dff49c75f4a114798339b6a0a0dded35f40691ee166e11994fb406def41aafe5c7758bb4d281

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cbad2e58bafecadf84bea9d9ea220b34

SHA1
0d41246020b4751217ea3bb8e39179d5b55fb4f2

SHA256
d3f61f6a7394805d374318fb0a06547539946d0928e95ab9b714f72e13ba781f

SHA512
2878a7e64d07beb9d1cf3067d4e0dd47bd0a4ed8c54e51e3978fc456295422dbb4666bed234e57897402016c5daa3aebe181ad81e30cfda72436b8178ec74816

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d2cff20bb633d2f517242497fb7b338

SHA1
5bb5f4216c94ebce7090f221b5b6ec621c918757

SHA256
f629aeadac35f01668b545b2a5d65ddfb8c0c7713e9588195a042427716e3e56

SHA512
11ffb8841758e8609064582356a93f0d817728c4a438e6081464ef5b0555251033ca341af8984e492bca43b727fee479e8df36ddf88c53da2511030fa64328fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1n8esAjYxK.bat

Filesize
190B

MD5
8fe3e94cfef55d7856e1334ac817901d

SHA1
f688aa641d6057f601124ec56296b797d6a60869

SHA256
a52e1a28ff3feef62e537c0aa4cb07ab5e0c0cd40c133b9b2c314c826ab952c2

SHA512
89c60919a92dbacb914c1ff5e15138a52b5c230edcf49cd7194adf7ebae7ea9a7cf4b1b108af8fcc9bed9a39854855b32e6be4a0fcd1a57ffab825276d0255c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC5F0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC602.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UZ6jdsJyxg.bat

Filesize
190B

MD5
97bbf3ea8dfdf09b837542f841e8b684

SHA1
61715af8b4a4ac6942b2e3132ee0101a310a57e3

SHA256
3eefc87977ab5056e4ad48b0bc3e8f45f15e1b58970e6a245a82886c81245233

SHA512
597c58ff48b9f3949a52576587e5bd9e07f8d528681350050b3043dd1fdc51f403d26ab365cc9d63d47f33e3e9638f7bf4c67a64d0c6eaa879420bc945b2e241

Download Submit
C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat

Filesize
190B

MD5
b0f44b1d1039249e566b322355c18349

SHA1
c73f6a0cba56f9cd14892bd5a40f86bd106619d1

SHA256
199d1afcc5558070628912894e532c7fcdce914910dcb61543998e415519421f

SHA512
7ff298004ca2360cebf2a6338782d9378aab0bbc27f99236f5f88f46f42c918479b4f60f4250571f18a0bfdb2869cd274b02a46f2521ae5258556c09f16f0432

Download Submit
C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat

Filesize
190B

MD5
180b0798c66be7e1fcf7f295a78afa76

SHA1
d9fa42b806da9b55ec262328d1ead5ac914ad1fc

SHA256
e36bc5cc6cd1af4748739badb82a9e6ecfcfc8d2b960cf3753bf0bcc8642499a

SHA512
b65c361a7e67e9280899b4e56657494e5a6dffdc1946aeea69d479fe05a7f5cec9ab14ce7c6c48f059d6d8b21a1ce3b1364a778fc197e74877c52b892a9c2a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat

Filesize
190B

MD5
ed1680a73ad27e576a2dd3549690e232

SHA1
4d290c6045ab7b0614617dc3600fbc46b98b1025

SHA256
2f0541688ee86d02be22f2b27559be580fda7d1024cfe90f8aa2aafa8e94b999

SHA512
64c71c76af8e7781b278ef8c7bdfc82c55539f394d1d51abb9b9dec2d6afe9296b363051348442ee4e436e013e42f34eb479a6b1317c2dcd03b0e52be00ec508

Download Submit
C:\Users\Admin\AppData\Local\Temp\lLNgICC7cT.bat

Filesize
190B

MD5
2448d161b1119d8a645ea3f606e5b4b7

SHA1
81072bb0a33e8c34839d34bd665be7211bd44f9e

SHA256
20d902cb2cbd9f8c2bf361e778f8fa681036ea52c7b171d7402b28ef9527ee1a

SHA512
b46c1986ff0b2b4b9d60757fbdb64e8be6c6be245120fb32a293769bd91342a0b2a3b6e3e6eb90d6cf1faf7cfb7263343a2ecf615a6a390be89ca13500601285

Download Submit
C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat

Filesize
190B

MD5
0ee2cfc29578bb8acae0e9dee36d9fe3

SHA1
805b6b2d07cee768ee5b0eefc888aa2d3e1c65cc

SHA256
ee3d0161d1b69f52416b78d5674084bba0234666e6dc48e3fa64a60f5df1cc72

SHA512
7661dad811785a451b44adcc0693dbefef9f46faf5fb513bf13d94f09ca12acde4a238c55891b1e2cae8d8b8a7fca9acdae5d5ff74c62c995172a8700f1e775f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uP802u8Cku.bat

Filesize
190B

MD5
c48fb7536e06db24bf693812538692d5

SHA1
dc97656ee7859a9e1f7925ad7f7e1f9a0e1debe0

SHA256
23a337e3d302e6d1fce5cdf1cecef716a49ba77fe1d1968a5d346bc91edce334

SHA512
9637e2b1b8d28968754b2980a6eeefca31e48cb5a47963d32b49ae85e33915c4f09fda67d753e76312bf4a93f841abf32ac34f446e3ccf5c0ab3c9ffd2351727

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbXk1H8t4K.bat

Filesize
190B

MD5
cf047ccfd7c64b29f9d4e04fb729dfb8

SHA1
be20c83fff06aba65d0155459afb1ba30c082934

SHA256
8f92426a1d57b8f4166644e03c121fe622c361c17f663dd02d7bfcbbff56bc8f

SHA512
c9a94cff8f49dfe6a33369e7bc78205a8ce005f3ec54cee7fd396911abbcb883a60e24ff8fd9bbb042511d5315e9831771d2e3406a9cc083f5dba61c71f18290

Download Submit
C:\Users\Admin\AppData\Local\Temp\x5nMQhEI33.bat

Filesize
190B

MD5
b62eb4af515268c44e2bab0cabb0782e

SHA1
638876c9e0ca3f9bc25d93cabd8a64d71134c385

SHA256
d634d06242d94a2a467a783cda69b3a71beb672144180bc282ab2dc4c9e76ce0

SHA512
ce3362a6ef140649d388b06d3043e98f4eab545ecb72290dc6aa7312da94999ecb50f12b74fd4c0381c26ae792b7bae8b4731624bb96d13e7f586a555fb5a384

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1435bd6491f801d9135bf8c9032222e7

SHA1
fe9346f179cc752fc929ff7f4b77ecfdaa6df841

SHA256
f55f7e949cab3c29b2269eab37abe405ee930e4ea0be3b04c4af8cc19c14ddca

SHA512
dce920ff6786db7d37f0af87bd5b248a63631973ae3aa8d6c5667f1bd4f3809b26b64df108ecd8810b5d763d6f931160f00f823daed6d84d0b2eaf6f6cec3903

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/560-609-0x00000000011E0000-0x00000000012F0000-memory.dmp

Filesize
1.1MB

Download
memory/1036-371-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/1036-370-0x0000000000830000-0x0000000000940000-memory.dmp

Filesize
1.1MB

Download
memory/1680-73-0x0000000000980000-0x0000000000A90000-memory.dmp

Filesize
1.1MB

Download
memory/1816-39-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/1816-40-0x00000000026F0000-0x00000000026F8000-memory.dmp

Filesize
32KB

Download
memory/2064-310-0x00000000002E0000-0x00000000003F0000-memory.dmp

Filesize
1.1MB

Download
memory/2116-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2116-16-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2116-15-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2116-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2116-13-0x0000000000FB0000-0x00000000010C0000-memory.dmp

Filesize
1.1MB

Download
memory/2696-132-0x0000000001080000-0x0000000001190000-memory.dmp

Filesize
1.1MB

Download
memory/2992-431-0x0000000001060000-0x0000000001170000-memory.dmp

Filesize
1.1MB

Download