Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 31/10/2022, 22:07
Behavioral task: behavioral1
Sample: e63c7c92f46cbd081e9111934043b43bdf9b5444bf67c82d370e877611d5bd56.exe
Resource: win10-20220812-en
General
- Target: e63c7c92f46cbd081e9111934043b43bdf9b5444bf67c82d370e877611d5bd56.exe
- Size: 1.3MB
- MD5: cb7abdf4e4c93cab3449a14cf499ea57
- SHA1: 0ba5eace1cab4455aef40e9a3d78d32b276b582e
- SHA256: e63c7c92f46cbd081e9111934043b43bdf9b5444bf67c82d370e877611d5bd56
- SHA512: feb6445476d81b420fc07f80f0e512b83f71db63b70940b4abaee0f16e5dd526dff5fd3c3e4a8047287c23ecf87cf41a8645fd45afb7ef23864fb614f95c5094
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
resource | yara_rule
behavioral1/files/0x000900000001ac19-283.dat | dcrat
behavioral1/files/0x000900000001ac19-284.dat | dcrat
behavioral1/memory/3472-285-0x0000000000270000-0x0000000000380000-memory.dmp | dcrat
behavioral1/files/0x000600000001ac25-305.dat | dcrat
behavioral1/files/0x000600000001ac25-306.dat | dcrat
behavioral1/files/0x000600000001ac25-405.dat | dcrat
behavioral1/files/0x000600000001ac25-411.dat | dcrat
behavioral1/files/0x000600000001ac25-417.dat | dcrat
behavioral1/files/0x000600000001ac25-422.dat | dcrat
behavioral1/files/0x000600000001ac25-428.dat | dcrat
behavioral1/files/0x000600000001ac25-434.dat | dcrat
behavioral1/files/0x000600000001ac25-439.dat | dcrat
behavioral1/files/0x000600000001ac25-445.dat | dcrat
behavioral1/files/0x000600000001ac25-450.dat | dcrat
behavioral1/files/0x000600000001ac25-456.dat | dcrat
behavioral1/files/0x000600000001ac25-461.dat | dcrat
behavioral1/files/0x000600000001ac25-466.dat | dcrat

Process spawned unexpected child process (6 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4240 | 4256 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4204 | 4256 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3716 | 4256 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1948 | 4256 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4308 | 4256 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2616 | 4256 | schtasks.exe | 70

Executes dropped EXE (14 IoCs)
pid | Process
3472 | DllCommonsvc.exe
4444 | spoolsv.exe
4736 | spoolsv.exe
1292 | spoolsv.exe
376 | spoolsv.exe
4788 | spoolsv.exe
4308 | spoolsv.exe
4456 | spoolsv.exe
1040 | spoolsv.exe
4500 | spoolsv.exe
4356 | spoolsv.exe
4744 | spoolsv.exe
2668 | spoolsv.exe
1400 | spoolsv.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 6 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4240 | schtasks.exe
4204 | schtasks.exe
3716 | schtasks.exe
1948 | schtasks.exe
4308 | schtasks.exe
2616 | schtasks.exe
Modifies registry class (14 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | spoolsv.exe (13 entries)
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | e63c7c92f46cbd081e9111934043b43bdf9b5444bf67c82d370e877611d5bd56.exe (1 entry)
Suspicious behavior: EnumeratesProcesses (23 IoCs)
pid | Process
3472 | DllCommonsvc.exe
5044 | powershell.exe
5020 | powershell.exe
4932 | powershell.exe
4932 | powershell.exe
4444 | spoolsv.exe
5020 | powershell.exe
5044 | powershell.exe
4932 | powershell.exe
5044 | powershell.exe
5020 | powershell.exe
4736 | spoolsv.exe
1292 | spoolsv.exe
376 | spoolsv.exe
4788 | spoolsv.exe
4308 | spoolsv.exe
4456 | spoolsv.exe
1040 | spoolsv.exe
4500 | spoolsv.exe
4356 | spoolsv.exe
4744 | spoolsv.exe
2668 | spoolsv.exe
1400 | spoolsv.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3472 | DllCommonsvc.exe
Token: SeDebugPrivilege | 5020 | powershell.exe
Token: SeDebugPrivilege | 5044 | powershell.exe
Token: SeDebugPrivilege | 4444 | spoolsv.exe
Token: SeDebugPrivilege | 4932 | powershell.exe
Token entries for 5044 powershell.exe (21 rows): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Token entries for 4932 powershell.exe (21 rows): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Token entries for 5020 powershell.exe (17 rows): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
Suspicious use of WriteProcessMemory (64 IoCs)
Identical rows are collapsed; the last column gives how many times each row appears in the report.
description | pid | Process | procid_target | rows
PID 2656 wrote to memory of 4784 | 2656 | e63c7c92f46cbd081e9111934043b43bdf9b5444bf67c82d370e877611d5bd56.exe | 66 | 3
PID 4784 wrote to memory of 1568 | 4784 | WScript.exe | 67 | 3
PID 1568 wrote to memory of 3472 | 1568 | cmd.exe | 69 | 2
PID 3472 wrote to memory of 5044 | 3472 | DllCommonsvc.exe | 75 | 2
PID 3472 wrote to memory of 5020 | 3472 | DllCommonsvc.exe | 76 | 2
PID 3472 wrote to memory of 4932 | 3472 | DllCommonsvc.exe | 79 | 2
PID 3472 wrote to memory of 4444 | 3472 | DllCommonsvc.exe | 83 | 2
PID 4444 wrote to memory of 4716 | 4444 | spoolsv.exe | 85 | 2
PID 4716 wrote to memory of 2632 | 4716 | cmd.exe | 87 | 2
PID 4716 wrote to memory of 4736 | 4716 | cmd.exe | 88 | 2
PID 4736 wrote to memory of 3316 | 4736 | spoolsv.exe | 89 | 2
PID 3316 wrote to memory of 2760 | 3316 | cmd.exe | 91 | 2
PID 3316 wrote to memory of 1292 | 3316 | cmd.exe | 92 | 2
PID 1292 wrote to memory of 4840 | 1292 | spoolsv.exe | 93 | 2
PID 4840 wrote to memory of 3892 | 4840 | cmd.exe | 95 | 2
PID 4840 wrote to memory of 376 | 4840 | cmd.exe | 96 | 2
PID 376 wrote to memory of 4764 | 376 | spoolsv.exe | 97 | 2
PID 4764 wrote to memory of 4908 | 4764 | cmd.exe | 99 | 2
PID 4764 wrote to memory of 4788 | 4764 | cmd.exe | 100 | 2
PID 4788 wrote to memory of 4320 | 4788 | spoolsv.exe | 101 | 2
PID 4320 wrote to memory of 4568 | 4320 | cmd.exe | 103 | 2
PID 4320 wrote to memory of 4308 | 4320 | cmd.exe | 104 | 2
PID 4308 wrote to memory of 1868 | 4308 | spoolsv.exe | 105 | 2
PID 1868 wrote to memory of 872 | 1868 | cmd.exe | 107 | 2
PID 1868 wrote to memory of 4456 | 1868 | cmd.exe | 108 | 2
PID 4456 wrote to memory of 220 | 4456 | spoolsv.exe | 109 | 2
PID 220 wrote to memory of 2180 | 220 | cmd.exe | 111 | 2
PID 220 wrote to memory of 1040 | 220 | cmd.exe | 112 | 2
PID 1040 wrote to memory of 2132 | 1040 | spoolsv.exe | 113 | 2
PID 2132 wrote to memory of 2392 | 2132 | cmd.exe | 115 | 2
PID 2132 wrote to memory of 4500 | 2132 | cmd.exe | 116 | 2
Processes
Process tree. "Level N" is the nesting depth shown in the report; each entry is a child of the nearest preceding entry one level up.

Level 1: C:\Users\Admin\AppData\Local\Temp\e63c7c92f46cbd081e9111934043b43bdf9b5444bf67c82d370e877611d5bd56.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e63c7c92f46cbd081e9111934043b43bdf9b5444bf67c82d370e877611d5bd56.exe"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2656

Level 2: C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - Suspicious use of WriteProcessMemory
  PID: 4784

Level 3: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 1568

Level 4: C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3472

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 5044

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 5020

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\ShellExperienceHost.exe'
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4932

Level 5: C:\providercommon\spoolsv.exe
  Command line: "C:\providercommon\spoolsv.exe"
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4444

Level 6: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat"
  - Suspicious use of WriteProcessMemory
  PID: 4716

Level 7: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2632

Level 7: C:\providercommon\spoolsv.exe
  Command line: "C:\providercommon\spoolsv.exe"
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4736

Level 8: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NpgWdIWSbT.bat"
  - Suspicious use of WriteProcessMemory
  PID: 3316

Level 9: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2760

Level 9: C:\providercommon\spoolsv.exe
  Command line: "C:\providercommon\spoolsv.exe"
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1292

Level 10: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat"
  - Suspicious use of WriteProcessMemory
  PID: 4840

Level 11: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3892

Level 11: C:\providercommon\spoolsv.exe
  Command line: "C:\providercommon\spoolsv.exe"
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 376

Level 12: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TdlfhXh7Yo.bat"
  - Suspicious use of WriteProcessMemory
  PID: 4764

Level 13: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4908

Level 13: C:\providercommon\spoolsv.exe
  Command line: "C:\providercommon\spoolsv.exe"
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4788

Level 14: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
  - Suspicious use of WriteProcessMemory
  PID: 4320

Level 15: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4568

Level 15: C:\providercommon\spoolsv.exe
  Command line: "C:\providercommon\spoolsv.exe"
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4308

Level 16: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1868

Level 17: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 872

Level 17: C:\providercommon\spoolsv.exe
  Command line: "C:\providercommon\spoolsv.exe"
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4456

Level 18: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat"
  - Suspicious use of WriteProcessMemory
  PID: 220

Level 19: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2180

Level 19: C:\providercommon\spoolsv.exe
  Command line: "C:\providercommon\spoolsv.exe"
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1040

Level 20: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NpgWdIWSbT.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2132

Level 21: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2392

Level 21: C:\providercommon\spoolsv.exe
  Command line: "C:\providercommon\spoolsv.exe"
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 4500

Level 22: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat"
  PID: 1848

Level 23: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4340

Level 23: C:\providercommon\spoolsv.exe
  Command line: "C:\providercommon\spoolsv.exe"
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 4356

Level 24: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat"
  PID: 1216

Level 25: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3820

Level 25: C:\providercommon\spoolsv.exe
  Command line: "C:\providercommon\spoolsv.exe"
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 4744

Level 26: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"
  PID: 4740

Level 27: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4716

Level 27: C:\providercommon\spoolsv.exe
  Command line: "C:\providercommon\spoolsv.exe"
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 2668

Level 28: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat"
  PID: 3896

Level 29: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2748

Level 29: C:\providercommon\spoolsv.exe
  Command line: "C:\providercommon\spoolsv.exe"
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 1400

Level 30: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat"
  PID: 4224

Level 31: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3912
Top-level schtasks.exe entries (parent reported as C:\Windows\system32\wbem\wmiprvse.exe in the Signatures section):

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\providercommon\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4240

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\odt\ShellExperienceHost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4204

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3716

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1948

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4308

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2616
Network
MITRE ATT&CK Enterprise v6
Downloads
Dropped/downloaded files by size and hash. Entries that appear more than once in the report with identical hashes are listed once, with the number of occurrences noted.

- Filesize: 3KB
  MD5: ad5cd538ca58cb28ede39c108acb5785
  SHA1: 1ae910026f3dbe90ed025e9e96ead2b5399be877
  SHA256: c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
  SHA512: c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

- Filesize: 1KB
  MD5: d63ff49d7c92016feb39812e4db10419
  SHA1: 2307d5e35ca9864ffefc93acf8573ea995ba189b
  SHA256: 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
  SHA512: 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

- Filesize: 1KB
  MD5: b8434b46a9fc311482dfa3ec2c6baf2f
  SHA1: ab925a9da43821ca31158f8ddbe682fbf4f96400
  SHA256: 23fe0033babdfe0c502df6de36685a5cdc5613086e222edc57f97a266ced8149
  SHA512: e6ff732fccc6a6444b298f68b6fc4045a6b2ecc73a40a171bac07224529615252a1a8fa4c50a29b1e6daabb34e14bac3845ad22f620e18ed7f684a54b6e3a1bc

- Filesize: 1KB
  MD5: 092012581b38cacd04073f0befea943a
  SHA1: 3ae45afb2d715f74dabd25d0c1036e2d1ab13d24
  SHA256: e4f55f299bd74de0c8da82b4ed70a87053a89a785b84c694ed4008bcad0b7d43
  SHA512: 4d305282639e627c7708b2fca9601d4c2436e213fe14a53452f76fc3407c12cc7590628e7ff2e589445ba9bd1cb03c4b210a52e320cbb6c123abff4115490873

- Filesize: 194B (listed twice)
  MD5: 6c522770f0c79d069de1ef041a2964db
  SHA1: 8302f36bf0b5bea9dca1c2a5a50961e56ecb0bb9
  SHA256: 5330e72eaf0a9be3b692900fcb82f271d9840ce64dd4bb9865edc749c2518a16
  SHA512: 8a0615cf2fcb3a0b321a26aaf9f9fce4d98f02d32e4abb904581761c85d4776aad2dab96b525e00a035d2715942d4989e68c089ce7e5c658c6300e209bbb7397

- Filesize: 194B
  MD5: 1858f84b7b73cfc217a383938d8a8150
  SHA1: f2d4f39c94b0536ce58c66de2907c4907d5bb56f
  SHA256: 605c285c4597920bdd8034383c15a5353364d6d196af343a454636d8f5963bdd
  SHA512: ab56ec1da589d522aa81592cbf78095f4eacdf4f327e7ed32af16595ab399680f08e604f59c4f6d2c43049e5dd7bef9184e443f8ab79b34c0437e268283218e7

- Filesize: 194B (listed twice)
  MD5: 29bd0125796fde2ef8132f8eaa217fd5
  SHA1: cc2fb831cce856f60686ddd3cfad627d6d66ab5a
  SHA256: afc15f23191d430539f609cbd398868e3e566708c6ea5b78a33ee2cedd22811c
  SHA512: 04d2037be4d85896697d7f82f467d84cb6ae23b2e6c45937062142f6eeba99b9c830b34b88eb6a2d4a5f5825e5ef520798cdb3ebc9f63218c73900b1131ff262

- Filesize: 194B
  MD5: 427255b2c8ddf096e6fddeadf31deb46
  SHA1: 42b5ae31fe33ff1e425a52b3f6f41a486028ba79
  SHA256: 1061f887ef79ad9264b63f7dc2a9a8f43e43ca9d5ae0e72fdeca55fca67c3b5b
  SHA512: 0aeab5b4f2ee270026bfbe5ba597004590daa7c357b702d6f2b97d3436eb299767ea412c94f00a43153f91211032f60c5b65acc844c031a631a6398a9cc82731

- Filesize: 194B
  MD5: d70f90efaef46f3a65e8705ee25b41cb
  SHA1: 18a7cb2ec46583c1e2dfba33479e19fa15c7035c
  SHA256: 1ae98bbc1b48d226920d540af178858d844041e6bea6ad8e2cc3199cb8d5a8b0
  SHA512: 972cc184972980fdc5aa119ca91cbf678a3eb35d2b719b032575ea2137dea86ee2af6b5569831ce74c77295de3c4762c3477469092f107e153db525f87e78754

- Filesize: 194B
  MD5: 053299379af7f320502094d4db361064
  SHA1: fb52af0a338f97f6b027396761289af1c47b05d9
  SHA256: b7e1d763d0da3815816fd79bb73aa384438802766c5e201cbe20d07d4146579b
  SHA512: 08fa30b721812ccd2a3311a91d538151e8d9b2fb738dcf4882f7879fc4488e0e2b5ce6aac5cadecc64c0c089d389013cfd703bc87be266a2e148a9685888764a

- Filesize: 194B
  MD5: dd60a0b180866a8990e9ce5e71e92014
  SHA1: 3426c79c42ce1955a807a8db0e7384367530e626
  SHA256: 251cdcb3fd8495edc3ccfa0e8032cbce872c9f88a1112cdab48cb869f7968fa9
  SHA512: df86fb1d2429a8c93a31cdc780c74c0e73b24fc12c43832afbccfab04e076686ef75eca186d048deaed35b7c262b414d2059595f54c236db30203fd711784e48

- Filesize: 194B
  MD5: f08ede0c3722e29faa90ee33271baf31
  SHA1: 187cf7178a9e86e74961dd5b7be0c6d304661453
  SHA256: 5aab7437fccad7c0382313275a43dee9c7ebfac13ecfaa02ea7133355c217be3
  SHA512: 260a22a20612fcd5f65bcbee0a5fddab647750df83f7a89bc43706d58d8ea701bc1f7c1d19531b884578084d1ccb4491efa9b533f38628692664bb23cb97cc16

- Filesize: 194B
  MD5: 0ea0d87ad435c307b8d9dd2b4d2cba51
  SHA1: 7bd4afcca773d72eaec8f535fb3e68cf5e632a4c
  SHA256: 57251a912d8124f8f558e5ae490378ab906f691d01e050dcf46f09fe6654f6af
  SHA512: d60efca0a133fa6e14e0fc08cbcc7758a2cfbe645b668177bdd5d6ed2f71761db13beb54488904481107ed4b6b898b7fedbd683d19dff31f0249b812fd21b158

- Filesize: 194B
  MD5: 7521031780c8016c32a493702821cffb
  SHA1: e68fe9f5735b775d225628c47dafff53607d5f54
  SHA256: 79d31363a5391f9379cdf62a97638a429387f99e36f7f599de3b52c434e420e6
  SHA512: f5d4305a3ad6367499b929cf9246bc8d97af8f3dabe7d2888b5694c3bce43d220914663a599186e1d97dd518f30a67d4c2956068940454061e44e75d285f2b19

- Filesize: 194B
  MD5: b32e168ee4749de589617064dc2c61db
  SHA1: 946988d13b9bd7d1875409555c9afbf97320aeb4
  SHA256: cf6521a7b24a76ad5d9ac4909ec54b9a9a222d5aaa3f63196b5c3bcc23df21df
  SHA512: 3c9081b2cd5817d34ba5af66a0808dbb3115c0b50b672dd36f3ef120003fd5f33ae37bf87d95a45e146d0112e1b95102647ffec1408b06e996e9f819cc42a78d

- Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

- Filesize: 1.0MB (listed 16 times)
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

- Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478