dcrat | 3608c74f4bdd766f16c750a3bd6cd59c51589dc042b50f43a9825777d0d3718b

Analysis

max time kernel
145s
max time network
141s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3608c74f4bdd766f16c750a3bd6cd59c51589dc042b50f43a9825777d0d3718b.exe
Size

1.3MB
MD5

b28630f459427df4012a89f625c61425
SHA1

eb68d93d6bdb8ac70ff49ffc9d0e5beab68e924f
SHA256

3608c74f4bdd766f16c750a3bd6cd59c51589dc042b50f43a9825777d0d3718b
SHA512

580b4240e42b5bd501b85161f5c411443847348dd34c4ccf083fdb55ede1ada3459bdd812931cf925826e7679cf357bf6c18ff0e78c8b2bf13ffdc456194753d
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2688	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2688	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2688	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2688	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2688	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2688	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2688	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2688	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2688	schtasks.exe	33

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016be9-9.dat	dcrat
behavioral1/memory/2800-13-0x0000000000830000-0x0000000000940000-memory.dmp	dcrat
behavioral1/memory/2244-52-0x0000000000B80000-0x0000000000C90000-memory.dmp	dcrat
behavioral1/memory/2364-290-0x0000000000F40000-0x0000000001050000-memory.dmp	dcrat
behavioral1/memory/1972-350-0x0000000000230000-0x0000000000340000-memory.dmp	dcrat
behavioral1/memory/1376-410-0x0000000001020000-0x0000000001130000-memory.dmp	dcrat
behavioral1/memory/664-647-0x0000000001120000-0x0000000001230000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
484	powershell.exe
1656	powershell.exe
672	powershell.exe
300	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2800	DllCommonsvc.exe
2244	wininit.exe
1180	wininit.exe
1404	wininit.exe
1388	wininit.exe
2364	wininit.exe
1972	wininit.exe
1376	wininit.exe
2568	wininit.exe
2876	wininit.exe
1572	wininit.exe
664	wininit.exe
1764	wininit.exe

Loads dropped DLL 2 IoCs

pid	Process
2912	cmd.exe
2912	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
40	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
22	raw.githubusercontent.com
29	raw.githubusercontent.com
33	raw.githubusercontent.com
36	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\088424020bedd6	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\en-US\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\en-US\56085415360792	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3608c74f4bdd766f16c750a3bd6cd59c51589dc042b50f43a9825777d0d3718b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2520	schtasks.exe
2772	schtasks.exe
2664	schtasks.exe
2756	schtasks.exe
2160	schtasks.exe
2700	schtasks.exe
2704	schtasks.exe
2612	schtasks.exe
2328	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2800	DllCommonsvc.exe
1656	powershell.exe
672	powershell.exe
300	powershell.exe
484	powershell.exe
2244	wininit.exe
1180	wininit.exe
1404	wininit.exe
1388	wininit.exe
2364	wininit.exe
1972	wininit.exe
1376	wininit.exe
2568	wininit.exe
2876	wininit.exe
1572	wininit.exe
664	wininit.exe
1764	wininit.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	DllCommonsvc.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	672	powershell.exe
Token: SeDebugPrivilege	300	powershell.exe
Token: SeDebugPrivilege	484	powershell.exe
Token: SeDebugPrivilege	2244	wininit.exe
Token: SeDebugPrivilege	1180	wininit.exe
Token: SeDebugPrivilege	1404	wininit.exe
Token: SeDebugPrivilege	1388	wininit.exe
Token: SeDebugPrivilege	2364	wininit.exe
Token: SeDebugPrivilege	1972	wininit.exe
Token: SeDebugPrivilege	1376	wininit.exe
Token: SeDebugPrivilege	2568	wininit.exe
Token: SeDebugPrivilege	2876	wininit.exe
Token: SeDebugPrivilege	1572	wininit.exe
Token: SeDebugPrivilege	664	wininit.exe
Token: SeDebugPrivilege	1764	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2204	2604	JaffaCakes118_3608c74f4bdd766f16c750a3bd6cd59c51589dc042b50f43a9825777d0d3718b.exe	29
PID 2604 wrote to memory of 2204	2604	JaffaCakes118_3608c74f4bdd766f16c750a3bd6cd59c51589dc042b50f43a9825777d0d3718b.exe	29
PID 2604 wrote to memory of 2204	2604	JaffaCakes118_3608c74f4bdd766f16c750a3bd6cd59c51589dc042b50f43a9825777d0d3718b.exe	29
PID 2604 wrote to memory of 2204	2604	JaffaCakes118_3608c74f4bdd766f16c750a3bd6cd59c51589dc042b50f43a9825777d0d3718b.exe	29
PID 2204 wrote to memory of 2912	2204	WScript.exe	30
PID 2204 wrote to memory of 2912	2204	WScript.exe	30
PID 2204 wrote to memory of 2912	2204	WScript.exe	30
PID 2204 wrote to memory of 2912	2204	WScript.exe	30
PID 2912 wrote to memory of 2800	2912	cmd.exe	32
PID 2912 wrote to memory of 2800	2912	cmd.exe	32
PID 2912 wrote to memory of 2800	2912	cmd.exe	32
PID 2912 wrote to memory of 2800	2912	cmd.exe	32
PID 2800 wrote to memory of 484	2800	DllCommonsvc.exe	43
PID 2800 wrote to memory of 484	2800	DllCommonsvc.exe	43
PID 2800 wrote to memory of 484	2800	DllCommonsvc.exe	43
PID 2800 wrote to memory of 1656	2800	DllCommonsvc.exe	44
PID 2800 wrote to memory of 1656	2800	DllCommonsvc.exe	44
PID 2800 wrote to memory of 1656	2800	DllCommonsvc.exe	44
PID 2800 wrote to memory of 672	2800	DllCommonsvc.exe	45
PID 2800 wrote to memory of 672	2800	DllCommonsvc.exe	45
PID 2800 wrote to memory of 672	2800	DllCommonsvc.exe	45
PID 2800 wrote to memory of 300	2800	DllCommonsvc.exe	46
PID 2800 wrote to memory of 300	2800	DllCommonsvc.exe	46
PID 2800 wrote to memory of 300	2800	DllCommonsvc.exe	46
PID 2800 wrote to memory of 2376	2800	DllCommonsvc.exe	51
PID 2800 wrote to memory of 2376	2800	DllCommonsvc.exe	51
PID 2800 wrote to memory of 2376	2800	DllCommonsvc.exe	51
PID 2376 wrote to memory of 928	2376	cmd.exe	53
PID 2376 wrote to memory of 928	2376	cmd.exe	53
PID 2376 wrote to memory of 928	2376	cmd.exe	53
PID 2376 wrote to memory of 2244	2376	cmd.exe	54
PID 2376 wrote to memory of 2244	2376	cmd.exe	54
PID 2376 wrote to memory of 2244	2376	cmd.exe	54
PID 2244 wrote to memory of 2044	2244	wininit.exe	55
PID 2244 wrote to memory of 2044	2244	wininit.exe	55
PID 2244 wrote to memory of 2044	2244	wininit.exe	55
PID 2044 wrote to memory of 1980	2044	cmd.exe	57
PID 2044 wrote to memory of 1980	2044	cmd.exe	57
PID 2044 wrote to memory of 1980	2044	cmd.exe	57
PID 2044 wrote to memory of 1180	2044	cmd.exe	58
PID 2044 wrote to memory of 1180	2044	cmd.exe	58
PID 2044 wrote to memory of 1180	2044	cmd.exe	58
PID 1180 wrote to memory of 3044	1180	wininit.exe	59
PID 1180 wrote to memory of 3044	1180	wininit.exe	59
PID 1180 wrote to memory of 3044	1180	wininit.exe	59
PID 3044 wrote to memory of 2820	3044	cmd.exe	61
PID 3044 wrote to memory of 2820	3044	cmd.exe	61
PID 3044 wrote to memory of 2820	3044	cmd.exe	61
PID 3044 wrote to memory of 1404	3044	cmd.exe	62
PID 3044 wrote to memory of 1404	3044	cmd.exe	62
PID 3044 wrote to memory of 1404	3044	cmd.exe	62
PID 1404 wrote to memory of 1792	1404	wininit.exe	63
PID 1404 wrote to memory of 1792	1404	wininit.exe	63
PID 1404 wrote to memory of 1792	1404	wininit.exe	63
PID 1792 wrote to memory of 2644	1792	cmd.exe	65
PID 1792 wrote to memory of 2644	1792	cmd.exe	65
PID 1792 wrote to memory of 2644	1792	cmd.exe	65
PID 1792 wrote to memory of 1388	1792	cmd.exe	66
PID 1792 wrote to memory of 1388	1792	cmd.exe	66
PID 1792 wrote to memory of 1388	1792	cmd.exe	66
PID 1388 wrote to memory of 3064	1388	wininit.exe	67
PID 1388 wrote to memory of 3064	1388	wininit.exe	67
PID 1388 wrote to memory of 3064	1388	wininit.exe	67
PID 3064 wrote to memory of 2316	3064	cmd.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3608c74f4bdd766f16c750a3bd6cd59c51589dc042b50f43a9825777d0d3718b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3608c74f4bdd766f16c750a3bd6cd59c51589dc042b50f43a9825777d0d3718b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:300
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KlTIOvRnY0.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2376
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:928
      - C:\Windows\en-US\wininit.exe
        
        "C:\Windows\en-US\wininit.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1980
        
        C:\Windows\en-US\wininit.exe
        
        "C:\Windows\en-US\wininit.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yKdveU0JJ.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2820
        
        C:\Windows\en-US\wininit.exe
        
        "C:\Windows\en-US\wininit.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2644
        
        C:\Windows\en-US\wininit.exe
        
        "C:\Windows\en-US\wininit.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GN7B3lpeta.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2316
        
        C:\Windows\en-US\wininit.exe
        
        "C:\Windows\en-US\wininit.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat"
        15⤵
        
        PID:3032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2960
        
        C:\Windows\en-US\wininit.exe
        
        "C:\Windows\en-US\wininit.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat"
        17⤵
        
        PID:2988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1992
        
        C:\Windows\en-US\wininit.exe
        
        "C:\Windows\en-US\wininit.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVUt9EuWwA.bat"
        19⤵
        
        PID:1540
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1568
        
        C:\Windows\en-US\wininit.exe
        
        "C:\Windows\en-US\wininit.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qKN9Q7Smhq.bat"
        21⤵
        
        PID:2544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2420
        
        C:\Windows\en-US\wininit.exe
        
        "C:\Windows\en-US\wininit.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LgxiiauvsB.bat"
        23⤵
        
        PID:2984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1988
        
        C:\Windows\en-US\wininit.exe
        
        "C:\Windows\en-US\wininit.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\38MS6cfT7h.bat"
        25⤵
        
        PID:1092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:752
        
        C:\Windows\en-US\wininit.exe
        
        "C:\Windows\en-US\wininit.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YQG5KQjShu.bat"
        27⤵
        
        PID:2164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2416
        
        C:\Windows\en-US\wininit.exe
        
        "C:\Windows\en-US\wininit.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc40d0f2fd985e988d9cd1f402ec0701

SHA1
b900b242db628e71a30db86ce78b566de23c3fb2

SHA256
584269092bfaf18ee74b33f6d1d9f6e3ae9fefa44e6903688644bde638cfc294

SHA512
409370474a8bb85fa11ab853afdd17e5eea9ad6d942db4f563f1fa2554b27a88432e99b2ddc419622c1c5be88ba00afcd4d80f2e9f0eca315ff8e9ce6eb81c7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e05b0e71c1744aa03cb99f28cc628faa

SHA1
9da3b34ed05f84d5a0456b1eccb827e8f82b7bb6

SHA256
f1609cda838acedcabe2299f8403d5c6876d6c5c1248ecaf9d03f3f9c7edab5b

SHA512
ad103939d93385d5ab141c40fb6a26209a56d36e79ed0c799f2b7b26c3d6d5eb32be69a8646ad80b561b706dfdefc2ed8ab4ab2ad5afe58273c2712d766a189d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c2dd2114bd09e02fd119f6e3baef61d

SHA1
d34c9cf66bf43eed1ae67380bd800679e9d26559

SHA256
ff78ffff82d3dc3dfb82b683963d2a1490b67b8a7cd5290ff1be8255be178989

SHA512
9f5b4c376e252f15e26ecfe313535e340cc50ce2115b21082abe0e331bddc5ed3dbfc71c0b9fbbefdedf9bde3b99ffbdf6e59b312c4c58e872fe75801ea162b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e98e5681ef4b2cd942e931d0fbfb3ef4

SHA1
1fcab14fdb0317603235fb571de6c8c0a206fd76

SHA256
887b455c853dff2fba41fe4dc5a31e90fcfa811d7e92f2879629966053133540

SHA512
3d3d7f4610b4d1b0162e3cd9735e940364100ae5f8e82d091e37537ca1b1339ab69629becc13dcd9593708eceec4eebe5634813d1b4848125ae2672b5b9328cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
396d9ec2a3d48d4bae3771a2846b6e09

SHA1
2d7fed8713fb9e799aa9d147a3bc17c507cd8e6c

SHA256
12c8d7565d60fd09d10874fd4c1f7f22e225c8b4607838e256f6a9ee0c6181ce

SHA512
6a2ff61992976cdebd978ed143f2cdb25392ed43af5a3ddaf5ddf23b81f34e88170c87fa015a2a9b90f07cd4b45be529601ef03fa2cff535c317780c647249ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c15149351bf9573cd489c90f29aabd37

SHA1
35709f3b5831cb5785824347ccfd81d48f6d7e32

SHA256
d2b1a2dc6af5d095495d3b4716044cbb94661113cff9a5761db05e33f8003d3e

SHA512
97acdc8083c0040af36e6a95a75fa85f1f16714fdf7c30f9be1c657d6de2a234deb33aa6f80d3c5aaf6e0ff21298df06e8dc64072689e5ae5ad52d15673a7dc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16d1d530ed5f11c144bcad2ae1aa2281

SHA1
178e0c4cf137edea48b39ca9a463a67a56f3cd0a

SHA256
9c0fc8b0d4c90f98edad9e370348a49eb92a4542e1bd57c350778c21e57ca264

SHA512
42f039157574988de12748749c81c396c45cf31ae64c39f27d3de45fa83041c5d5e87cda5c8e633f0c3e44a2b287e48c91021894ac41d0c5bd8273442df22faa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f57ffe7cb9577eadb95d7a4fa129d12f

SHA1
ab758927f0a2cc257b00a2e589746cde30dea3c1

SHA256
ec1bf172c6d91832522786ad20c208175754d483345838943b4c974d4dacb8a4

SHA512
0426e1790620c16f5e793c53072cccf8322875a5737501fe6a78aaed4c1b6ab5d3e96808283fba093eb55311192f8858504dba751f0316446a0f479f0eb084e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce6e054f8cd10098055ed1209f5b23fc

SHA1
cca8bb93a1aabd8568242d8f01f791f390bf56ee

SHA256
c65f7bef319245cfe3b53cf22985d81ea3d871efc7e95ab50fc0a7d345f31b61

SHA512
53ac6c306d3434b6230921d98978b61ce9b2c3632ecf434693e4734814dd80c59ec9a8d0da4fb105a46ffcc567d3b815729bc734578d3cc26b2f61b5159ed2c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00919fbc739f2058e5e2d852a4470bc0

SHA1
52d41f42ccb88df7e74e923ac86e035208d7467a

SHA256
1e1092d075b7d41ea98b3630d36c41979f6b4362be1ac73c702fc441aa47984b

SHA512
ac0202b9c39d63167053fc2dbf0a5b8bc83f738fac14b017c33235530b3036b64e10367b7068dccdf1c9599af215199216cdd8919da7510dd2a9abffe1223adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\38MS6cfT7h.bat

Filesize
193B

MD5
f24a5ca75f4820e7b30737ca089368da

SHA1
414577435e42af24e76cab1dcb5c39ed0bb7da14

SHA256
ca5a1627c23dce7546d678478cfa90b90fc9721d01481b81ec9523bfcb369df8

SHA512
52d6e86b9d8bbb75f3f245f8e99cc28a9b68230784bcc682efb11ddfaba284a414e3f5aa92d31952862569cfb31adeec980a6eedc79103077a95b51d09c89866

Download Submit
C:\Users\Admin\AppData\Local\Temp\4yKdveU0JJ.bat

Filesize
193B

MD5
67b480fb444f549a228fec0e4ace5045

SHA1
45d2d77778e75abc8df849158f46d902567e42a5

SHA256
fe9d1cd67404e20991437c61153ceef11bdb96adcbbf125698979d07ece787be

SHA512
f118525caa798ac22cbbe34ab8112ee801fe7153b558b781c186f0f296991a8521a17861b32395034bb19278b1342bec7ea85f74a917c514dd5f0941538cd181

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat

Filesize
193B

MD5
5a01978081abd41109c9fa57fa36a8f9

SHA1
15e9778eb78adb0db787022e33fedea83b210b94

SHA256
09a95c44edb5227d6c48868c4124960e24df4d80f661d3c10d7a32fcb9090485

SHA512
aae17a28798e2ed5d03c1d8cb46c57a26b7219a6169fe7b6f1f331e4cf93f16e13caa54bd71dd01cde909076320f4c7284ab4c89007278109773ef826631261c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat

Filesize
193B

MD5
44154faca8730183f03588078b96bca2

SHA1
b64da4fade0e58f2526f7604ec54b1125d245017

SHA256
756ad47b2519eafb6bc5e851d31bc9d045d2bc7e49b0ffb55ac3f932184ef533

SHA512
976dc48381a21a0d245a765b93328764f98f65d6d1f7a589a81f7921bf48280662b1ed6fca26a4e491c2782a16599b3e0cf5251333736e49a0ebdc85d58e523d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3E1B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat

Filesize
193B

MD5
6632d314d563158a8d8446e157e928fb

SHA1
5245c4420d1fbeccc262f079ea80140258d7abd1

SHA256
03408aea71ade7011da19474e42399050e9a94fffdb30eac6727b01a2b4ddcc9

SHA512
af0d37600753f80bc9f6247235b1fe202a79d8ef8a1e3fc50e7b1a4ac3ced63fd7aa11a5efcb6134699357b12d5bc011228dde2f31aad416a7e61673987b639a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GN7B3lpeta.bat

Filesize
193B

MD5
3f1f29065158d2f6c7c3b418ef4804b6

SHA1
86e38f8962763a9bd0f6d6e0e0b8d58ead61f299

SHA256
8f359394c99ab2cb4838b6a130ddc3cce3352453996bdc1981d6cc0787add0cd

SHA512
1e4ae936d522d1ef356e037c3ba3b6a742ebb2af75999f6b5f05894e167f1be4e6b7e6ea814a9fc881b4be89d1f8f7342c5ee53272af3b82b468e6daf4fe4a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\KlTIOvRnY0.bat

Filesize
193B

MD5
329d0f42e46585e14719da1f5fcf11d6

SHA1
d30c6113bfd0bed5779a80ed4337b013994ebd07

SHA256
4de6a6365a2aa0ebf719f25a72d4143537a60e7ab4b563b6f33550f5700f4958

SHA512
f9b4f2b094c5a9c0b39e14c88f571fec5aa5c23d0bff91792c2555bbe010df37a0c69e15943a8877732156cbaa238e3c219e1e3ec8f1dfddd55103c28a9b976a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgxiiauvsB.bat

Filesize
193B

MD5
2f5907e607f7b7d00604f655b9f5cc5b

SHA1
6c899a97515de7c8c90390dde915d968e14b47ff

SHA256
e12f99c550aa782451475f0f740e7b8861c3d4ae9ea99c5e3ee8a5f5665b3f9b

SHA512
3b6a24d8d4264ddd1140af18add7ac0a904cae60a7beac046582bcda5aee61b7394fa15d3c155946f4048b548bc2f3484c1018526e30c87dda2fb530b4e9e3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3E1E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQG5KQjShu.bat

Filesize
193B

MD5
9d8e4c0e08add4b3f3d42579f449d173

SHA1
35659f19788e66eb67c5326e96bbfc0a9f425c32

SHA256
cded01200a25df9557f139ccc5799ea0419b0230a121d71327d93d28bd48909a

SHA512
f579a4c085810d6f57269da7cddde3d4c769d1d92670b1b9617c628649ff96d1cf48324f0f86f4d939bfa7a5d5a9b9bc9d34e09bbb724e035718ec5bc58daf78

Download Submit
C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat

Filesize
193B

MD5
fbcfca83f7cdc2c8541831e7ca10f76b

SHA1
285915c125b197706a82f4b0d9eaacc2b534bbd9

SHA256
afb780831225483a82f9bcf142f52a7ddd1d84b02626666be9f456a7923e4df5

SHA512
008d686db2f23d7acdadb9fbf8dff944ce87ff2ca5ac1e8fe6c7bbc5d9155b63efa3b2e2e18b4c324bde52c0007f2b3cc341a199ae4e6ab31278ec86a90f1852

Download Submit
C:\Users\Admin\AppData\Local\Temp\qKN9Q7Smhq.bat

Filesize
193B

MD5
df3ef722eb7311bf345d160cb3477f28

SHA1
f5ec02bacadc2315ba38c77a1f9ff961366a0056

SHA256
76e34aca5c3075847cb67f77526db7b0544c58b7f49ca08f6c6570470a98ed6a

SHA512
97d60602da4432065e5b88f9bdff17e7c627fc64bb42b7ad110fc7b889f7c2c02f97c120a158f2dbd31951a77947c33c4602e9e7ea02f87714e545c3afad285c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uVUt9EuWwA.bat

Filesize
193B

MD5
72d1d5777c30ddfc91fb353e8bde5864

SHA1
464f2d430203a62ca3676d73be1bc0d8115d95ae

SHA256
2176028f77be59eadbf083df190b5abde248e451410376d43b47454cab5b9309

SHA512
735361a6328f54d19ce7d04c78a6b8d7ce11fe8b7ee7654525bc0a9eaed94392df438b0f14d48a7b25fa6dc5b262d3296e54468d3f905c6bfc6baff945e5603b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4230cc672ae97c43434866264e27290d

SHA1
cf21b887a6b3751730c49817d954de0b8d298375

SHA256
dab1b2cc992cf39903688a545fdfca283b65f42ca47738549c609becfcee8a2b

SHA512
adbfe185fa2bf2b4ddd6fab664bd6c50a64840132200bd69f68389de0496a9c70fc3804cfbffb3b4c84306f19b88f2b6c829da361c3578792f73a598e5fbb1ed

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/300-48-0x000000001B450000-0x000000001B732000-memory.dmp

Filesize
2.9MB

Download
memory/664-647-0x0000000001120000-0x0000000001230000-memory.dmp

Filesize
1.1MB

Download
memory/1376-410-0x0000000001020000-0x0000000001130000-memory.dmp

Filesize
1.1MB

Download
memory/1388-230-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/1404-170-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/1656-47-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/1972-350-0x0000000000230000-0x0000000000340000-memory.dmp

Filesize
1.1MB

Download
memory/2244-52-0x0000000000B80000-0x0000000000C90000-memory.dmp

Filesize
1.1MB

Download
memory/2364-290-0x0000000000F40000-0x0000000001050000-memory.dmp

Filesize
1.1MB

Download
memory/2800-17-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/2800-16-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/2800-15-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2800-14-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2800-13-0x0000000000830000-0x0000000000940000-memory.dmp

Filesize
1.1MB

Download