dcrat | cf594e8b9c1a2ee38fe944bbb73e50669f0a3cc2412bb4735f7322e6682719e7

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_cf594e8b9c1a2ee38fe944bbb73e50669f0a3cc2412bb4735f7322e6682719e7.exe
Size

1.3MB
MD5

ac8a9355b4602069a03c15c8090c8980
SHA1

dc45e49e97553152ffedd57f2968081d4af95d81
SHA256

cf594e8b9c1a2ee38fe944bbb73e50669f0a3cc2412bb4735f7322e6682719e7
SHA512

fb0f4c5edb4c157d7b851cb5045f476f1f2bb21ea8471b20f2524791e4ffaa7da1a9c17da2b7bc3783149891ab8964e76a277a52a099335636c21955dcd7a577
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2372	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2372	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2372	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2372	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2372	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2372	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2372	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2372	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2372	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000186c8-9.dat	dcrat
behavioral1/memory/2740-13-0x0000000001270000-0x0000000001380000-memory.dmp	dcrat
behavioral1/memory/2508-52-0x0000000000D00000-0x0000000000E10000-memory.dmp	dcrat
behavioral1/memory/1948-171-0x00000000001C0000-0x00000000002D0000-memory.dmp	dcrat
behavioral1/memory/544-231-0x0000000000A90000-0x0000000000BA0000-memory.dmp	dcrat
behavioral1/memory/772-291-0x0000000000AB0000-0x0000000000BC0000-memory.dmp	dcrat
behavioral1/memory/900-351-0x0000000000EE0000-0x0000000000FF0000-memory.dmp	dcrat
behavioral1/memory/604-411-0x0000000000300000-0x0000000000410000-memory.dmp	dcrat
behavioral1/memory/544-471-0x00000000008A0000-0x00000000009B0000-memory.dmp	dcrat
behavioral1/memory/1772-531-0x0000000000E80000-0x0000000000F90000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1912	powershell.exe
1228	powershell.exe
1116	powershell.exe
2872	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2740	DllCommonsvc.exe
2508	spoolsv.exe
1204	spoolsv.exe
1948	spoolsv.exe
544	spoolsv.exe
772	spoolsv.exe
900	spoolsv.exe
604	spoolsv.exe
544	spoolsv.exe
1772	spoolsv.exe
1652	spoolsv.exe
1584	spoolsv.exe
1316	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
2724	cmd.exe
2724	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
36	raw.githubusercontent.com
40	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\56085415360792	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\en-US\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Windows\en-US\spoolsv.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_cf594e8b9c1a2ee38fe944bbb73e50669f0a3cc2412bb4735f7322e6682719e7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
852	schtasks.exe
2704	schtasks.exe
2312	schtasks.exe
1424	schtasks.exe
2628	schtasks.exe
2648	schtasks.exe
2272	schtasks.exe
2720	schtasks.exe
2768	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2740	DllCommonsvc.exe
1116	powershell.exe
2872	powershell.exe
1228	powershell.exe
1912	powershell.exe
2508	spoolsv.exe
1204	spoolsv.exe
1948	spoolsv.exe
544	spoolsv.exe
772	spoolsv.exe
900	spoolsv.exe
604	spoolsv.exe
544	spoolsv.exe
1772	spoolsv.exe
1652	spoolsv.exe
1584	spoolsv.exe
1316	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	DllCommonsvc.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	1228	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	2508	spoolsv.exe
Token: SeDebugPrivilege	1204	spoolsv.exe
Token: SeDebugPrivilege	1948	spoolsv.exe
Token: SeDebugPrivilege	544	spoolsv.exe
Token: SeDebugPrivilege	772	spoolsv.exe
Token: SeDebugPrivilege	900	spoolsv.exe
Token: SeDebugPrivilege	604	spoolsv.exe
Token: SeDebugPrivilege	544	spoolsv.exe
Token: SeDebugPrivilege	1772	spoolsv.exe
Token: SeDebugPrivilege	1652	spoolsv.exe
Token: SeDebugPrivilege	1584	spoolsv.exe
Token: SeDebugPrivilege	1316	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2548	2580	JaffaCakes118_cf594e8b9c1a2ee38fe944bbb73e50669f0a3cc2412bb4735f7322e6682719e7.exe	30
PID 2580 wrote to memory of 2548	2580	JaffaCakes118_cf594e8b9c1a2ee38fe944bbb73e50669f0a3cc2412bb4735f7322e6682719e7.exe	30
PID 2580 wrote to memory of 2548	2580	JaffaCakes118_cf594e8b9c1a2ee38fe944bbb73e50669f0a3cc2412bb4735f7322e6682719e7.exe	30
PID 2580 wrote to memory of 2548	2580	JaffaCakes118_cf594e8b9c1a2ee38fe944bbb73e50669f0a3cc2412bb4735f7322e6682719e7.exe	30
PID 2548 wrote to memory of 2724	2548	WScript.exe	31
PID 2548 wrote to memory of 2724	2548	WScript.exe	31
PID 2548 wrote to memory of 2724	2548	WScript.exe	31
PID 2548 wrote to memory of 2724	2548	WScript.exe	31
PID 2724 wrote to memory of 2740	2724	cmd.exe	33
PID 2724 wrote to memory of 2740	2724	cmd.exe	33
PID 2724 wrote to memory of 2740	2724	cmd.exe	33
PID 2724 wrote to memory of 2740	2724	cmd.exe	33
PID 2740 wrote to memory of 1228	2740	DllCommonsvc.exe	44
PID 2740 wrote to memory of 1228	2740	DllCommonsvc.exe	44
PID 2740 wrote to memory of 1228	2740	DllCommonsvc.exe	44
PID 2740 wrote to memory of 1116	2740	DllCommonsvc.exe	45
PID 2740 wrote to memory of 1116	2740	DllCommonsvc.exe	45
PID 2740 wrote to memory of 1116	2740	DllCommonsvc.exe	45
PID 2740 wrote to memory of 1912	2740	DllCommonsvc.exe	46
PID 2740 wrote to memory of 1912	2740	DllCommonsvc.exe	46
PID 2740 wrote to memory of 1912	2740	DllCommonsvc.exe	46
PID 2740 wrote to memory of 2872	2740	DllCommonsvc.exe	47
PID 2740 wrote to memory of 2872	2740	DllCommonsvc.exe	47
PID 2740 wrote to memory of 2872	2740	DllCommonsvc.exe	47
PID 2740 wrote to memory of 1000	2740	DllCommonsvc.exe	52
PID 2740 wrote to memory of 1000	2740	DllCommonsvc.exe	52
PID 2740 wrote to memory of 1000	2740	DllCommonsvc.exe	52
PID 1000 wrote to memory of 2884	1000	cmd.exe	54
PID 1000 wrote to memory of 2884	1000	cmd.exe	54
PID 1000 wrote to memory of 2884	1000	cmd.exe	54
PID 1000 wrote to memory of 2508	1000	cmd.exe	56
PID 1000 wrote to memory of 2508	1000	cmd.exe	56
PID 1000 wrote to memory of 2508	1000	cmd.exe	56
PID 2508 wrote to memory of 2388	2508	spoolsv.exe	57
PID 2508 wrote to memory of 2388	2508	spoolsv.exe	57
PID 2508 wrote to memory of 2388	2508	spoolsv.exe	57
PID 2388 wrote to memory of 2240	2388	cmd.exe	59
PID 2388 wrote to memory of 2240	2388	cmd.exe	59
PID 2388 wrote to memory of 2240	2388	cmd.exe	59
PID 2388 wrote to memory of 1204	2388	cmd.exe	60
PID 2388 wrote to memory of 1204	2388	cmd.exe	60
PID 2388 wrote to memory of 1204	2388	cmd.exe	60
PID 1204 wrote to memory of 2864	1204	spoolsv.exe	61
PID 1204 wrote to memory of 2864	1204	spoolsv.exe	61
PID 1204 wrote to memory of 2864	1204	spoolsv.exe	61
PID 2864 wrote to memory of 2996	2864	cmd.exe	63
PID 2864 wrote to memory of 2996	2864	cmd.exe	63
PID 2864 wrote to memory of 2996	2864	cmd.exe	63
PID 2864 wrote to memory of 1948	2864	cmd.exe	64
PID 2864 wrote to memory of 1948	2864	cmd.exe	64
PID 2864 wrote to memory of 1948	2864	cmd.exe	64
PID 1948 wrote to memory of 1888	1948	spoolsv.exe	65
PID 1948 wrote to memory of 1888	1948	spoolsv.exe	65
PID 1948 wrote to memory of 1888	1948	spoolsv.exe	65
PID 1888 wrote to memory of 1692	1888	cmd.exe	67
PID 1888 wrote to memory of 1692	1888	cmd.exe	67
PID 1888 wrote to memory of 1692	1888	cmd.exe	67
PID 1888 wrote to memory of 544	1888	cmd.exe	68
PID 1888 wrote to memory of 544	1888	cmd.exe	68
PID 1888 wrote to memory of 544	1888	cmd.exe	68
PID 544 wrote to memory of 288	544	spoolsv.exe	69
PID 544 wrote to memory of 288	544	spoolsv.exe	69
PID 544 wrote to memory of 288	544	spoolsv.exe	69
PID 288 wrote to memory of 1608	288	cmd.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf594e8b9c1a2ee38fe944bbb73e50669f0a3cc2412bb4735f7322e6682719e7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf594e8b9c1a2ee38fe944bbb73e50669f0a3cc2412bb4735f7322e6682719e7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KlTIOvRnY0.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1000
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2884
      - C:\Windows\en-US\spoolsv.exe
        
        "C:\Windows\en-US\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IycQG8Pfyu.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2240
        
        C:\Windows\en-US\spoolsv.exe
        
        "C:\Windows\en-US\spoolsv.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVu5YTRuDT.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2996
        
        C:\Windows\en-US\spoolsv.exe
        
        "C:\Windows\en-US\spoolsv.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVu5YTRuDT.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1692
        
        C:\Windows\en-US\spoolsv.exe
        
        "C:\Windows\en-US\spoolsv.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:288
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1608
        
        C:\Windows\en-US\spoolsv.exe
        
        "C:\Windows\en-US\spoolsv.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat"
        15⤵
        
        PID:3056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2888
        
        C:\Windows\en-US\spoolsv.exe
        
        "C:\Windows\en-US\spoolsv.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat"
        17⤵
        
        PID:2072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2004
        
        C:\Windows\en-US\spoolsv.exe
        
        "C:\Windows\en-US\spoolsv.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yJyIm7wr5G.bat"
        19⤵
        
        PID:2520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2728
        
        C:\Windows\en-US\spoolsv.exe
        
        "C:\Windows\en-US\spoolsv.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat"
        21⤵
        
        PID:2680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1240
        
        C:\Windows\en-US\spoolsv.exe
        
        "C:\Windows\en-US\spoolsv.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yaFjl1awzE.bat"
        23⤵
        
        PID:2660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2804
        
        C:\Windows\en-US\spoolsv.exe
        
        "C:\Windows\en-US\spoolsv.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat"
        25⤵
        
        PID:648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:328
        
        C:\Windows\en-US\spoolsv.exe
        
        "C:\Windows\en-US\spoolsv.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5cWoBfSAzl.bat"
        27⤵
        
        PID:1604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2540
        
        C:\Windows\en-US\spoolsv.exe
        
        "C:\Windows\en-US\spoolsv.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d0e30c60efc5d59e1a2b0a5c86e02b0e

SHA1
e7a6b6afb582ef50049932468f0f7bdcbc8b5205

SHA256
dd3dd5be9edbcd6588614fc778e770ad47a0b5392d97ca9b5b1a7d9ed5fcb0fd

SHA512
b4fbb5b556d9828162703a6a8f693adf0c9ed232abbd2988701ccd4621e232f3b21d0a5c0d205cd2ce81759181953ecf7469f1365d722d03c10c39f7c0c4b51d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4cdf8d07d84a2795d6dd0ff6eb4494cf

SHA1
c25bc83b642efedca41bae78d92995fc1fe60e8a

SHA256
6bc880243d1adaca3adaa765e19899450475e793c3e341ba94e6ee7abd3762a3

SHA512
28a26fe18342fd8bed3bc7c9ba8e7037e49d733eaed379137ad6157a49c14145737cb3a999f2e070f80f81c41f94d69cfd4b4275d08a309c3a862f126f447d84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e70fd7be581aa2f7d4fe12e18e67a4f

SHA1
5b2c927c5285638c1582d185f4e6e1feb4fb7b56

SHA256
5015dd1d56a3eeecc9094c882a445a6c795b31bf9bb713ae6bbb4dfc391dbe53

SHA512
4af56023304a6be8c24729eb08224a513205aa3e8f1602fb231a6830f35e7f1409afc917bb83b14e5b1f7593dd8679ca6b8160499019ac5ca024128667bbc446

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c69d50d44e69e9d7a25026908b48861

SHA1
bf92339fba6b83626635a64f2a15738bed87f460

SHA256
6514edd0ec9b662cef799f064bd9265e34dff66df51bc52ee086f26c1dbed562

SHA512
facf47d222339f2321857b41040d879f40f31b2209691a510ccc00b35499611597825699f8dc15ffb24952198dafc6d54a31376639c8204247130fb0a47023c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb1534f1dc88c493e6ac43fdeaca2990

SHA1
2cae68da1c9b48db0e9aeba6d41a303c6407cac7

SHA256
2896c70b79eefc5ea4d851429ba24924bd1063a1ea4852beab02b3fd5d1573e2

SHA512
0dd8d177d8d9c6ccf1302c9ef8c0d209824dc1fb7d452a28472753be029afce0cd2c10d2ed6c9ffb0a31faeb2378cbd861865b6521c03ebb1716e31a3525b677

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13012db44da2f58e9be56501adf5e298

SHA1
07bbdeb0f9d0200d639c0a86f70a69fecf45f72c

SHA256
05ba1e45e4543011b066db3d4526ed9dfccb8150a0ef909faa014759a1461ae8

SHA512
2134c4c423e22004513429ab268395d7b56adde8e3d51b437c418209fd21ddf35bdc5fc86283742a0f2c1faa87aec8e5770dc87f0606b225ffce543d6ee8345f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b3718789bdf4ae561f449a0c97280e8

SHA1
c43293262f81386b31baf588622b2bb9e32b4cc9

SHA256
de4f88402f0afa50f069bcdaf52d127d02797bdacafdceb959e5c5844dd8068f

SHA512
523ff12b7e7613d4f846397b7d50002985464bd731112cc180bd66e14e2520b9a3fddf28a697d78aea1c8863cd417c954439194c95b47c4b4665cfb7a0457ad5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3738fe87af2b1847d74776e466754296

SHA1
553331e0903f8cd99e0c81d9e8ada344734bace1

SHA256
f8a52075d9a408397081495e60758458280fb17116c6c136cf6c5fa223b3887e

SHA512
886d9fd29075b387a246b4efd6bb9d9a05fd220464d243d4db316cb8dca3bc38d5929cad393d365a62989ec8f571c45b19d733d15d9339acec2f42a397ceb28e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a6f55f79f17a4a5e1513ee6aa55ad6b

SHA1
e6e8629b7939277f9e1b83561ce650d825f09bd4

SHA256
a25514ccdf5caec3e97914143f5bd6e6cd3c9d5ee003b04b27cc2a2a7db47a80

SHA512
af8a0c2c7886d56a7c1605ff1f418da309448bdd1d41a6c7ed8b2d3b6710573874afac0e78e11bef502e76c1d41e38a503d35ea6fb02a82c51c2f6e29fceb6fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e05ade077aa5caf7ce91ceabbb7dd033

SHA1
b08000e035df6a8c02d3fa4a89640d0f03834eeb

SHA256
f3ec052428eac76d83b98b75d1e3c501484d00ca515568d9ed805ab89ebd4007

SHA512
5d21ce424f87a537f67e8fa9a99dab0aa4e5fa0d2744dcd6f8690b3b69ab6fc196ff04c339947de408df50a3debf24674923f64008a61fd0acb94e2dae1f3e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat

Filesize
193B

MD5
48a035432ebde6a9f344ad24ab85a0f1

SHA1
882f6f5c2e04169a2379ae554dc01f10970d8eec

SHA256
79bcfa83f42a0639fbf8ce5a5ec6f12d7c8bd38a0778904844820b5fc0078b14

SHA512
7de338aff32757d2ddc4d80049436bc7710dd0a1f9eac2275fc0b918122cfe47ea2020330d813187989582742b152fb663c047bc507ad8e84646075818880204

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cWoBfSAzl.bat

Filesize
193B

MD5
6a4db12235fb26fc7eaf6359a7a27c21

SHA1
f16513427485f4d389c4a60af1baabea6864bf55

SHA256
a6d389eb6fd7292b27351c68e6ea041e2aefe64f7bdeb6fb242b6b0d2677121c

SHA512
a98e0eab65eeff14ce371eb23b40c67dfc5f979a22a3205d312769503161aaed58a71f26a27ca359ac75f71d9e6bd5798225c3a41aaa194caccf0b1f13c5cd32

Download Submit
C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat

Filesize
193B

MD5
61ac5664baf07ee2eaba66f0b50655a3

SHA1
4406919ccf7a9dab5d8b3883b106e2f545d022f6

SHA256
8f6f413b0c9a172a58b9f82b206710fb77ff1cbec7d6b8b9032ee6a614e97a8a

SHA512
12a3c07534e83089058b05d2e2f54ff468375d30ff4dbd298157f3d51fee90bee78ced80878425bdbd048dcbd64e12a38aef91f4beea615fd06063d4fa9689d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat

Filesize
193B

MD5
25099600413750a57d587461ce997e43

SHA1
d1c90575bd19ddf5dad497ee1bce138f782ac1c5

SHA256
2edef2df4d7ab8ab5a54c6aa76ed30e0f4aa4b95791709fa742b98c340af8804

SHA512
7e3deda12198f527c772f4dafc86b825711b1ba7d95880b07d685212e3c519d2f67ec075bb44b497b0523d17f769c7af4884ef293d02aa40be5b2d1e37cbaef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE487.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IycQG8Pfyu.bat

Filesize
193B

MD5
98ac4db6dfe18d36b27608fdd99f1b81

SHA1
019ca3c01c79ca71368fa72bbb95a29beff22f4d

SHA256
ce15e208a4967185cdff78ca6becd26266e9fc454ea91630cbd938c45e09572d

SHA512
d12e38131c8a7fca65b688a3fed4dcbdf889b94b7f12554a00f2648d3ff83175ce8af92f3cb4cd4737097aa03404f5d302902a941d04d8deebb691c3fb690de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KlTIOvRnY0.bat

Filesize
193B

MD5
e8d73ad27be3b87388654a583046f2a9

SHA1
b7582cb4b542730b64061e3a90d8cb8fdbe15fe4

SHA256
1270ce35334a5f138d6664fa18987b51b3326e3aa1e0095ad6fa3422c0aa07d4

SHA512
61ca9c0ec49128987a93abc6ae3cc20aa62da61395fc1443878c1a234e629c75a233dd68c1c6d67d45e070226ff2fccfda99b21e48bddc946229182d7106ff43

Download Submit
C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat

Filesize
193B

MD5
5f689a519f100703b7a91af202b304e0

SHA1
ecd3aa9a58eac041978e0b62640fa3ea7b4d6b26

SHA256
a93361240f95508508d53a4fa0139496c54dfd8546c30a03a5acf1e5d5e6fcb1

SHA512
f9d9601243fb9c32e6d137ef676af4ea3e978f91c3dea0ff7fe8a586e56a78e164b36463207b4312b58ea865e078762e74c655054d08db72a997e8cac764a9aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE4A9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat

Filesize
193B

MD5
a871e94b437b30b68e32b9a2569705d0

SHA1
0ef40eebee36f128158c4f71206760edde6b0ca9

SHA256
4e334cecbf365f934081a8ffa4acc53201ba78cb6154522c7179665a1206150f

SHA512
9f228e1ace7f3b9b0acbe2ed63f000a69771e9ac95ae7e7725eb435363726b381c267d73da45600549d656efde12beedb6e2960d9539726226e2aaee5b4889a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\iVu5YTRuDT.bat

Filesize
193B

MD5
88ac5faa4e4b6648fead567910eaeb92

SHA1
afe0df0b8302e4f2946729f9c92b9dee6964d8c0

SHA256
5620dbce7ea938e8582f333870f25140a6ba324977a65a2f557d70d0868dd3df

SHA512
c5db84c23cd993107d2140cdfcc9d4499e7df117e9ada7afe2ec3e906604cb3b3d3dd8168d2433805c8c2ada77aec13c4e94d37e2fcf9a8b5521d41bd830b387

Download Submit
C:\Users\Admin\AppData\Local\Temp\yJyIm7wr5G.bat

Filesize
193B

MD5
d34f7325522974a8ec5b3d84da65a256

SHA1
e9108d012eb54c0b3b3a2cbe468bd09b4efc0de3

SHA256
efb4907b46c8a432ff1f4f24ca69d4b6df3e98f64e88e69eeae530081ceb84ce

SHA512
27bae2e25a9b98099881011df37f4fec64d9bb4cc284e39ae91f60370ac1819019470cf6c1bd84ce7c18037516e70823bd78a014a87e76f04415d548e4376049

Download Submit
C:\Users\Admin\AppData\Local\Temp\yaFjl1awzE.bat

Filesize
193B

MD5
cbae17720577dc76f32f3a1d1eb3191e

SHA1
2a7d87805568b75ad68af20a3e410dc882b0e08e

SHA256
0efeb873f439b6fde0d1e02a1e160a734dde1c61cff897f7b529afbc001a97ff

SHA512
7fa3c9bbc13227cd29748e13055829be3e064c65769fcee094adb837921c74eb381a342dd4da7572ae23a2b3bd80f437c0c2fef0f1283e4b324746176b5c7af1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bf35a5ea05b7d3bc6ff74c3d3b460c05

SHA1
586a16acb9a186b722ee9e66b1c81bdaaa7cc1af

SHA256
6e9275fd0ac901bd6099abc1bf6e1a2c15ebeb5173feb5b5a80fe5e7b46262a4

SHA512
c0b8300aba3fff2d0115dbdb443573685648d71d5aed48a734fb72907b7da78538869d76a97479965b30ff4a39e2baaf1b7385d50bdb25745202866f814f78a6

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/544-471-0x00000000008A0000-0x00000000009B0000-memory.dmp

Filesize
1.1MB

Download
memory/544-231-0x0000000000A90000-0x0000000000BA0000-memory.dmp

Filesize
1.1MB

Download
memory/604-411-0x0000000000300000-0x0000000000410000-memory.dmp

Filesize
1.1MB

Download
memory/772-291-0x0000000000AB0000-0x0000000000BC0000-memory.dmp

Filesize
1.1MB

Download
memory/900-351-0x0000000000EE0000-0x0000000000FF0000-memory.dmp

Filesize
1.1MB

Download
memory/1116-40-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/1116-39-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/1204-111-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1584-651-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1772-531-0x0000000000E80000-0x0000000000F90000-memory.dmp

Filesize
1.1MB

Download
memory/1772-532-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/1948-171-0x00000000001C0000-0x00000000002D0000-memory.dmp

Filesize
1.1MB

Download
memory/2508-52-0x0000000000D00000-0x0000000000E10000-memory.dmp

Filesize
1.1MB

Download
memory/2740-17-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download
memory/2740-16-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download
memory/2740-15-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/2740-14-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2740-13-0x0000000001270000-0x0000000001380000-memory.dmp

Filesize
1.1MB

Download