dcrat | 65063fcd5a9010a706580e11f6abf886a45fa6dd15743bdc41a49b1f9ac5761a

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8fd8ab8d6bffd83d24ec8c669958653.exe
Size

1.5MB
MD5

b8fd8ab8d6bffd83d24ec8c669958653
SHA1

7cf5979b3d3aa0a10d595f9a9db286b689a2d167
SHA256

65063fcd5a9010a706580e11f6abf886a45fa6dd15743bdc41a49b1f9ac5761a
SHA512

b258de30aebe40dd80112011827e23c569c776e90c79fb4d00ac25760c4ce9344d6f5104d9f79d78ea8884fb53b25ced0a12f1df5d4a232057686422611afb4a
SSDEEP

24576:U2G/nvxW3Ww0t6kS6gR4zPK3r0Y2bpq5vbf4w8IzRII4Wa6gSqJ8S:UbA306DRcIruWf7RII2vS+r

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	1320	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	1320	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	1320	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	1320	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	1320	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	1320	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	1320	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	1320	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	1320	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c82-10.dat	dcrat
behavioral2/memory/1632-13-0x0000000000F00000-0x0000000001036000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	serverperf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	b8fd8ab8d6bffd83d24ec8c669958653.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	spoolsv.exe

Executes dropped EXE 15 IoCs

pid	Process
1632	serverperf.exe
2428	spoolsv.exe
1624	spoolsv.exe
216	spoolsv.exe
4536	spoolsv.exe
2756	spoolsv.exe
2964	spoolsv.exe
2748	spoolsv.exe
1980	spoolsv.exe
2476	spoolsv.exe
1240	spoolsv.exe
2992	spoolsv.exe
1020	spoolsv.exe
3624	spoolsv.exe
4452	spoolsv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
25	pastebin.com
43	pastebin.com
48	pastebin.com
55	pastebin.com
56	pastebin.com
24	pastebin.com
42	pastebin.com
49	pastebin.com
59	pastebin.com
33	pastebin.com
47	pastebin.com
57	pastebin.com
58	pastebin.com
60	pastebin.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\TextInputHost.exe	serverperf.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\TextInputHost.exe	serverperf.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\22eafd247d37c3	serverperf.exe
File created	C:\Program Files\Microsoft Office\spoolsv.exe	serverperf.exe
File created	C:\Program Files\Microsoft Office\f3b6ecef712a24	serverperf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8fd8ab8d6bffd83d24ec8c669958653.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	serverperf.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	b8fd8ab8d6bffd83d24ec8c669958653.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	spoolsv.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2620	schtasks.exe
1148	schtasks.exe
1652	schtasks.exe
3676	schtasks.exe
1584	schtasks.exe
3244	schtasks.exe
4924	schtasks.exe
3272	schtasks.exe
4244	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1632	serverperf.exe
1632	serverperf.exe
1632	serverperf.exe
2428	spoolsv.exe
1624	spoolsv.exe
216	spoolsv.exe
4536	spoolsv.exe
2756	spoolsv.exe
2964	spoolsv.exe
2748	spoolsv.exe
1980	spoolsv.exe
2476	spoolsv.exe
1240	spoolsv.exe
2992	spoolsv.exe
1020	spoolsv.exe
3624	spoolsv.exe
4452	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1632	serverperf.exe
Token: SeDebugPrivilege	2428	spoolsv.exe
Token: SeDebugPrivilege	1624	spoolsv.exe
Token: SeDebugPrivilege	216	spoolsv.exe
Token: SeDebugPrivilege	4536	spoolsv.exe
Token: SeDebugPrivilege	2756	spoolsv.exe
Token: SeDebugPrivilege	2964	spoolsv.exe
Token: SeDebugPrivilege	2748	spoolsv.exe
Token: SeDebugPrivilege	1980	spoolsv.exe
Token: SeDebugPrivilege	2476	spoolsv.exe
Token: SeDebugPrivilege	1240	spoolsv.exe
Token: SeDebugPrivilege	2992	spoolsv.exe
Token: SeDebugPrivilege	1020	spoolsv.exe
Token: SeDebugPrivilege	3624	spoolsv.exe
Token: SeDebugPrivilege	4452	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 3492	2240	b8fd8ab8d6bffd83d24ec8c669958653.exe	83
PID 2240 wrote to memory of 3492	2240	b8fd8ab8d6bffd83d24ec8c669958653.exe	83
PID 2240 wrote to memory of 3492	2240	b8fd8ab8d6bffd83d24ec8c669958653.exe	83
PID 3492 wrote to memory of 2184	3492	WScript.exe	85
PID 3492 wrote to memory of 2184	3492	WScript.exe	85
PID 3492 wrote to memory of 2184	3492	WScript.exe	85
PID 2184 wrote to memory of 1632	2184	cmd.exe	87
PID 2184 wrote to memory of 1632	2184	cmd.exe	87
PID 1632 wrote to memory of 1756	1632	serverperf.exe	101
PID 1632 wrote to memory of 1756	1632	serverperf.exe	101
PID 1756 wrote to memory of 3628	1756	cmd.exe	103
PID 1756 wrote to memory of 3628	1756	cmd.exe	103
PID 1756 wrote to memory of 2428	1756	cmd.exe	110
PID 1756 wrote to memory of 2428	1756	cmd.exe	110
PID 2428 wrote to memory of 3904	2428	spoolsv.exe	116
PID 2428 wrote to memory of 3904	2428	spoolsv.exe	116
PID 3904 wrote to memory of 3620	3904	cmd.exe	118
PID 3904 wrote to memory of 3620	3904	cmd.exe	118
PID 3904 wrote to memory of 1624	3904	cmd.exe	120
PID 3904 wrote to memory of 1624	3904	cmd.exe	120
PID 1624 wrote to memory of 3928	1624	spoolsv.exe	126
PID 1624 wrote to memory of 3928	1624	spoolsv.exe	126
PID 3928 wrote to memory of 2272	3928	cmd.exe	128
PID 3928 wrote to memory of 2272	3928	cmd.exe	128
PID 3928 wrote to memory of 216	3928	cmd.exe	131
PID 3928 wrote to memory of 216	3928	cmd.exe	131
PID 216 wrote to memory of 540	216	spoolsv.exe	135
PID 216 wrote to memory of 540	216	spoolsv.exe	135
PID 540 wrote to memory of 4292	540	cmd.exe	137
PID 540 wrote to memory of 4292	540	cmd.exe	137
PID 540 wrote to memory of 4536	540	cmd.exe	139
PID 540 wrote to memory of 4536	540	cmd.exe	139
PID 4536 wrote to memory of 2024	4536	spoolsv.exe	142
PID 4536 wrote to memory of 2024	4536	spoolsv.exe	142
PID 2024 wrote to memory of 4916	2024	cmd.exe	144
PID 2024 wrote to memory of 4916	2024	cmd.exe	144
PID 2024 wrote to memory of 2756	2024	cmd.exe	147
PID 2024 wrote to memory of 2756	2024	cmd.exe	147
PID 2756 wrote to memory of 5104	2756	spoolsv.exe	151
PID 2756 wrote to memory of 5104	2756	spoolsv.exe	151
PID 5104 wrote to memory of 1348	5104	cmd.exe	153
PID 5104 wrote to memory of 1348	5104	cmd.exe	153
PID 5104 wrote to memory of 2964	5104	cmd.exe	155
PID 5104 wrote to memory of 2964	5104	cmd.exe	155
PID 2964 wrote to memory of 4628	2964	spoolsv.exe	158
PID 2964 wrote to memory of 4628	2964	spoolsv.exe	158
PID 4628 wrote to memory of 1812	4628	cmd.exe	160
PID 4628 wrote to memory of 1812	4628	cmd.exe	160
PID 4628 wrote to memory of 2748	4628	cmd.exe	162
PID 4628 wrote to memory of 2748	4628	cmd.exe	162
PID 2748 wrote to memory of 1824	2748	spoolsv.exe	166
PID 2748 wrote to memory of 1824	2748	spoolsv.exe	166
PID 1824 wrote to memory of 2184	1824	cmd.exe	168
PID 1824 wrote to memory of 2184	1824	cmd.exe	168
PID 1824 wrote to memory of 1980	1824	cmd.exe	170
PID 1824 wrote to memory of 1980	1824	cmd.exe	170
PID 1980 wrote to memory of 1056	1980	spoolsv.exe	173
PID 1980 wrote to memory of 1056	1980	spoolsv.exe	173
PID 1056 wrote to memory of 2252	1056	cmd.exe	175
PID 1056 wrote to memory of 2252	1056	cmd.exe	175
PID 1056 wrote to memory of 2476	1056	cmd.exe	177
PID 1056 wrote to memory of 2476	1056	cmd.exe	177
PID 2476 wrote to memory of 512	2476	spoolsv.exe	180
PID 2476 wrote to memory of 512	2476	spoolsv.exe	180

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b8fd8ab8d6bffd83d24ec8c669958653.exe
"C:\Users\Admin\AppData\Local\Temp\b8fd8ab8d6bffd83d24ec8c669958653.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\refhostperf\YDUzd2DburnkxzGba.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\refhostperf\24yvIrFqc9yigx6x0kwB7b7gqXz7Pn.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\refhostperf\serverperf.exe
      "C:\refhostperf\serverperf.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1632
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\90GaWBlSGQ.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1756
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3628
      - C:\Program Files\Microsoft Office\spoolsv.exe
        
        "C:\Program Files\Microsoft Office\spoolsv.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QwDZd8tkMK.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3620
        
        C:\Program Files\Microsoft Office\spoolsv.exe
        
        "C:\Program Files\Microsoft Office\spoolsv.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2272
        
        C:\Program Files\Microsoft Office\spoolsv.exe
        
        "C:\Program Files\Microsoft Office\spoolsv.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4292
        
        C:\Program Files\Microsoft Office\spoolsv.exe
        
        "C:\Program Files\Microsoft Office\spoolsv.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:4916
        
        C:\Program Files\Microsoft Office\spoolsv.exe
        
        "C:\Program Files\Microsoft Office\spoolsv.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBiR4PpyYA.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1348
        
        C:\Program Files\Microsoft Office\spoolsv.exe
        
        "C:\Program Files\Microsoft Office\spoolsv.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1812
        
        C:\Program Files\Microsoft Office\spoolsv.exe
        
        "C:\Program Files\Microsoft Office\spoolsv.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jhJpXqSaXt.bat"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2184
        
        C:\Program Files\Microsoft Office\spoolsv.exe
        
        "C:\Program Files\Microsoft Office\spoolsv.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat"
        21⤵
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2252
        
        C:\Program Files\Microsoft Office\spoolsv.exe
        
        "C:\Program Files\Microsoft Office\spoolsv.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pdW26R6SPG.bat"
        23⤵
        
        PID:512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3800
        
        C:\Program Files\Microsoft Office\spoolsv.exe
        
        "C:\Program Files\Microsoft Office\spoolsv.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat"
        25⤵
        
        PID:3108
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2776
        
        C:\Program Files\Microsoft Office\spoolsv.exe
        
        "C:\Program Files\Microsoft Office\spoolsv.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G2aNa3Lme8.bat"
        27⤵
        
        PID:880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:4616
        
        C:\Program Files\Microsoft Office\spoolsv.exe
        
        "C:\Program Files\Microsoft Office\spoolsv.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lcLsEvVTrf.bat"
        29⤵
        
        PID:3040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:4796
        
        C:\Program Files\Microsoft Office\spoolsv.exe
        
        "C:\Program Files\Microsoft Office\spoolsv.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat"
        31⤵
        
        PID:5076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:4184
        
        C:\Program Files\Microsoft Office\spoolsv.exe
        
        "C:\Program Files\Microsoft Office\spoolsv.exe"
        32⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat

Filesize
210B

MD5
6dbe5bb34cf93d91c99a7a05008126aa

SHA1
41449a8a94a38a25b0ad33283b687aaeb72cceff

SHA256
e5f7d05ec2b95515383ddbd1d123e87fa7762cb0236c126227e7b7841dbb61f0

SHA512
7e22c75784383b39b0b3022a68afc434732a88b8c1a73d65812b9ab0a23dcaf25b06d2ed268ccf130efac7515f86893b8c95a06b38d27239379d504132583ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat

Filesize
210B

MD5
3dc307b7e7284f88fbd556ee6d039fe5

SHA1
baa906cba48e5f49cbb83dd52fa006979cde6c6f

SHA256
0b87cbb9d372f63fc94170672a16f89482415cf9a2d5b420054541ed58640b4a

SHA512
ed91310ac43501d7e62075c006395e1ecb9b9b49d89549cd19e61b5f426308f619381db8e9bb0f0546fbfb1e34888ca63017decb2e5cd93ec8616be49d9249d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\90GaWBlSGQ.bat

Filesize
210B

MD5
bec08eef36b8f53b0d69cdc07db40267

SHA1
c942c4ab1f8ab075f4b0643cdc35c0a1c3e287f0

SHA256
a42341fd74886760e3aaa90c23f126c12659d8cccf7489129a27f747c4227167

SHA512
ff0ba9412a770986aa2bc919409d72ce9cfcd9890384cce603dd4e4a11d9e14a88d7f93da2dd7321b7063293eebc3311b30b66a24c28d33d922d089a265a4582

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBiR4PpyYA.bat

Filesize
210B

MD5
32de3cbce2cae8fbe25e91b6b194a9d7

SHA1
18aa67cdaa3277df407cc2734051044f791ecaf5

SHA256
491a0868e359c314d75a69441190b3637f7c4f7238791df47b90e1c58bc45277

SHA512
b0e128b8ca38e602cdbc533ac84417d19f49b6a6b93a5a08adfa1b96a4302782ef2a03077d18fa31f92003d09b390e7c7810362f5abe1635ff3b91ed6f70e3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\G2aNa3Lme8.bat

Filesize
210B

MD5
ed0c3a7f3da8bb4207e3fd4745a4be64

SHA1
a21a993c33e80dc145429776cb0c2fc4d95199b5

SHA256
2cfc499f22977d3f97a3aecfdb19711a7279b1a6bb9564f4d1f443e795af5fab

SHA512
d469618d5ef247a1a8ec2f4e2a3dcd589e576d1d8c352b372d329a69fdfcaa2736dbb106e87cf04aebbbd3e2e210629717261ec639c14398c11b4e8386a36df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat

Filesize
210B

MD5
9fbafb83a10994bc5b5cdae8f0640389

SHA1
3aa9f3b61907baba1680eb7cc2681c7b25cd7a21

SHA256
4746357ff499206e80a0a501856920a83bbabc5cf2761be57cd8b51fd82b4602

SHA512
327fb372d7389cc5fb1d18132a016f8f4fe0f3a3ad63dcc8de6f387f034f15e1035505e18578f3eb00aa0660b62610e11b2d466a88b49f350d31735b78fe4c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwDZd8tkMK.bat

Filesize
210B

MD5
d99f5917c05ccedcf681aa19c55ed5c3

SHA1
1e85854c370b8a85c1b43056fda48df6b294b054

SHA256
ade1c724f1d7a1056caff758c3455e8c77143f27c4ae8ef36029aab2f3f30fcb

SHA512
20f4dadf2403d14eb0c19ede0ab5be1488a0d435ba7a6e03f9b34b87c19b4cd89836b66850cacccee7bb20cc8e2229debecf1a0377980adc5167ed0dea9371c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat

Filesize
210B

MD5
1311268da1d561d1af44684bf9b2c069

SHA1
b4f2aa470ae9b0e0afe41b90f7172e48dc1343a5

SHA256
5aa4d28186b96620f8ec75e5af6a2394f289cd1d6fc0a404c94d5a8d3fdc3e0f

SHA512
d0ff46102fa80b32b4c170ae8df4e3bcf4024fd22d0a5460302fa84cb23cb5ae7240a7a2639a2c248de953e8c3635fe0ca3c7f4cb57f818d2029439e615ea873

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhJpXqSaXt.bat

Filesize
210B

MD5
8bc0a5ad648861bb95f6cbbbc46c80a4

SHA1
c130b0def502343df53052d96792d46c865680c1

SHA256
dd3b367a0052e0892d03967d7b74d60bad0b1b80cae7002c3704d73df027ef23

SHA512
1ce803ed80d42a54756b4e928e020d9ed1df129e139578d84117ea7d8f1d5282d4545ebf1b5cec67cf99561060414650236286e9ae81a7e0e7f9b56a91bbe3bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcLsEvVTrf.bat

Filesize
210B

MD5
453a00d71bf0c6c72d292178e060fd4e

SHA1
f3d7951445aac278c348041d1d3079a549b14a21

SHA256
9b4ee16d2df67defede7ad7eb045f9c89d53fdac78adeffe6747e98123692014

SHA512
ab92007b016416e60f581c810891b309b737ee0cbe7be1a2658206318f2dd4705ba5ba4a54dd0a5713e23ed0e0f04b0ee7186a0a4be47b42967b8ed241670fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat

Filesize
210B

MD5
a9de80d33b318ce4b8903a182941f4cf

SHA1
9a7b7697985ad688ec4b3fc5ff2932c6d319dfe4

SHA256
715f5f1e416546536a68b6fc301e851f66532ef2d9198781d04c0106865d7e63

SHA512
d36f86c13ea2c6e5712f5a079d35a796196b0b1a1d12215accc5a311b047de1a31f8dc7b7c71278344072dc5ea8f733ab73608ec7e20d6621991f7f32c2356c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdW26R6SPG.bat

Filesize
210B

MD5
51a1c9a7e4f0d58bb4cf52f0c042ae37

SHA1
b26247063a5e450d996b0b8267ed2df1954dc345

SHA256
6593ec83b14eea666d17288a7cc9a2600e829326fd44a38ce8409f590e1a6291

SHA512
44897fd61e993a3055e6019f7032059b5086433b30f234dd21b4e26e8c897daf35a98a3144ee5ff4d4526f1736d291950d43a07eb7525ca54fdaa5c2beafc962

Download Submit
C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat

Filesize
210B

MD5
afd561eb7ec102be5c2b5f4422d67081

SHA1
11cb0e50d55fe9f9d5063d168087db0b20acffe1

SHA256
334a6dad16e4106d5702f06972f18ae30483b76b78e402167b7ea5310c41c826

SHA512
411e933f0b25c926c01830a8cabee537af833b1c9d0c8ed9f14e6d3d0d59d142dae7be08eda06af292f4a2461fd0870943ead03d9fb4d3c81481c498f07b0e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat

Filesize
210B

MD5
2a84a8d7236f466e6a6c8bc51873a4bc

SHA1
3fc03a467399ccc18fc6edc85382be8b6425dde1

SHA256
f1bfbb487eb185db6793f2f480f6529657359381b442fdcccba12b742b478562

SHA512
6042f9e091c106f73a9a3d9b2be740ec168edac489fe104cf5cc035ebae43293a93f71f788b1990b7fbf0f40028514a2ced41fdd2549170a5f06aedb6e50fbb8

Download Submit
C:\refhostperf\24yvIrFqc9yigx6x0kwB7b7gqXz7Pn.bat

Filesize
31B

MD5
659397b18711665774947ed6189e91ae

SHA1
73006ef2a02a72132f180e873324e8a6e4c593df

SHA256
a939eb9c97b5aad7a4aa9cc522e93a81399fffc03b7536f603175a90d3fc6130

SHA512
f68315f1f2aad292176dc1f845da4fa4acb59bedf4f446130edc73481bf6bcc2e765258fbc558b1b3b3a08590e25e6937e9046adf4f00eb2afbb172646298c30

Download Submit
C:\refhostperf\YDUzd2DburnkxzGba.vbe

Filesize
218B

MD5
693da7c1e4c7e39bb88041ca03bbf61e

SHA1
87ff5e77258e4ff5833a04ce4168d287510d32d6

SHA256
3ea997020623cbd40f68cff156f5ede16b0a4c2418b07ee5dacf64770a7fff99

SHA512
f64a9f10099e9cc009160ead27a6c6420a78a7265ffeb754fc3819f418bc02ccea0be2c3b24dd9849b90a7423e850ae4fb5253958ccd5cc92867e094508da837

Download Submit
C:\refhostperf\serverperf.exe

Filesize
1.2MB

MD5
7fec3eebd710313f7b35254d792228fc

SHA1
e55a429782c6f78e6fc8c80d6fb71a85ce1d01aa

SHA256
3d32ef71bff87e2ac881484cea6b82bd52090a7252c8719f11fb73bb8f63a405

SHA512
83932d7ac29af18c3a0f1424d2cd3e2a1810e908c828377f5c0d6e72240820c3778378c9c3f0c7b86ca94a8265d9c7c0e2b9460de288f07b62c98cd89d699af4

Download Submit
memory/1632-17-0x0000000003290000-0x000000000329E000-memory.dmp

Filesize
56KB

Download
memory/1632-12-0x00007FFB75A53000-0x00007FFB75A55000-memory.dmp

Filesize
8KB

Download
memory/1632-13-0x0000000000F00000-0x0000000001036000-memory.dmp

Filesize
1.2MB

Download
memory/1632-14-0x0000000003140000-0x000000000315C000-memory.dmp

Filesize
112KB

Download
memory/1632-15-0x00000000032E0000-0x0000000003330000-memory.dmp

Filesize
320KB

Download
memory/1632-16-0x0000000003160000-0x0000000003176000-memory.dmp

Filesize
88KB

Download