dcrat | 7de778c5153ba0ae2157f8a3ea78ef402c63d014a9fa719257cee24089e4a88f

max time kernel
1776s
max time network
1792s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
26/08/2023, 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YammiBeta.exe
Size

1.1MB
MD5

6b5050c12abc27bad622f9af8ed7ebe3
SHA1

506be642a7d276c783bfd32a754a9bd1373abaea
SHA256

7de778c5153ba0ae2157f8a3ea78ef402c63d014a9fa719257cee24089e4a88f
SHA512

22ffa4c6afd0661307ca1a3a349e19f9fbb8739e382e2fea7b1ec59200c3d7ca06241b2f5154246ce2b8165da26eac31e70f2a0f4ff586e5b09cf0c993b2d319
SSDEEP

24576:348l0DlMFVPNpQiWq5KMsEINq4pXCxTRg/9QyGTlouInmUf/6ix5GWZ:35yeVPRWq5KMspBpX+wLEojnm3RE

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	3424	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	3424	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	200	3424	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	3424	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	3424	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3884	3424	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	3424	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	3424	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4172	3424	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	3424	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	3424	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	3424	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	3424	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	3424	schtasks.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	3424	schtasks.exe	74

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000800000001af46-11.dat	dcrat
behavioral2/files/0x000800000001af46-14.dat	dcrat
behavioral2/files/0x000700000001afcf-32.dat	dcrat
behavioral2/files/0x000700000001afcf-33.dat	dcrat
behavioral2/memory/3740-34-0x00000000003F0000-0x0000000000570000-memory.dmp	dcrat
behavioral2/files/0x000600000001afd6-48.dat	dcrat
behavioral2/files/0x000600000001afd2-72.dat	dcrat
behavioral2/files/0x000600000001afd2-70.dat	dcrat

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
4460	Loader.exe
3740	MsServerfont.exe
456	spoolsv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ipinfo.io
11	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4288	YammiBeta.exe
4288	YammiBeta.exe
4288	YammiBeta.exe
4288	YammiBeta.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\spoolsv.exe	MsServerfont.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\f3b6ecef712a24	MsServerfont.exe
File created	C:\Program Files (x86)\Windows Mail\spoolsv.exe	MsServerfont.exe
File created	C:\Program Files (x86)\Windows Mail\f3b6ecef712a24	MsServerfont.exe
File created	C:\Program Files (x86)\Windows Portable Devices\sihost.exe	MsServerfont.exe
File created	C:\Program Files (x86)\Windows Portable Devices\66fc9ff0ee96c2	MsServerfont.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2288	schtasks.exe
2172	schtasks.exe
3540	schtasks.exe
3884	schtasks.exe
4544	schtasks.exe
4172	schtasks.exe
4888	schtasks.exe
1416	schtasks.exe
200	schtasks.exe
2020	schtasks.exe
4872	schtasks.exe
3588	schtasks.exe
1364	schtasks.exe
3708	schtasks.exe
3944	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings	Loader.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3740	MsServerfont.exe
3740	MsServerfont.exe
3740	MsServerfont.exe
456	spoolsv.exe
456	spoolsv.exe
3344	powershell.exe
3344	powershell.exe
2244	powershell.exe
2244	powershell.exe
4200	powershell.exe
4200	powershell.exe
4932	powershell.exe
4932	powershell.exe
1428	powershell.exe
1428	powershell.exe
4272	powershell.exe
4272	powershell.exe
1440	powershell.exe
1440	powershell.exe
4984	powershell.exe
4984	powershell.exe
3124	powershell.exe
3124	powershell.exe
4364	powershell.exe
4364	powershell.exe
4220	powershell.exe
4220	powershell.exe
2892	powershell.exe
2892	powershell.exe
3344	powershell.exe
3124	powershell.exe
4200	powershell.exe
2244	powershell.exe
1428	powershell.exe
4932	powershell.exe
3344	powershell.exe
4272	powershell.exe
4984	powershell.exe
1440	powershell.exe
4364	powershell.exe
4220	powershell.exe
2892	powershell.exe
4200	powershell.exe
3124	powershell.exe
2244	powershell.exe
4932	powershell.exe
1440	powershell.exe
2892	powershell.exe
4220	powershell.exe
4364	powershell.exe
1428	powershell.exe
4984	powershell.exe
4272	powershell.exe
4272	powershell.exe
456	spoolsv.exe
456	spoolsv.exe
456	spoolsv.exe
456	spoolsv.exe
456	spoolsv.exe
456	spoolsv.exe
456	spoolsv.exe
456	spoolsv.exe
456	spoolsv.exe
456	spoolsv.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
456	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4288	YammiBeta.exe
Token: SeDebugPrivilege	3740	MsServerfont.exe
Token: SeDebugPrivilege	456	spoolsv.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeDebugPrivilege	4200	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	4272	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	4220	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeIncreaseQuotaPrivilege	3344	powershell.exe
Token: SeSecurityPrivilege	3344	powershell.exe
Token: SeTakeOwnershipPrivilege	3344	powershell.exe
Token: SeLoadDriverPrivilege	3344	powershell.exe
Token: SeSystemProfilePrivilege	3344	powershell.exe
Token: SeSystemtimePrivilege	3344	powershell.exe
Token: SeProfSingleProcessPrivilege	3344	powershell.exe
Token: SeIncBasePriorityPrivilege	3344	powershell.exe
Token: SeCreatePagefilePrivilege	3344	powershell.exe
Token: SeBackupPrivilege	3344	powershell.exe
Token: SeRestorePrivilege	3344	powershell.exe
Token: SeShutdownPrivilege	3344	powershell.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeSystemEnvironmentPrivilege	3344	powershell.exe
Token: SeRemoteShutdownPrivilege	3344	powershell.exe
Token: SeUndockPrivilege	3344	powershell.exe
Token: SeManageVolumePrivilege	3344	powershell.exe
Token: 33	3344	powershell.exe
Token: 34	3344	powershell.exe
Token: 35	3344	powershell.exe
Token: 36	3344	powershell.exe
Token: SeIncreaseQuotaPrivilege	4200	powershell.exe
Token: SeSecurityPrivilege	4200	powershell.exe
Token: SeTakeOwnershipPrivilege	4200	powershell.exe
Token: SeLoadDriverPrivilege	4200	powershell.exe
Token: SeSystemProfilePrivilege	4200	powershell.exe
Token: SeSystemtimePrivilege	4200	powershell.exe
Token: SeProfSingleProcessPrivilege	4200	powershell.exe
Token: SeIncBasePriorityPrivilege	4200	powershell.exe
Token: SeCreatePagefilePrivilege	4200	powershell.exe
Token: SeBackupPrivilege	4200	powershell.exe
Token: SeRestorePrivilege	4200	powershell.exe
Token: SeShutdownPrivilege	4200	powershell.exe
Token: SeDebugPrivilege	4200	powershell.exe
Token: SeSystemEnvironmentPrivilege	4200	powershell.exe
Token: SeRemoteShutdownPrivilege	4200	powershell.exe
Token: SeUndockPrivilege	4200	powershell.exe
Token: SeManageVolumePrivilege	4200	powershell.exe
Token: 33	4200	powershell.exe
Token: 34	4200	powershell.exe
Token: 35	4200	powershell.exe
Token: 36	4200	powershell.exe
Token: SeIncreaseQuotaPrivilege	3124	powershell.exe
Token: SeSecurityPrivilege	3124	powershell.exe
Token: SeTakeOwnershipPrivilege	3124	powershell.exe
Token: SeLoadDriverPrivilege	3124	powershell.exe
Token: SeSystemProfilePrivilege	3124	powershell.exe
Token: SeSystemtimePrivilege	3124	powershell.exe
Token: SeProfSingleProcessPrivilege	3124	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4288	YammiBeta.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 4460	4288	YammiBeta.exe	69
PID 4288 wrote to memory of 4460	4288	YammiBeta.exe	69
PID 4288 wrote to memory of 4460	4288	YammiBeta.exe	69
PID 4460 wrote to memory of 2536	4460	Loader.exe	70
PID 4460 wrote to memory of 2536	4460	Loader.exe	70
PID 4460 wrote to memory of 2536	4460	Loader.exe	70
PID 2536 wrote to memory of 2692	2536	WScript.exe	71
PID 2536 wrote to memory of 2692	2536	WScript.exe	71
PID 2536 wrote to memory of 2692	2536	WScript.exe	71
PID 2692 wrote to memory of 3740	2692	cmd.exe	73
PID 2692 wrote to memory of 3740	2692	cmd.exe	73
PID 3740 wrote to memory of 3344	3740	MsServerfont.exe	90
PID 3740 wrote to memory of 3344	3740	MsServerfont.exe	90
PID 3740 wrote to memory of 4984	3740	MsServerfont.exe	91
PID 3740 wrote to memory of 4984	3740	MsServerfont.exe	91
PID 3740 wrote to memory of 4932	3740	MsServerfont.exe	92
PID 3740 wrote to memory of 4932	3740	MsServerfont.exe	92
PID 3740 wrote to memory of 4272	3740	MsServerfont.exe	93
PID 3740 wrote to memory of 4272	3740	MsServerfont.exe	93
PID 3740 wrote to memory of 4220	3740	MsServerfont.exe	94
PID 3740 wrote to memory of 4220	3740	MsServerfont.exe	94
PID 3740 wrote to memory of 4200	3740	MsServerfont.exe	95
PID 3740 wrote to memory of 4200	3740	MsServerfont.exe	95
PID 3740 wrote to memory of 4364	3740	MsServerfont.exe	96
PID 3740 wrote to memory of 4364	3740	MsServerfont.exe	96
PID 3740 wrote to memory of 3124	3740	MsServerfont.exe	97
PID 3740 wrote to memory of 3124	3740	MsServerfont.exe	97
PID 3740 wrote to memory of 1428	3740	MsServerfont.exe	98
PID 3740 wrote to memory of 1428	3740	MsServerfont.exe	98
PID 3740 wrote to memory of 2892	3740	MsServerfont.exe	99
PID 3740 wrote to memory of 2892	3740	MsServerfont.exe	99
PID 3740 wrote to memory of 1440	3740	MsServerfont.exe	113
PID 3740 wrote to memory of 1440	3740	MsServerfont.exe	113
PID 3740 wrote to memory of 2244	3740	MsServerfont.exe	112
PID 3740 wrote to memory of 2244	3740	MsServerfont.exe	112
PID 3740 wrote to memory of 456	3740	MsServerfont.exe	114
PID 3740 wrote to memory of 456	3740	MsServerfont.exe	114

C:\Users\Admin\AppData\Local\Temp\YammiBeta.exe
"C:\Users\Admin\AppData\Local\Temp\YammiBeta.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\RlJdCeTbjnR.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\xD4oxlRfvWBkgaTyTKGRnb.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3740
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3344
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4932
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4272
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4220
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4200
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4364
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3124
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1428
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
      - C:\Users\Admin\Cookies\spoolsv.exe
        
        "C:\Users\Admin\Cookies\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Cookies\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Cookies\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Portable Devices\sihost.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\spoolsv.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cc5263f588f47d3e49ac2cd00a8a0535

SHA1
ef2fc4af6b634cea62999c57e4fdbf1fa877f620

SHA256
d2c9c6a1a8b3d5acee8a3142f2d375ee9b4e4a61edacfe2926bd7951c368947d

SHA512
d45ad104ac32a88fd883506a821a93eed0b33f04ddb4a447421439b6a7f675a93d234748c3ce28c34bf3b2c600f4cd77d77bb662d4bc24b15e1945b995640cf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6c94a40b3cdb24202a53b6bbc3451f0a

SHA1
f034762856970cac087f5613f1ee74f10ac94420

SHA256
7e5e57300e1875f7f60f1af171ea7fd04e8469b66765c3c1829df77b3c41343d

SHA512
dc4c80c93c671b7ad5485c462e915806e273968615778ef1977bc2e671fd1b9772e9ed846da472691ed11200df2ffef6af55283d7e6bee3307d856a1bdb72702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6c94a40b3cdb24202a53b6bbc3451f0a

SHA1
f034762856970cac087f5613f1ee74f10ac94420

SHA256
7e5e57300e1875f7f60f1af171ea7fd04e8469b66765c3c1829df77b3c41343d

SHA512
dc4c80c93c671b7ad5485c462e915806e273968615778ef1977bc2e671fd1b9772e9ed846da472691ed11200df2ffef6af55283d7e6bee3307d856a1bdb72702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
164e9c8bb2db74c2d1f49cdd4849bb36

SHA1
e57a88255d02bf48d654c223af7097b6562b024e

SHA256
903c67b2d08237aa1790ea3362ffcb9a536cf461fade9beffd5aff6b7d44d514

SHA512
d765d6e0dcf7a61ade2c91c28cce80d0ca5bfa7a50b21fa852979d4cf25ba06ab4710d837233420c00ec29548ded7f4f1cffa977b5fc7dd087640256ef52ff0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
92733c7bd675b04ac21ad415ece0c0a8

SHA1
57000c4f3ac3c612042775fa18f4905f0713b851

SHA256
fd07a562730f5c300a9e92122074a054c33f584eee55ef8c7bc06e5de343ff9d

SHA512
15847b5b0c5b7de0901721d0daa4e3d6d638c0d7cadb2c7004e23df2c9a81b790ecf55aba7e14356ae3448073972d95629795b7b350e156ccd6295eaea8e9af9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
608b83ce9ef93b381221f39cc3f3c34e

SHA1
705b62534a78c2806a2285b697c13b6c22d025f5

SHA256
d2b66207c26d19ce03366961d9a75af554857bf31115e90358720e133fa46d74

SHA512
a7c9d608427ba0b5a898f64e2894e802e375231b65b9dd13df2f989299161a595df40ce72fef2ef65f05dcaa56b35d7e3dc57c663793f38936de4aa97b798237

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ca922d9a392d25805fa73cc6c2085439

SHA1
a6e1385fd68a1a7a12ba171db7f716b29586849d

SHA256
2b55db40baca96eecc499c8047c1c34a060311294834ac86f0b456ab5c9862c2

SHA512
616d116d85d62ce9ee0baac9edb571257b0675a8c7dfbdb1c91134b11ebc149d454379c449d54edd0d49ee1f6f09f8141ee5594fcf18d57420aa2a1a428dca98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e7358962705fd0dbe4a44f0aaabf963c

SHA1
7d795579ffd8c41fba78c9a188c2886911333147

SHA256
a2bc257a1e0f46e69b0e391d5076fd3e2247b765838b6a156bb20b29d74f71a0

SHA512
ccd7d308cdc91159a82529025023070eb7c3e24f79dab4e000f5d9286dc9c496fb85ca511c0e2699ab09aa0d6b8c4da4e5f82c26209392d04d25cbdd8d1a80da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
361371abca5de9517ca78d5acb4b997b

SHA1
b90d9c6301e1cd0af2ea23a517948a7ee3ecd98f

SHA256
ee6c6a8eb09f5403f93e999f8e7d0c033849bfd29e2fdf090f46828b01e11406

SHA512
834bd30f40963f038fb3cd75a5705ff6208156ef2f960bc3f434cee41ea66bd27a50b6fc08e145b7fc162bf8d09a74628e4f63e0f8a408c8b877cea202a40820

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
941c3267e6949856e71329a92cc0811c

SHA1
b2afa3b49e4ca2455dd652ccdbd46d95f4c27a71

SHA256
7ce2475f2fc9e98ef35a79aa0cfbf24d7ee6b5f440c4f0378225e4056def89ae

SHA512
dbee0c4ed856b77976fb779efd23da60763bc019c0e7ff370dbba47cbbbcf7193ab8c7ac19b682472257923dab81e2d3300edfd669ca7a65267718136a1cc560

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
941c3267e6949856e71329a92cc0811c

SHA1
b2afa3b49e4ca2455dd652ccdbd46d95f4c27a71

SHA256
7ce2475f2fc9e98ef35a79aa0cfbf24d7ee6b5f440c4f0378225e4056def89ae

SHA512
dbee0c4ed856b77976fb779efd23da60763bc019c0e7ff370dbba47cbbbcf7193ab8c7ac19b682472257923dab81e2d3300edfd669ca7a65267718136a1cc560

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\RlJdCeTbjnR.vbe

Filesize
214B

MD5
f246d91170758c560dcc804e79b689ce

SHA1
8e9820729c33e492c5d76722607a38379b1cbd38

SHA256
8558d7ec61aa5e0e6162d9f59103a6d3340cc359ee0526e765a061c6673a9665

SHA512
dcc48971a6a4a1b3af13a420a8de6ddfd765c780bfe76cbf1a459a855c14f0ca6510994fc988dfecd92257b99b41e2caf68025991ca80663331ce1c61110e5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\xD4oxlRfvWBkgaTyTKGRnb.bat

Filesize
37B

MD5
c87d31ff7b6bc8e971808bc819561137

SHA1
000f77a2d2596c87d3e2085ad74794b0627c034a

SHA256
738675ead6e7e54b7f0298824578cdfb659584a16f4f0cc2a0bdba654a482872

SHA512
34d995cf1fd3908a190aac08cefae4fb0d4fae7fd0cef2fb625a5e2d76864ce99724a2da4d1f05327bad80dab08f08038e17785e23c49087968e6c569964ffde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
1.7MB

MD5
fea5051ff55437d8510d9dba5159efba

SHA1
cc6dcfad3e10dc075ba815f2a1d815c97c95e0c3

SHA256
9d81caf5187bce5f5d2c1bf2b50d5c15b7f26bdc6ec954c8801bc358f0cfba5f

SHA512
796f7e8663206c9acbaf06aae656291821c02111a812bd9c71d62a18247ac6b2ef0cd27993dded6d08f6268e854207bba3c62e020afa8d06fee1e693b920daf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
1.7MB

MD5
fea5051ff55437d8510d9dba5159efba

SHA1
cc6dcfad3e10dc075ba815f2a1d815c97c95e0c3

SHA256
9d81caf5187bce5f5d2c1bf2b50d5c15b7f26bdc6ec954c8801bc358f0cfba5f

SHA512
796f7e8663206c9acbaf06aae656291821c02111a812bd9c71d62a18247ac6b2ef0cd27993dded6d08f6268e854207bba3c62e020afa8d06fee1e693b920daf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qe2v0gmv.gdf.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Cookies\spoolsv.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
memory/456-131-0x000000001B8F0000-0x000000001B900000-memory.dmp

Filesize
64KB

Download
memory/456-108-0x00007FFADB7C0000-0x00007FFADC1AC000-memory.dmp

Filesize
9.9MB

Download
memory/1428-123-0x00000201F0C70000-0x00000201F0C80000-memory.dmp

Filesize
64KB

Download
memory/1428-122-0x00000201F0C70000-0x00000201F0C80000-memory.dmp

Filesize
64KB

Download
memory/1428-98-0x00007FFADB7C0000-0x00007FFADC1AC000-memory.dmp

Filesize
9.9MB

Download
memory/1440-139-0x00007FFADB7C0000-0x00007FFADC1AC000-memory.dmp

Filesize
9.9MB

Download
memory/1440-125-0x000001ABFF750000-0x000001ABFF760000-memory.dmp

Filesize
64KB

Download
memory/1440-126-0x000001ABFF750000-0x000001ABFF760000-memory.dmp

Filesize
64KB

Download
memory/2244-140-0x00007FFADB7C0000-0x00007FFADC1AC000-memory.dmp

Filesize
9.9MB

Download
memory/2244-119-0x000001D6430E0000-0x000001D6430F0000-memory.dmp

Filesize
64KB

Download
memory/2244-118-0x000001D6430E0000-0x000001D6430F0000-memory.dmp

Filesize
64KB

Download
memory/2892-146-0x000001F13CC50000-0x000001F13CC60000-memory.dmp

Filesize
64KB

Download
memory/2892-138-0x000001F13CC50000-0x000001F13CC60000-memory.dmp

Filesize
64KB

Download
memory/2892-129-0x00007FFADB7C0000-0x00007FFADC1AC000-memory.dmp

Filesize
9.9MB

Download
memory/3124-135-0x00000184698F0000-0x0000018469900000-memory.dmp

Filesize
64KB

Download
memory/3124-134-0x00000184698F0000-0x0000018469900000-memory.dmp

Filesize
64KB

Download
memory/3124-120-0x00007FFADB7C0000-0x00007FFADC1AC000-memory.dmp

Filesize
9.9MB

Download
memory/3344-153-0x0000023CE3740000-0x0000023CE37B6000-memory.dmp

Filesize
472KB

Download
memory/3344-198-0x0000023CCB2C0000-0x0000023CCB2D0000-memory.dmp

Filesize
64KB

Download
memory/3344-65-0x00007FFADB7C0000-0x00007FFADC1AC000-memory.dmp

Filesize
9.9MB

Download
memory/3344-128-0x0000023CE3590000-0x0000023CE35B2000-memory.dmp

Filesize
136KB

Download
memory/3740-39-0x000000001B170000-0x000000001B186000-memory.dmp

Filesize
88KB

Download
memory/3740-43-0x000000001B6C0000-0x000000001B6CE000-memory.dmp

Filesize
56KB

Download
memory/3740-42-0x000000001B6B0000-0x000000001B6BE000-memory.dmp

Filesize
56KB

Download
memory/3740-41-0x000000001B190000-0x000000001B19C000-memory.dmp

Filesize
48KB

Download
memory/3740-40-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/3740-84-0x00007FFADB7C0000-0x00007FFADC1AC000-memory.dmp

Filesize
9.9MB

Download
memory/3740-36-0x000000001B1A0000-0x000000001B1B0000-memory.dmp

Filesize
64KB

Download
memory/3740-35-0x00007FFADB7C0000-0x00007FFADC1AC000-memory.dmp

Filesize
9.9MB

Download
memory/3740-34-0x00000000003F0000-0x0000000000570000-memory.dmp

Filesize
1.5MB

Download
memory/3740-38-0x000000001B700000-0x000000001B750000-memory.dmp

Filesize
320KB

Download
memory/3740-37-0x0000000002760000-0x000000000277C000-memory.dmp

Filesize
112KB

Download
memory/3740-44-0x000000001B6D0000-0x000000001B6DA000-memory.dmp

Filesize
40KB

Download
memory/3740-45-0x000000001B6E0000-0x000000001B6EC000-memory.dmp

Filesize
48KB

Download
memory/4200-223-0x000002156BC50000-0x000002156BC60000-memory.dmp

Filesize
64KB

Download
memory/4200-111-0x000002156BC50000-0x000002156BC60000-memory.dmp

Filesize
64KB

Download
memory/4200-113-0x000002156BC50000-0x000002156BC60000-memory.dmp

Filesize
64KB

Download
memory/4200-74-0x00007FFADB7C0000-0x00007FFADC1AC000-memory.dmp

Filesize
9.9MB

Download
memory/4220-136-0x0000019EE1550000-0x0000019EE1560000-memory.dmp

Filesize
64KB

Download
memory/4220-137-0x0000019EE1550000-0x0000019EE1560000-memory.dmp

Filesize
64KB

Download
memory/4220-127-0x00007FFADB7C0000-0x00007FFADC1AC000-memory.dmp

Filesize
9.9MB

Download
memory/4272-143-0x000002CDB3BE0000-0x000002CDB3BF0000-memory.dmp

Filesize
64KB

Download
memory/4272-130-0x000002CDB3BE0000-0x000002CDB3BF0000-memory.dmp

Filesize
64KB

Download
memory/4272-141-0x00007FFADB7C0000-0x00007FFADC1AC000-memory.dmp

Filesize
9.9MB

Download
memory/4288-25-0x0000000006C70000-0x0000000006D02000-memory.dmp

Filesize
584KB

Download
memory/4288-28-0x00000000010C0000-0x000000000143E000-memory.dmp

Filesize
3.5MB

Download
memory/4288-1-0x00000000010C0000-0x000000000143E000-memory.dmp

Filesize
3.5MB

Download
memory/4288-2-0x0000000073480000-0x0000000073B6E000-memory.dmp

Filesize
6.9MB

Download
memory/4288-0-0x00000000010C0000-0x000000000143E000-memory.dmp

Filesize
3.5MB

Download
memory/4288-3-0x0000000005C60000-0x0000000005C70000-memory.dmp

Filesize
64KB

Download
memory/4288-4-0x00000000010C0000-0x000000000143E000-memory.dmp

Filesize
3.5MB

Download
memory/4288-6-0x0000000073480000-0x0000000073B6E000-memory.dmp

Filesize
6.9MB

Download
memory/4288-7-0x0000000005C60000-0x0000000005C70000-memory.dmp

Filesize
64KB

Download
memory/4288-24-0x0000000007080000-0x000000000757E000-memory.dmp

Filesize
5.0MB

Download
memory/4288-29-0x0000000073480000-0x0000000073B6E000-memory.dmp

Filesize
6.9MB

Download
memory/4364-124-0x00007FFADB7C0000-0x00007FFADC1AC000-memory.dmp

Filesize
9.9MB

Download
memory/4364-144-0x0000018784BB0000-0x0000018784BC0000-memory.dmp

Filesize
64KB

Download
memory/4364-145-0x0000018784BB0000-0x0000018784BC0000-memory.dmp

Filesize
64KB

Download
memory/4932-85-0x00007FFADB7C0000-0x00007FFADC1AC000-memory.dmp

Filesize
9.9MB

Download
memory/4932-121-0x000001B5F5440000-0x000001B5F5450000-memory.dmp

Filesize
64KB

Download
memory/4932-142-0x000001B5F5440000-0x000001B5F5450000-memory.dmp

Filesize
64KB

Download
memory/4984-132-0x000001E2AF400000-0x000001E2AF410000-memory.dmp

Filesize
64KB

Download
memory/4984-133-0x000001E2AF400000-0x000001E2AF410000-memory.dmp

Filesize
64KB

Download
memory/4984-117-0x00007FFADB7C0000-0x00007FFADC1AC000-memory.dmp

Filesize
9.9MB

Download