dcrat | 5395e93ec3e4f0eadfd201ff31d81602aab865840752f0b7407ef061f331a555

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5395e93ec3e4f0eadfd201ff31d81602aab865840752f0b7407ef061f331a555.exe
Size

1.3MB
MD5

7e83bd0b3bd7af7027451ea6a5d36741
SHA1

6641581601fe7d6475ed5bc9a14f42333957ea63
SHA256

5395e93ec3e4f0eadfd201ff31d81602aab865840752f0b7407ef061f331a555
SHA512

daf2bb3df2240a7dbda29d192932530c4b8e7f1f7e62def4bec51b74954e8ddf3cc4f1095d9b001dc75198eca3064eb40e5c6006f173f605551c29efde176f84
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2824	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2824	schtasks.exe	33

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0009000000018b05-9.dat	dcrat
behavioral1/memory/2408-13-0x0000000001260000-0x0000000001370000-memory.dmp	dcrat
behavioral1/memory/2420-59-0x0000000000330000-0x0000000000440000-memory.dmp	dcrat
behavioral1/memory/780-117-0x0000000000C80000-0x0000000000D90000-memory.dmp	dcrat
behavioral1/memory/2808-177-0x0000000000CD0000-0x0000000000DE0000-memory.dmp	dcrat
behavioral1/memory/2248-237-0x00000000013B0000-0x00000000014C0000-memory.dmp	dcrat
behavioral1/memory/340-474-0x0000000000280000-0x0000000000390000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3036	powershell.exe
3068	powershell.exe
2180	powershell.exe
2200	powershell.exe
2300	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
2408	DllCommonsvc.exe
2420	System.exe
780	System.exe
2808	System.exe
2248	System.exe
680	System.exe
2988	System.exe
2684	System.exe
340	System.exe

Loads dropped DLL 2 IoCs

pid	Process
2864	cmd.exe
2864	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
26	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\CrashReports\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\CrashReports\f3b6ecef712a24	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5395e93ec3e4f0eadfd201ff31d81602aab865840752f0b7407ef061f331a555.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2596	schtasks.exe
2304	schtasks.exe
1484	schtasks.exe
2224	schtasks.exe
2888	schtasks.exe
2744	schtasks.exe
2832	schtasks.exe
900	schtasks.exe
2612	schtasks.exe
2068	schtasks.exe
832	schtasks.exe
2800	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2408	DllCommonsvc.exe
2180	powershell.exe
3036	powershell.exe
3068	powershell.exe
2200	powershell.exe
2300	powershell.exe
2420	System.exe
780	System.exe
2808	System.exe
2248	System.exe
680	System.exe
2988	System.exe
2684	System.exe
340	System.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	DllCommonsvc.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	2420	System.exe
Token: SeDebugPrivilege	780	System.exe
Token: SeDebugPrivilege	2808	System.exe
Token: SeDebugPrivilege	2248	System.exe
Token: SeDebugPrivilege	680	System.exe
Token: SeDebugPrivilege	2988	System.exe
Token: SeDebugPrivilege	2684	System.exe
Token: SeDebugPrivilege	340	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2296	2660	JaffaCakes118_5395e93ec3e4f0eadfd201ff31d81602aab865840752f0b7407ef061f331a555.exe	29
PID 2660 wrote to memory of 2296	2660	JaffaCakes118_5395e93ec3e4f0eadfd201ff31d81602aab865840752f0b7407ef061f331a555.exe	29
PID 2660 wrote to memory of 2296	2660	JaffaCakes118_5395e93ec3e4f0eadfd201ff31d81602aab865840752f0b7407ef061f331a555.exe	29
PID 2660 wrote to memory of 2296	2660	JaffaCakes118_5395e93ec3e4f0eadfd201ff31d81602aab865840752f0b7407ef061f331a555.exe	29
PID 2296 wrote to memory of 2864	2296	WScript.exe	30
PID 2296 wrote to memory of 2864	2296	WScript.exe	30
PID 2296 wrote to memory of 2864	2296	WScript.exe	30
PID 2296 wrote to memory of 2864	2296	WScript.exe	30
PID 2864 wrote to memory of 2408	2864	cmd.exe	32
PID 2864 wrote to memory of 2408	2864	cmd.exe	32
PID 2864 wrote to memory of 2408	2864	cmd.exe	32
PID 2864 wrote to memory of 2408	2864	cmd.exe	32
PID 2408 wrote to memory of 3036	2408	DllCommonsvc.exe	46
PID 2408 wrote to memory of 3036	2408	DllCommonsvc.exe	46
PID 2408 wrote to memory of 3036	2408	DllCommonsvc.exe	46
PID 2408 wrote to memory of 3068	2408	DllCommonsvc.exe	47
PID 2408 wrote to memory of 3068	2408	DllCommonsvc.exe	47
PID 2408 wrote to memory of 3068	2408	DllCommonsvc.exe	47
PID 2408 wrote to memory of 2180	2408	DllCommonsvc.exe	48
PID 2408 wrote to memory of 2180	2408	DllCommonsvc.exe	48
PID 2408 wrote to memory of 2180	2408	DllCommonsvc.exe	48
PID 2408 wrote to memory of 2200	2408	DllCommonsvc.exe	49
PID 2408 wrote to memory of 2200	2408	DllCommonsvc.exe	49
PID 2408 wrote to memory of 2200	2408	DllCommonsvc.exe	49
PID 2408 wrote to memory of 2300	2408	DllCommonsvc.exe	50
PID 2408 wrote to memory of 2300	2408	DllCommonsvc.exe	50
PID 2408 wrote to memory of 2300	2408	DllCommonsvc.exe	50
PID 2408 wrote to memory of 436	2408	DllCommonsvc.exe	56
PID 2408 wrote to memory of 436	2408	DllCommonsvc.exe	56
PID 2408 wrote to memory of 436	2408	DllCommonsvc.exe	56
PID 436 wrote to memory of 2504	436	cmd.exe	58
PID 436 wrote to memory of 2504	436	cmd.exe	58
PID 436 wrote to memory of 2504	436	cmd.exe	58
PID 436 wrote to memory of 2420	436	cmd.exe	59
PID 436 wrote to memory of 2420	436	cmd.exe	59
PID 436 wrote to memory of 2420	436	cmd.exe	59
PID 2420 wrote to memory of 1620	2420	System.exe	60
PID 2420 wrote to memory of 1620	2420	System.exe	60
PID 2420 wrote to memory of 1620	2420	System.exe	60
PID 780 wrote to memory of 2148	780	System.exe	64
PID 780 wrote to memory of 2148	780	System.exe	64
PID 780 wrote to memory of 2148	780	System.exe	64
PID 2148 wrote to memory of 2968	2148	cmd.exe	66
PID 2148 wrote to memory of 2968	2148	cmd.exe	66
PID 2148 wrote to memory of 2968	2148	cmd.exe	66
PID 2148 wrote to memory of 2808	2148	cmd.exe	67
PID 2148 wrote to memory of 2808	2148	cmd.exe	67
PID 2148 wrote to memory of 2808	2148	cmd.exe	67
PID 2808 wrote to memory of 2492	2808	System.exe	68
PID 2808 wrote to memory of 2492	2808	System.exe	68
PID 2808 wrote to memory of 2492	2808	System.exe	68
PID 2492 wrote to memory of 1552	2492	cmd.exe	70
PID 2492 wrote to memory of 1552	2492	cmd.exe	70
PID 2492 wrote to memory of 1552	2492	cmd.exe	70
PID 2492 wrote to memory of 2248	2492	cmd.exe	71
PID 2492 wrote to memory of 2248	2492	cmd.exe	71
PID 2492 wrote to memory of 2248	2492	cmd.exe	71
PID 2248 wrote to memory of 1748	2248	System.exe	72
PID 2248 wrote to memory of 1748	2248	System.exe	72
PID 2248 wrote to memory of 1748	2248	System.exe	72
PID 1748 wrote to memory of 2564	1748	cmd.exe	74
PID 1748 wrote to memory of 2564	1748	cmd.exe	74
PID 1748 wrote to memory of 2564	1748	cmd.exe	74
PID 1748 wrote to memory of 680	1748	cmd.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5395e93ec3e4f0eadfd201ff31d81602aab865840752f0b7407ef061f331a555.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5395e93ec3e4f0eadfd201ff31d81602aab865840752f0b7407ef061f331a555.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XfWEItxuzP.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:436
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2504
      - C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat"
        7⤵
        
        PID:1620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2124
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pFKIY4EPZg.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2968
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1552
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2564
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat"
        15⤵
        
        PID:1704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2868
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hGj9C4kLBH.bat"
        17⤵
        
        PID:2772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2452
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat"
        19⤵
        
        PID:956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1512
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\CrashReports\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\CrashReports\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83949ea887d2024cdb1c091458200388

SHA1
debf2051d34a42f8c807e81ff410e2b9c8cc4708

SHA256
094937b851fdfcfd13fa25ed2a995198446333200584ad746dc0d6d84f4773d1

SHA512
e1ec908651c02357864bf72f4643416498f77268db5abb24922454b37f77a429d576eef82b31ca728f7978bbf0b2ecc80d12413004ab099c4035c3ee28b9e5ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c2be36bd7db43ba25578e22174ed3bf

SHA1
53aaf4692285dfdaf938728b74aa96b552332136

SHA256
761867abd6ca24e01bd84c6ce632eb71d4c04eb347c1825a3a7e777adc12362c

SHA512
1700c1d55bce8a636ed09a3fdca4f7943e3ba9dd8233a08fecbaf2fb673ad4d93aa0d1c0aee53e2cc00fb6274e10eb0783d2a4e29fff5c97570329b574048865

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f842795bce7b63ba449de8e88645ac85

SHA1
777d7d21a7b649f74eab56b6b731364acb04af61

SHA256
0db0dd3e7a32d4117a865b0385fa4c148c42bd06a3a794a0d5938f47c69b7d5b

SHA512
d5042f7ff6dc61cb4d8cc42a96032f2d3c9510566b55cceba42f0afbd4032371936c20477a95ec2bce249d3ae78198cde3514d020759e6041f5e687b32d47764

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
446aae71cc78cf27dd23911ac062fe32

SHA1
cbe1ab4ec6746c7d47b7e34da4274c5c9c326380

SHA256
80398f4ef911e59cd0f07498b1ff2c2550f81aada36676ef675ad8a33a8573c1

SHA512
b70b871070f6971e77b9a028d1a4982864ee157d41f51d82507562cdf819adee6c9990a40c445f5c99f15c786c90d9b362d44501caaa6eddcc7631c7721c3301

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7dc92cf1adb450b328baf1753dc218fa

SHA1
7ee52088b9650c84def3c17e7ee04a0d69131222

SHA256
bfc16a31a822d95cf761f22a5972634ad19e557788711cedb2360427015bc1f8

SHA512
bc3f31971ffe287a6820c0208813350538fdfa037a178551f643c72f19ed42a5261b8bd155ede5ee2cee7365152ce10625bb7ad807a9b8bb293b87a72ecb6aec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b5aeaebd4bcda72876a367d93c655d0

SHA1
2a5c157218a5d8d460405c1c6ebeedcb4817dded

SHA256
292f972539be8388a48083b76b09ddf4ca090989d77468cf193aee66871bc638

SHA512
4c9db8290f0c5660148e0a3374ac95860d3848229a3fe9b82faade881f0963d35fa5297a96fd198108a031559338dfd5fdf7e7fe2fbaa2fbef10f0b750029157

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42f61a13ac887fd033703e240e865c84

SHA1
b9b3b12242c88734c09747e69c1e3326fa655971

SHA256
c34d3836614aab24aa2e2587fff6614cc9e3d5e371eeb4613ecb717224527759

SHA512
6865b167a279e460da61c1242d54b243538fc3a565a757e725040abe4abfcbc95bf4f60c423e6458861a85c930b41706700aa2c2c1ce7fd95d622b1bdf00a168

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab93F8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat

Filesize
224B

MD5
d5f46f5dfeca2239f4a3f11d47c32b8b

SHA1
6536de962676b256b7b7c64099aeb304fe6e9021

SHA256
79eb4a568761cdc91ed4e7e1a28f4b0d0a074e87c7292288adce51a9937f8b38

SHA512
3fdc9cea1865208aa9eccbf19232d630d3998403ffc4cb1889c69e9fe67677779dd1e0c7ed0a82d76ae6ff9e005ab8e4bebbc4fa33f0c26dd4022e45406293fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat

Filesize
224B

MD5
ba95d61a751ab21f6846bddb34f98847

SHA1
3ec5206f26694251f941cc494c5e10bf30acddbe

SHA256
ad2fa809881cb32a14c02c1db1cece9d391f4f2fc5bba2745e0b801ea24cb144

SHA512
40ff703f7455de707218752442c45b3f5ea6d443090d3d6849e40e55b9c01f267e41d518a7513587a20ad02a7a51869cdf95728ba2d0a786047da2e5495b988b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9439.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat

Filesize
224B

MD5
279045f4df75bc8ba0869e7f989e5b0b

SHA1
7c2b7b3d5aa125b539d50d1ca4cfbe21d96c9b5b

SHA256
e06396a7181a0fbad2f442de8e5efd6d5be6436fe21b4c72a72df61f20430137

SHA512
35eafa7a99b107384b140d9e19199e00773dba9b47c00e47c46b0e8d4752e4ae66cac1a5adce2597de3d93b7cce98e51d70f168fd24ced5016c6b24add80744f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XfWEItxuzP.bat

Filesize
224B

MD5
f9504bdd2b91da0c2bbf1979a6529c92

SHA1
90389dcf46bf30bf86e7a6ae755d758ffde87972

SHA256
ac81ca9e24b48f25df274f9918fc87dd5608c72d7e06761380cd3ac808b9fbea

SHA512
8eddcfefabacff8e79fc4aaaa1fe6c44030cf51287e62d19d407e4364bf9a6c15527f918f0da6109e3b293dc3d1c63197db88372d2c0855b44c42141b5195817

Download Submit
C:\Users\Admin\AppData\Local\Temp\hGj9C4kLBH.bat

Filesize
224B

MD5
17aac0f225bd48cfd4fb8e7640538384

SHA1
338cfb55c22159ab0b2d6ffed71b46930f7aecc6

SHA256
f8a0d6121c0c2e0e3fc2ff4b533e0a6d57827b72ca88c54c44ee971cd39114dc

SHA512
3e90a4e3f831b593fc13c06b7e98c3497d8e70e0a94896e38c8542ae23e4189aeccae8594a93c161ff46e70563738b6206d6f9a34cb272713b5d399aeb3895d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat

Filesize
224B

MD5
8ab2a3077c466e61fa3eed383ad23c7b

SHA1
48aca8c0538c0e7768d5974645c34f4b1284422e

SHA256
414311f704d8668ea5dbbe8a8c5359b0b001491e5ec30b38ec8942c903011280

SHA512
04e02536bbd47414373407fdafff2006ef3676aad9bfc6c8e8fac02824468955befc6e377d782cec0b080a0b2e3a8ccec2119bdf1ddaec931caeac05d6b59d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\pFKIY4EPZg.bat

Filesize
224B

MD5
ec602b2d146e62dfdce5fa9ec316ae79

SHA1
b68948bb37e8e932f64d6d6dbd1854fb8f567b44

SHA256
584be0b5d6dbfe7d9fd7915b003af5aaacd4103d729fbd52c373921c498db4bc

SHA512
d7e13f166a7a7cef2a33785c019a1716f222f26824c752ecd744b32c6cddb381494ea88decee4bd6f9697eabbf612f7105e765fda09757906a4b1963e45db5a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1d9fec061d73793a36be3a3e00336161

SHA1
7aaca673b426759d7472a5138802b672e3fd30ec

SHA256
6aca55e64a7c6ad0e990841a9112c3886151dc6da946e6437862655599abf708

SHA512
78c05d27dac0ec39af32d5c700d8d91879027cfeacc954e7a53fd3efd1ed308548d2475515abd6ca74efd013282beee7d27915270aae2d67b1a2d80add8baf52

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/340-474-0x0000000000280000-0x0000000000390000-memory.dmp

Filesize
1.1MB

Download
memory/340-475-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/780-117-0x0000000000C80000-0x0000000000D90000-memory.dmp

Filesize
1.1MB

Download
memory/2180-35-0x000000001B330000-0x000000001B612000-memory.dmp

Filesize
2.9MB

Download
memory/2180-36-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download
memory/2248-237-0x00000000013B0000-0x00000000014C0000-memory.dmp

Filesize
1.1MB

Download
memory/2408-15-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2408-17-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2408-16-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2408-13-0x0000000001260000-0x0000000001370000-memory.dmp

Filesize
1.1MB

Download
memory/2408-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2420-59-0x0000000000330000-0x0000000000440000-memory.dmp

Filesize
1.1MB

Download
memory/2808-177-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

Filesize
1.1MB

Download