dcrat | cd1645ce66fa9706f19387bb054693e09247f5b3b665746ed3c25dbefcdfc22b

Analysis

max time kernel
118s
max time network
114s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
07-01-2025 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd1645ce66fa9706f19387bb054693e09247f5b3b665746ed3c25dbefcdfc22bN.exe
Size

1.3MB
MD5

1323bfd5193c0637c1aba82cb6d9f0e0
SHA1

d7984f26ba391588ffd2c31540e98d503f6d2a23
SHA256

cd1645ce66fa9706f19387bb054693e09247f5b3b665746ed3c25dbefcdfc22b
SHA512

74412633546c8f5d93d576a74e07b8dc6d99f8092f065d689268c2aa7db1739a66ed6014acb80a08a5a0c699fe728265636218ba263aff33fd1abf463bcd5ad2
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2576	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001932d-12.dat	dcrat
behavioral1/memory/2872-13-0x0000000001130000-0x0000000001240000-memory.dmp	dcrat
behavioral1/memory/1900-52-0x0000000000240000-0x0000000000350000-memory.dmp	dcrat
behavioral1/memory/2508-111-0x0000000000A20000-0x0000000000B30000-memory.dmp	dcrat
behavioral1/memory/2436-172-0x00000000002D0000-0x00000000003E0000-memory.dmp	dcrat
behavioral1/memory/1648-232-0x0000000000980000-0x0000000000A90000-memory.dmp	dcrat
behavioral1/memory/2148-351-0x0000000000C00000-0x0000000000D10000-memory.dmp	dcrat
behavioral1/memory/540-411-0x00000000011A0000-0x00000000012B0000-memory.dmp	dcrat
behavioral1/memory/2268-530-0x00000000011D0000-0x00000000012E0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2052	powershell.exe
2460	powershell.exe
1884	powershell.exe
904	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2872	DllCommonsvc.exe
1900	spoolsv.exe
2508	spoolsv.exe
2436	spoolsv.exe
1648	spoolsv.exe
2092	spoolsv.exe
2148	spoolsv.exe
540	spoolsv.exe
2840	spoolsv.exe
2268	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
1364	cmd.exe
1364	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
29	raw.githubusercontent.com
12	raw.githubusercontent.com
25	raw.githubusercontent.com
9	raw.githubusercontent.com
15	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\csrss.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Defender\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cd1645ce66fa9706f19387bb054693e09247f5b3b665746ed3c25dbefcdfc22bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1844	schtasks.exe
3056	schtasks.exe
1520	schtasks.exe
2752	schtasks.exe
2260	schtasks.exe
1356	schtasks.exe
1240	schtasks.exe
1876	schtasks.exe
2648	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2872	DllCommonsvc.exe
2460	powershell.exe
904	powershell.exe
2052	powershell.exe
1884	powershell.exe
1900	spoolsv.exe
2508	spoolsv.exe
2436	spoolsv.exe
1648	spoolsv.exe
2092	spoolsv.exe
2148	spoolsv.exe
540	spoolsv.exe
2840	spoolsv.exe
2268	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	DllCommonsvc.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	1900	spoolsv.exe
Token: SeDebugPrivilege	2508	spoolsv.exe
Token: SeDebugPrivilege	2436	spoolsv.exe
Token: SeDebugPrivilege	1648	spoolsv.exe
Token: SeDebugPrivilege	2092	spoolsv.exe
Token: SeDebugPrivilege	2148	spoolsv.exe
Token: SeDebugPrivilege	540	spoolsv.exe
Token: SeDebugPrivilege	2840	spoolsv.exe
Token: SeDebugPrivilege	2268	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2732	2264	cd1645ce66fa9706f19387bb054693e09247f5b3b665746ed3c25dbefcdfc22bN.exe	30
PID 2264 wrote to memory of 2732	2264	cd1645ce66fa9706f19387bb054693e09247f5b3b665746ed3c25dbefcdfc22bN.exe	30
PID 2264 wrote to memory of 2732	2264	cd1645ce66fa9706f19387bb054693e09247f5b3b665746ed3c25dbefcdfc22bN.exe	30
PID 2264 wrote to memory of 2732	2264	cd1645ce66fa9706f19387bb054693e09247f5b3b665746ed3c25dbefcdfc22bN.exe	30
PID 2732 wrote to memory of 1364	2732	WScript.exe	31
PID 2732 wrote to memory of 1364	2732	WScript.exe	31
PID 2732 wrote to memory of 1364	2732	WScript.exe	31
PID 2732 wrote to memory of 1364	2732	WScript.exe	31
PID 1364 wrote to memory of 2872	1364	cmd.exe	33
PID 1364 wrote to memory of 2872	1364	cmd.exe	33
PID 1364 wrote to memory of 2872	1364	cmd.exe	33
PID 1364 wrote to memory of 2872	1364	cmd.exe	33
PID 2872 wrote to memory of 2052	2872	DllCommonsvc.exe	44
PID 2872 wrote to memory of 2052	2872	DllCommonsvc.exe	44
PID 2872 wrote to memory of 2052	2872	DllCommonsvc.exe	44
PID 2872 wrote to memory of 2460	2872	DllCommonsvc.exe	45
PID 2872 wrote to memory of 2460	2872	DllCommonsvc.exe	45
PID 2872 wrote to memory of 2460	2872	DllCommonsvc.exe	45
PID 2872 wrote to memory of 1884	2872	DllCommonsvc.exe	46
PID 2872 wrote to memory of 1884	2872	DllCommonsvc.exe	46
PID 2872 wrote to memory of 1884	2872	DllCommonsvc.exe	46
PID 2872 wrote to memory of 904	2872	DllCommonsvc.exe	47
PID 2872 wrote to memory of 904	2872	DllCommonsvc.exe	47
PID 2872 wrote to memory of 904	2872	DllCommonsvc.exe	47
PID 2872 wrote to memory of 2836	2872	DllCommonsvc.exe	52
PID 2872 wrote to memory of 2836	2872	DllCommonsvc.exe	52
PID 2872 wrote to memory of 2836	2872	DllCommonsvc.exe	52
PID 2836 wrote to memory of 332	2836	cmd.exe	54
PID 2836 wrote to memory of 332	2836	cmd.exe	54
PID 2836 wrote to memory of 332	2836	cmd.exe	54
PID 2836 wrote to memory of 1900	2836	cmd.exe	55
PID 2836 wrote to memory of 1900	2836	cmd.exe	55
PID 2836 wrote to memory of 1900	2836	cmd.exe	55
PID 1900 wrote to memory of 2224	1900	spoolsv.exe	56
PID 1900 wrote to memory of 2224	1900	spoolsv.exe	56
PID 1900 wrote to memory of 2224	1900	spoolsv.exe	56
PID 2224 wrote to memory of 1284	2224	cmd.exe	58
PID 2224 wrote to memory of 1284	2224	cmd.exe	58
PID 2224 wrote to memory of 1284	2224	cmd.exe	58
PID 2224 wrote to memory of 2508	2224	cmd.exe	59
PID 2224 wrote to memory of 2508	2224	cmd.exe	59
PID 2224 wrote to memory of 2508	2224	cmd.exe	59
PID 2508 wrote to memory of 3068	2508	spoolsv.exe	60
PID 2508 wrote to memory of 3068	2508	spoolsv.exe	60
PID 2508 wrote to memory of 3068	2508	spoolsv.exe	60
PID 3068 wrote to memory of 1564	3068	cmd.exe	62
PID 3068 wrote to memory of 1564	3068	cmd.exe	62
PID 3068 wrote to memory of 1564	3068	cmd.exe	62
PID 3068 wrote to memory of 2436	3068	cmd.exe	63
PID 3068 wrote to memory of 2436	3068	cmd.exe	63
PID 3068 wrote to memory of 2436	3068	cmd.exe	63
PID 2436 wrote to memory of 2956	2436	spoolsv.exe	64
PID 2436 wrote to memory of 2956	2436	spoolsv.exe	64
PID 2436 wrote to memory of 2956	2436	spoolsv.exe	64
PID 2956 wrote to memory of 2448	2956	cmd.exe	66
PID 2956 wrote to memory of 2448	2956	cmd.exe	66
PID 2956 wrote to memory of 2448	2956	cmd.exe	66
PID 2956 wrote to memory of 1648	2956	cmd.exe	67
PID 2956 wrote to memory of 1648	2956	cmd.exe	67
PID 2956 wrote to memory of 1648	2956	cmd.exe	67
PID 1648 wrote to memory of 2284	1648	spoolsv.exe	68
PID 1648 wrote to memory of 2284	1648	spoolsv.exe	68
PID 1648 wrote to memory of 2284	1648	spoolsv.exe	68
PID 2284 wrote to memory of 1592	2284	cmd.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cd1645ce66fa9706f19387bb054693e09247f5b3b665746ed3c25dbefcdfc22bN.exe
"C:\Users\Admin\AppData\Local\Temp\cd1645ce66fa9706f19387bb054693e09247f5b3b665746ed3c25dbefcdfc22bN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lKhhpQ3tH5.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2836
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:332
      - C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1284
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QY0o5k1hVk.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1564
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2448
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\23CLvB8Ots.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1592
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V61H6ynXXY.bat"
        15⤵
        
        PID:2512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:316
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat"
        17⤵
        
        PID:848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2168
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat"
        19⤵
        
        PID:2660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:3012
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hD3D8PLBZ9.bat"
        21⤵
        
        PID:2772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1540
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Downloads\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Downloads\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6bb0dc71db79c2fea4358021acdc505

SHA1
57ddef182547dc827fbe15def684293fbe46d9ad

SHA256
eca010a2fad7ce75fb5f072c2578dfb27e87bad6376087356e27c169e83217c2

SHA512
3e21228f8f2a971def94afb0edb7f279bb7e98c1fc5b772b82136fd9559c98469add2ed7bec3e53b454571eebf9af4c605c12f7c92896dbf7761fd62b793dfdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c55cb392341cad03f7ba49df09979bf

SHA1
3d3da5fddc5587ed9cdb56d2e0ea73db298f4dde

SHA256
3160b619e1ca3301064f982154374ad62e7ae6c7a5060dbb0422b6e8c46323ae

SHA512
6151cb71a99365660ecb1975503a74c4f5bfb4c52293d46b2494025303e62ba8e13d742b0d0d23748f0d8f5028f8c0c692bfdc85b65a049f48e3e78b89dd4073

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
055bfb13d4dadd57aa01937332939bf5

SHA1
92a2091139da64c0bbaba0f551f4e830dfd14731

SHA256
bf4c14d22c338af6454e9a9a762c8092c7811598efc662ee717b2d8c1b2fc73b

SHA512
49f79608290e642231193619bfab51240da9fa1c61a3124ce78363f5f8c1059433b61e8591905de0d7ac4b0ec79c028526c5d61a3da3e25c4123b9e716d5d43e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52e8af1f86ac885c869c9cc77eba6cbd

SHA1
b07646a580f8e5e05a629ed8f7787eb9317b3ba5

SHA256
9415316d896aab413307aed153dadba8503dede39eb1edbc4190ce8188918d45

SHA512
0e8a5cd8f1c11eb34071db7e2998efe1e722f0f63c3048801ad60d5c9399592ea0b286c2e75b6773bcb2f7144b82ad4d06b288d8ae0dcd0227192a45f800f9ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f43dec19bbc0de9c7c0cad34c45c78d6

SHA1
e920415f67cbb79357edb71325ccb1e0d4230446

SHA256
dee6b57e84581e326ffa3031c71a92505ca2b783ffd43885989a70795d85a8e8

SHA512
2f7d4845d8226be24190d5d1df396ef4afebaa689df4c1c9140fc4249d912c8ce9aa9d2963634a7666017f02eaca5c062d8bb64dff27699348b17e698a641ba1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
88f40769081825205f08839bc015818a

SHA1
d13251e9e9b241402685aec828b7664f7d32f56f

SHA256
c2a7ae25a81fc8cb33bdd97cf809f8f0aac4b7966ebb05f5cf61358eee3910db

SHA512
01d907a6f2c1683e6a080f9760173ec5d462c75531ca17d3c1938967ed22a83b4c6d43d555c36955e08fd020143bb12f9ee455ae8e9be9ccf8b1c42b9e6cd326

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e6e39e9507646d421bd1593b12ecd0b

SHA1
c4ba188a7b45e8b1e62b22e3ceb0a2299477a593

SHA256
ac35116c6250d9253a3dbe46931f913a6a9beb5c4c401d63675587e605827fc5

SHA512
9d77b187eff7cc51d1c08df64b1f7e50072176bb7a1cb3bee80edbdd022bd5b318510cd76a273c43633bb3b021116203e9b9623bfd3825de0fbc8773b738c702

Download Submit
C:\Users\Admin\AppData\Local\Temp\23CLvB8Ots.bat

Filesize
194B

MD5
a35c814d1382b957e9574315fb3bcb7f

SHA1
6b2617ec541923385aaf971b35028c3346239bf4

SHA256
96734368abe8d3f966fc1cf93f2ab0debecf42262200fc58df8be77f1fdbcd26

SHA512
dbf83fd1266ca23b92a6782654a1663e171fa7d09ba0644a2d9995920e3fda093934d331af1755643c10ed59033e310959d7b6e74cabb041293bab813ff82511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5FCE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat

Filesize
194B

MD5
a7bf9a5410d968c6fbbdb37b9baee18d

SHA1
73f53167bba397dc4f8a0c89addef5de75e226aa

SHA256
3f68684e4c406b8d0018a1bf9ac340b00458203ce8a447f85d62d1a298fb5d19

SHA512
3458ed1aa645b0738c40f46d84b0bb3f4d584cc597c81e6fbeca761fa0521993703ad18e381fbbe29be74c721b98e29e9ddb235881fd2f9f95146578ad9ec4ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\QY0o5k1hVk.bat

Filesize
194B

MD5
e9d1ce57f72d0d3209c2efbc6c5bb549

SHA1
0f566b82a4e0223b3181cc26a80ae7a475b5792f

SHA256
ad013f9f5e138d57a16185192db9f95e802dbf42e5c626f5383b6f9570ed0380

SHA512
e2cc53a6dfdf678d9fdc39b01f4a6a9af2a7c34bdadd93de931a92a2abb92f9cd74db0ad598e1f15045d1fcfe2dbf23c2873ba536b0f1cd7843ecc3756f95cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5FE1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\V61H6ynXXY.bat

Filesize
194B

MD5
5c88e5d538d6c6b3002f8d2de4d37f24

SHA1
5214568538dcf8ece396cfe1947d087ef3c0663e

SHA256
4d8e4460ee954018d107f613531e5c583f58d01b1169982fd172cd25d656563c

SHA512
adb43d9fb639f8ec0f5cffec205547b2353dd870583371b24dd6ac31f878399625d5d1090ae1708c669451804435f5deb047882db0fb718a2cb660f2197a3c6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat

Filesize
194B

MD5
79f2ea6028fecebc3cf596ab040e0c49

SHA1
827bbb8157482649785518af9865e1f2117e4b32

SHA256
700c236069fb362a2a49739f9736b557e51ce031907a081bb0cd3594a6d69805

SHA512
9f5c74e3807d466785fd2045120bc0c9c86d29177fbe5b01a0ba713440724b57251921875ab7559c8f671f3456f43ce74e56f9a32c392421b7112def5985237b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hD3D8PLBZ9.bat

Filesize
194B

MD5
9e4fb83cddaa2fb60453069e77c94360

SHA1
4d76582cebd89783f658f5ba6c3869f3f12c48ed

SHA256
15d62238ea435db9e08ec8d4d8da40476a9afb9768c6d7faae55628451e0ad56

SHA512
b412a1d542ef1ccc414b453712bce9be0f8aaa30941b516fecc8885bbed544f944534bcfeeed9c265015cd3e930d35183cd624bbf6dbd2b36372e8b25fb73ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat

Filesize
194B

MD5
fc346f00ea435a1de45d0cc18c7135db

SHA1
897fef248da1b34093fab72500019b4c2b40366b

SHA256
0c82bd9ec4430fa38398c7a8138852386f0639d8d40963951b6d15c2fba6c387

SHA512
b833563f6282b64fd076a9e1b02187f881c71f93300d228faebf8cb6fde47c382d7690fd594b94987fa640c571e82e1ec2767b4709750a62fd04064311782fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lKhhpQ3tH5.bat

Filesize
194B

MD5
7dc0558624b7967ba9e38edbb968e184

SHA1
e4c19469a8380b3d609a15d80f8016a210941af9

SHA256
4417f9e24d82b00d7b25d52be56244ba67bf1301cb1f180d0949efe3a82772d8

SHA512
6fc3210dbe8a486a1d9f0b1363596cf8e6bf6ef958349de018150cd82a930827fd4027683218b4bc4ae9a6d6b2d98505449af836f8dcddd64c1c757928351950

Download Submit
C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat

Filesize
194B

MD5
1e5d09babb81bf4411d261d3a4220125

SHA1
3b50bc99b8b7e3b37aa8db5611df2912781906d3

SHA256
5920f4afb235852485c9640d1e11526b037d05776acbacf2fc551e3909ce5835

SHA512
281a7243c975362085b7b889476b1a85f9524aea38a7c26a0f382b391cc9f7b3d3b50b568a9f3c777e1586486a3bddb9071a81f5af66ff90758fa486f1bf07b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
dedb86314bdafcabf108e6a7f32ac414

SHA1
4aed04704e776b432f2fd46585cc4576b8762ab3

SHA256
740e5a2aac402a516d267abab8c4fe0376d3b55d29fa862d03d9fb9aed423afd

SHA512
cd3ae91ee43599fd6c9d2fd79a85055ca671eccf6b27aecb88a0ef7ebdf1bfc087c0db9c4bd1a8697cb441177b957cc271bf2c0ece71b87515dfbf68a9c35acd

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/540-411-0x00000000011A0000-0x00000000012B0000-memory.dmp

Filesize
1.1MB

Download
memory/1648-232-0x0000000000980000-0x0000000000A90000-memory.dmp

Filesize
1.1MB

Download
memory/1900-52-0x0000000000240000-0x0000000000350000-memory.dmp

Filesize
1.1MB

Download
memory/2148-351-0x0000000000C00000-0x0000000000D10000-memory.dmp

Filesize
1.1MB

Download
memory/2268-530-0x00000000011D0000-0x00000000012E0000-memory.dmp

Filesize
1.1MB

Download
memory/2268-531-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2436-172-0x00000000002D0000-0x00000000003E0000-memory.dmp

Filesize
1.1MB

Download
memory/2460-39-0x0000000002870000-0x0000000002878000-memory.dmp

Filesize
32KB

Download
memory/2460-37-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2508-112-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/2508-111-0x0000000000A20000-0x0000000000B30000-memory.dmp

Filesize
1.1MB

Download
memory/2872-13-0x0000000001130000-0x0000000001240000-memory.dmp

Filesize
1.1MB

Download
memory/2872-14-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2872-15-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2872-16-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/2872-17-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download