dcrat | fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2025 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
Size

2.0MB
MD5

15af6864baf346e9b5fa1430a056e1a8
SHA1

5ad0dfff7f611bb92ee3d3f24323f4dd9c7d5562
SHA256

fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f
SHA512

aa9c756d9112da082f097f54d0e49b6229639a0e35277dbd560f7623aa01603b542db06d50bfea298e45b66212b32b7677d5d1ab20c75c275e32f743c26bf495
SSDEEP

24576:BhnLIfy0Y3sDsvEeuXKWdd0wrT8aF/2FFL64FHFEVI1PYAXFeTiEHyG0GieYAOe/:fgNPZdzkaFO7WeYgFeGESG01eYAU7Y

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	4036	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	4036	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	4036	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	4036	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	4036	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	4036	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	4036	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	4036	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	4036	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	4036	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	4036	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	4036	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	4036	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	4036	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3104	4036	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	4036	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	4036	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	4036	schtasks.exe	83

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ipinfo.io
16	ipinfo.io
47	ipinfo.io
48	ipinfo.io

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\Download\e6c9b481da804f	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
File created	C:\Program Files (x86)\Windows Portable Devices\upfc.exe	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
File created	C:\Program Files (x86)\Windows Portable Devices\ea1d8f6d871115	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
File created	C:\Program Files (x86)\Google\Update\Download\OfficeClickToRun.exe	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\OfficeClickToRun.exe	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\CSC\Registry.exe	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
File created	C:\Windows\Logs\CBS\sihost.exe	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
File created	C:\Windows\Logs\CBS\66fc9ff0ee96c2	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
File created	C:\Windows\schemas\EAPHost\dwm.exe	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4824	schtasks.exe
4688	schtasks.exe
2248	schtasks.exe
3604	schtasks.exe
3104	schtasks.exe
1756	schtasks.exe
1484	schtasks.exe
1320	schtasks.exe
1004	schtasks.exe
4032	schtasks.exe
448	schtasks.exe
680	schtasks.exe
4332	schtasks.exe
1556	schtasks.exe
216	schtasks.exe
1992	schtasks.exe
208	schtasks.exe
4040	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
620	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
Token: SeDebugPrivilege	620	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 4384	4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe	103
PID 4736 wrote to memory of 4384	4736	fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe	103
PID 4384 wrote to memory of 2824	4384	cmd.exe	105
PID 4384 wrote to memory of 2824	4384	cmd.exe	105
PID 4384 wrote to memory of 3456	4384	cmd.exe	106
PID 4384 wrote to memory of 3456	4384	cmd.exe	106
PID 4384 wrote to memory of 620	4384	cmd.exe	113
PID 4384 wrote to memory of 620	4384	cmd.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
"C:\Users\Admin\AppData\Local\Temp\fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\miKLhpZ63d.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2824
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3456
- - C:\Users\Admin\AppData\Local\Temp\fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe
    "C:\Users\Admin\AppData\Local\Temp\fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Windows\Logs\CBS\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Logs\CBS\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Windows\Logs\CBS\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877ff" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f" /sc ONLOGON /tr "'C:\Users\Public\Downloads\fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877ff" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Update\Download\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Download\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\Download\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877ff" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877ff" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Portable Devices\upfc.exe

Filesize
2.0MB

MD5
15af6864baf346e9b5fa1430a056e1a8

SHA1
5ad0dfff7f611bb92ee3d3f24323f4dd9c7d5562

SHA256
fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f

SHA512
aa9c756d9112da082f097f54d0e49b6229639a0e35277dbd560f7623aa01603b542db06d50bfea298e45b66212b32b7677d5d1ab20c75c275e32f743c26bf495

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fc7c1ae206763de95cdfd31d847ca4a6ecdcd0ee4d1fa30dc6c9e29d6f85877f.exe.log

Filesize
1KB

MD5
cb4338b342d00bfe6111ffee5cbfc2ed

SHA1
fc16673b6833ad3cb00743a32868b859e90aa536

SHA256
343ed6661687e81c9615dcaea42fb1a98b70572bb9fe07e16f020108725dbbe9

SHA512
4bcea1366b8be00d08eb15cfd78c87e1c8f3aea140a4ea30efb3c0511cd3de21b7ce8c933c7478fb06a356573ecb928e50df23d340fbd9a6e6c156a004d2a77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\miKLhpZ63d.bat

Filesize
278B

MD5
d43d4ec7385b67fceb163ac691d3aef7

SHA1
0d9a652d2eae1b0ff2b3f35dbe9462c224eb9bc2

SHA256
6171273bfcbf56a7be26ed20da69d1bc3701ac1761717f2e4373edcceffa9367

SHA512
d3352decffa803595b2a62021bd515a6422c8443664f27969e2ff5a6df841e75cd211f21874ed5dc68b246e7bbd0b00ace49bda52c30841e4e925f36e110c439

Download Submit
memory/620-61-0x000000001B550000-0x000000001B61D000-memory.dmp

Filesize
820KB

Download
memory/4736-18-0x000000001B5F0000-0x000000001B5FE000-memory.dmp

Filesize
56KB

Download
memory/4736-26-0x00007FFB76540000-0x00007FFB77001000-memory.dmp

Filesize
10.8MB

Download
memory/4736-7-0x00007FFB76540000-0x00007FFB77001000-memory.dmp

Filesize
10.8MB

Download
memory/4736-9-0x000000001B5B0000-0x000000001B5CC000-memory.dmp

Filesize
112KB

Download
memory/4736-10-0x000000001B940000-0x000000001B990000-memory.dmp

Filesize
320KB

Download
memory/4736-12-0x000000001B5D0000-0x000000001B5E8000-memory.dmp

Filesize
96KB

Download
memory/4736-14-0x000000001B590000-0x000000001B59E000-memory.dmp

Filesize
56KB

Download
memory/4736-21-0x000000001B600000-0x000000001B608000-memory.dmp

Filesize
32KB

Download
memory/4736-23-0x000000001B610000-0x000000001B61C000-memory.dmp

Filesize
48KB

Download
memory/4736-19-0x00007FFB76540000-0x00007FFB77001000-memory.dmp

Filesize
10.8MB

Download
memory/4736-0-0x00007FFB76543000-0x00007FFB76545000-memory.dmp

Filesize
8KB

Download
memory/4736-16-0x000000001B5A0000-0x000000001B5AC000-memory.dmp

Filesize
48KB

Download
memory/4736-24-0x00007FFB76540000-0x00007FFB77001000-memory.dmp

Filesize
10.8MB

Download
memory/4736-6-0x000000001B580000-0x000000001B58E000-memory.dmp

Filesize
56KB

Download
memory/4736-33-0x00007FFB76540000-0x00007FFB77001000-memory.dmp

Filesize
10.8MB

Download
memory/4736-4-0x00007FFB76540000-0x00007FFB77001000-memory.dmp

Filesize
10.8MB

Download
memory/4736-38-0x00007FFB76540000-0x00007FFB77001000-memory.dmp

Filesize
10.8MB

Download
memory/4736-39-0x00007FFB76540000-0x00007FFB77001000-memory.dmp

Filesize
10.8MB

Download
memory/4736-40-0x00007FFB76540000-0x00007FFB77001000-memory.dmp

Filesize
10.8MB

Download
memory/4736-41-0x00007FFB76540000-0x00007FFB77001000-memory.dmp

Filesize
10.8MB

Download
memory/4736-42-0x00007FFB76540000-0x00007FFB77001000-memory.dmp

Filesize
10.8MB

Download
memory/4736-43-0x00007FFB76540000-0x00007FFB77001000-memory.dmp

Filesize
10.8MB

Download
memory/4736-51-0x00007FFB76540000-0x00007FFB77001000-memory.dmp

Filesize
10.8MB

Download
memory/4736-3-0x00007FFB76540000-0x00007FFB77001000-memory.dmp

Filesize
10.8MB

Download
memory/4736-49-0x000000001BBD0000-0x000000001BC9D000-memory.dmp

Filesize
820KB

Download
memory/4736-2-0x00007FFB76540000-0x00007FFB77001000-memory.dmp

Filesize
10.8MB

Download
memory/4736-1-0x0000000000680000-0x000000000087C000-memory.dmp

Filesize
2.0MB

Download