dcrat | d8d8e2bd36c25798e8243ccb42440baf3f49559a1e251f2f29e70b3d46f597ed

Resubmissions

23-06-2024 06:12

240623-gyd2psscqf 10

16-07-2023 19:09

230716-xt4pkahc8t 10

Analysis

max time kernel
135s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe
Size

880KB
MD5

d5af7b4e4aa554542307474645208ce1
SHA1

aaf49c2518fb31dccdd6b8ae383b21cc6de0a430
SHA256

0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85
SHA512

785e01b295ac3a12045df777d8cd5fe86a76f06d5bab2ab77c07ca049c27119f43a1928724452339f90660ba379d74c080f810c74cb732274956ff68cc578310
SSDEEP

12288:/mcnG6zEGU6Iq2jCrYQQsbeLmFDgJzEhFP92MpgtK3IoRA7+JQEKVWk:ZnGSrU6IqQCr1KJzEhFPWtxoR12/

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	8	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	8	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	8	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	8	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	8	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	8	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	8	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	8	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	8	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	8	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	8	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	8	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	8	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	8	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	8	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	8	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	8	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	8	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3524	8	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	8	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	8	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	8	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	8	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	8	schtasks.exe	90

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral19/memory/4732-1-0x0000000000F40000-0x0000000001024000-memory.dmp	dcrat
behavioral19/files/0x0007000000023390-12.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3588	powershell.exe
3348	powershell.exe
4816	powershell.exe
4580	powershell.exe
1824	powershell.exe
756	powershell.exe
4924	powershell.exe
3236	powershell.exe
4032	powershell.exe
1796	powershell.exe
2312	powershell.exe
3664	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe

Executes dropped EXE 1 IoCs

pid	Process
640	csrss.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe
File created	C:\Program Files (x86)\Google\CrashReports\MusNotification.exe	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe
File created	C:\Program Files (x86)\Google\CrashReports\aa97147c4c782d	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\5940a34987c991	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\7a0fd90576e088	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe
File created	C:\Program Files (x86)\Google\CrashReports\msedge.exe	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe
File created	C:\Program Files (x86)\Google\CrashReports\61a52ddc9dd915	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\cc11b995f2a76d	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe
File created	C:\Windows\de-DE\winlogon.exe	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1388	schtasks.exe
2184	schtasks.exe
1252	schtasks.exe
4744	schtasks.exe
4992	schtasks.exe
232	schtasks.exe
1752	schtasks.exe
1156	schtasks.exe
3092	schtasks.exe
2364	schtasks.exe
4936	schtasks.exe
4204	schtasks.exe
4336	schtasks.exe
3524	schtasks.exe
1448	schtasks.exe
4752	schtasks.exe
5064	schtasks.exe
5084	schtasks.exe
4012	schtasks.exe
1636	schtasks.exe
2376	schtasks.exe
1124	schtasks.exe
4812	schtasks.exe
2384	schtasks.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe
4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe
4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe
4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe
4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe
4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe
4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe
3664	powershell.exe
3664	powershell.exe
4032	powershell.exe
4032	powershell.exe
4580	powershell.exe
4580	powershell.exe
2312	powershell.exe
2312	powershell.exe
756	powershell.exe
756	powershell.exe
1796	powershell.exe
1796	powershell.exe
3236	powershell.exe
3236	powershell.exe
4924	powershell.exe
4924	powershell.exe
3588	powershell.exe
3588	powershell.exe
1824	powershell.exe
1824	powershell.exe
4580	powershell.exe
4816	powershell.exe
4816	powershell.exe
3348	powershell.exe
3348	powershell.exe
4924	powershell.exe
4816	powershell.exe
4032	powershell.exe
3664	powershell.exe
2312	powershell.exe
1796	powershell.exe
756	powershell.exe
1824	powershell.exe
3588	powershell.exe
3236	powershell.exe
3348	powershell.exe
640	csrss.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe
Token: SeDebugPrivilege	4032	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	3236	powershell.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeDebugPrivilege	3588	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeDebugPrivilege	3348	powershell.exe
Token: SeDebugPrivilege	640	csrss.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 756	4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe	115
PID 4732 wrote to memory of 756	4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe	115
PID 4732 wrote to memory of 3664	4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe	116
PID 4732 wrote to memory of 3664	4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe	116
PID 4732 wrote to memory of 3588	4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe	117
PID 4732 wrote to memory of 3588	4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe	117
PID 4732 wrote to memory of 4924	4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe	118
PID 4732 wrote to memory of 4924	4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe	118
PID 4732 wrote to memory of 3236	4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe	119
PID 4732 wrote to memory of 3236	4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe	119
PID 4732 wrote to memory of 4032	4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe	120
PID 4732 wrote to memory of 4032	4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe	120
PID 4732 wrote to memory of 1824	4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe	121
PID 4732 wrote to memory of 1824	4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe	121
PID 4732 wrote to memory of 2312	4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe	122
PID 4732 wrote to memory of 2312	4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe	122
PID 4732 wrote to memory of 1796	4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe	123
PID 4732 wrote to memory of 1796	4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe	123
PID 4732 wrote to memory of 4580	4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe	125
PID 4732 wrote to memory of 4580	4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe	125
PID 4732 wrote to memory of 4816	4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe	127
PID 4732 wrote to memory of 4816	4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe	127
PID 4732 wrote to memory of 3348	4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe	128
PID 4732 wrote to memory of 3348	4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe	128
PID 4732 wrote to memory of 820	4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe	139
PID 4732 wrote to memory of 820	4732	0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe	139
PID 820 wrote to memory of 1652	820	cmd.exe	141
PID 820 wrote to memory of 1652	820	cmd.exe	141
PID 820 wrote to memory of 640	820	cmd.exe	144
PID 820 wrote to memory of 640	820	cmd.exe	144

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe
"C:\Users\Admin\AppData\Local\Temp\0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3348
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wnInqINynF.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1652
- - C:\Recovery\WindowsRE\csrss.exe
    "C:\Recovery\WindowsRE\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\CrashReports\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\CrashReports\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\CrashReports\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\CrashReports\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\odt\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\odt\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\odt\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5348 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\csrss.exe

Filesize
880KB

MD5
d5af7b4e4aa554542307474645208ce1

SHA1
aaf49c2518fb31dccdd6b8ae383b21cc6de0a430

SHA256
0dd32a3e7e27a6cc87ab60dc8a1117956b6eb07a455c2996a43edf71cfa64b85

SHA512
785e01b295ac3a12045df777d8cd5fe86a76f06d5bab2ab77c07ca049c27119f43a1928724452339f90660ba379d74c080f810c74cb732274956ff68cc578310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
360B

MD5
41769e591478b6c2db188b2cadb491e6

SHA1
d23a6c2bd5285d803832240d1113a49e4d1c5c09

SHA256
503546407ee387affb1a26e01a8a893f79cd78b6dfc73f9e2768fd712520e447

SHA512
ca5ebd48992c3dab1a557b6cd47c0a6f516a10bfb9cd019a3f459075dee1115dc696243d202e5dc45de64b2a15d64c1a6e4a277ae511b5603933ddc44262dba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h2duqnum.azi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wnInqINynF.bat

Filesize
196B

MD5
49162beb76f857569a5af148d7a825e8

SHA1
e4f40627379b3ca753913920918e43a423fdc7ee

SHA256
5815b97281dbafce30ec535baf00d3166890ef6a4391efb3c41ca72e35d4e72c

SHA512
d58fab7865aa9b70c3323ed790b475ee16e15a257219673f55ce01bf870dfbb8a90e11bdb1054b3bf8f3fd7f80205268477bd027a8e68f6fd5cff1932b4018b7

Download Submit
memory/4032-29-0x00000191B1330000-0x00000191B1352000-memory.dmp

Filesize
136KB

Download
memory/4732-80-0x00007FFD3FDC0000-0x00007FFD40881000-memory.dmp

Filesize
10.8MB

Download
memory/4732-3-0x00000000017F0000-0x00000000017FC000-memory.dmp

Filesize
48KB

Download
memory/4732-2-0x00007FFD3FDC0000-0x00007FFD40881000-memory.dmp

Filesize
10.8MB

Download
memory/4732-1-0x0000000000F40000-0x0000000001024000-memory.dmp

Filesize
912KB

Download
memory/4732-0-0x00007FFD3FDC3000-0x00007FFD3FDC5000-memory.dmp

Filesize
8KB

Download