dcrat | bb8b3acb02f86a5c9db1d935ee81c832330c8ff9d76971dd712737a6330947e6

Analysis

max time kernel
129s
max time network
152s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb8b3acb02f86a5c9db1d935ee81c832330c8ff9d76971dd712737a6330947e6.exe
Size

1.1MB
MD5

3d97c3832d9f34826e934d44f844380b
SHA1

120bc22ff7d32eed0254fa9e9878d67785a18af3
SHA256

bb8b3acb02f86a5c9db1d935ee81c832330c8ff9d76971dd712737a6330947e6
SHA512

466042508428a4685454f2c7d5f2ab837a08e800fbf555d20e672ace9b384cf769788d218e70960332eb7586c5a2e54221121e9f685a918ac72034d3141ed81a
SSDEEP

24576:U2G/nvxW3Ww0tM3Imo/UAPcmorg3LSjBBQ6qJ/Nx1:UbA30uI+3rgSWV

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	1292	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	1292	schtasks.exe	32

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d20-9.dat	dcrat
behavioral1/memory/1416-13-0x0000000000250000-0x0000000000326000-memory.dmp	dcrat
behavioral1/memory/1152-44-0x00000000011D0000-0x00000000012A6000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

pid	Process
1416	providerbrokerSvc.exe
1152	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2944	cmd.exe
2944	cmd.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\Accessories\fr-FR\6203df4a6bafc7	providerbrokerSvc.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\lsass.exe	providerbrokerSvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\it-IT\7a0fd90576e088	providerbrokerSvc.exe
File created	C:\Windows\debug\services.exe	providerbrokerSvc.exe
File created	C:\Windows\debug\c5b4cb5e9653cc	providerbrokerSvc.exe
File created	C:\Windows\it-IT\explorer.exe	providerbrokerSvc.exe
File opened for modification	C:\Windows\it-IT\explorer.exe	providerbrokerSvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1776	schtasks.exe
2864	schtasks.exe
2728	schtasks.exe
2620	schtasks.exe
2520	schtasks.exe
2500	schtasks.exe
1444	schtasks.exe
2804	schtasks.exe
2064	schtasks.exe
2860	schtasks.exe
2800	schtasks.exe
1980	schtasks.exe
1076	schtasks.exe
1804	schtasks.exe
568	schtasks.exe
588	schtasks.exe
2104	schtasks.exe
2652	schtasks.exe
2992	schtasks.exe
3032	schtasks.exe
2904	schtasks.exe
1296	schtasks.exe
2968	schtasks.exe
1084	schtasks.exe
3008	schtasks.exe
2780	schtasks.exe
2760	schtasks.exe
1268	schtasks.exe
2028	schtasks.exe
2148	schtasks.exe
1764	schtasks.exe
2724	schtasks.exe
2632	schtasks.exe
1992	schtasks.exe
1216	schtasks.exe
2116	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1416	providerbrokerSvc.exe
1416	providerbrokerSvc.exe
1416	providerbrokerSvc.exe
1152	services.exe
1152	services.exe
1152	services.exe
1152	services.exe
1152	services.exe
1152	services.exe
1152	services.exe
1152	services.exe
1152	services.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1152	services.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1416	providerbrokerSvc.exe
Token: SeDebugPrivilege	1152	services.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2264	1368	bb8b3acb02f86a5c9db1d935ee81c832330c8ff9d76971dd712737a6330947e6.exe	28
PID 1368 wrote to memory of 2264	1368	bb8b3acb02f86a5c9db1d935ee81c832330c8ff9d76971dd712737a6330947e6.exe	28
PID 1368 wrote to memory of 2264	1368	bb8b3acb02f86a5c9db1d935ee81c832330c8ff9d76971dd712737a6330947e6.exe	28
PID 1368 wrote to memory of 2264	1368	bb8b3acb02f86a5c9db1d935ee81c832330c8ff9d76971dd712737a6330947e6.exe	28
PID 2264 wrote to memory of 2944	2264	WScript.exe	29
PID 2264 wrote to memory of 2944	2264	WScript.exe	29
PID 2264 wrote to memory of 2944	2264	WScript.exe	29
PID 2264 wrote to memory of 2944	2264	WScript.exe	29
PID 2944 wrote to memory of 1416	2944	cmd.exe	31
PID 2944 wrote to memory of 1416	2944	cmd.exe	31
PID 2944 wrote to memory of 1416	2944	cmd.exe	31
PID 2944 wrote to memory of 1416	2944	cmd.exe	31
PID 1416 wrote to memory of 1152	1416	providerbrokerSvc.exe	69
PID 1416 wrote to memory of 1152	1416	providerbrokerSvc.exe	69
PID 1416 wrote to memory of 1152	1416	providerbrokerSvc.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bb8b3acb02f86a5c9db1d935ee81c832330c8ff9d76971dd712737a6330947e6.exe
"C:\Users\Admin\AppData\Local\Temp\bb8b3acb02f86a5c9db1d935ee81c832330c8ff9d76971dd712737a6330947e6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Serverperf\0ENRHICCWGvu6jCnNqfEKZiPT.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Serverperf\1MCuRxFvF9jAaT.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Serverperf\providerbrokerSvc.exe
      "C:\Serverperf\providerbrokerSvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1416
    - - C:\Windows\debug\services.exe
        
        "C:\Windows\debug\services.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\it-IT\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\Sample Videos\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\debug\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\debug\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\debug\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Serverperf\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Serverperf\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Serverperf\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "providerbrokerSvcp" /sc MINUTE /mo 8 /tr "'C:\Users\Default\providerbrokerSvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "providerbrokerSvc" /sc ONLOGON /tr "'C:\Users\Default\providerbrokerSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "providerbrokerSvcp" /sc MINUTE /mo 11 /tr "'C:\Users\Default\providerbrokerSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Saved Games\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Saved Games\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Serverperf\0ENRHICCWGvu6jCnNqfEKZiPT.vbe

Filesize
201B

MD5
ff40fe6d00738e080dabeb064c70c5c5

SHA1
81582b411df1f2a10dd9800ff1279032a57bed0d

SHA256
a99bb1c8e426b3fe5ffc0904744f62275d3220c1f0ed90257ea78e7b79fc4295

SHA512
d7ea6d5174f27abca0342c087e9b28ecdb51ca9438d675c20003cd13901fc817c59dc3609ed379697b9b9f1e1b626e6db804f4a800ea779296fefc05f3532f26

Download Submit
C:\Serverperf\1MCuRxFvF9jAaT.bat

Filesize
37B

MD5
0babdd8d598753148f2318b90882a92e

SHA1
1e00d8196309c258222ed1d6f2f41ca7b530b617

SHA256
dbba33ee956c4a797771ecc6bb81dcc5c3729b158accca4613406f5f53bf14d5

SHA512
29c7551459404c90cb5c1b2016bad2f840dc7878502cda2cf56da3808c285571a4d92a206dc080be06b3df0eb27e00cac6a1a48e90b707e04ef6342ed5ce5773

Download Submit
\Serverperf\providerbrokerSvc.exe

Filesize
827KB

MD5
c87a6e86673c2a8a9a1df5e905dc8aac

SHA1
93ede95025a2c757fd4d96b8821834a0c72b8de8

SHA256
0e755808c922026531766ce3647e7468ddaeae951ead8f6f862ef00783375bb4

SHA512
fd368d00684720cef0085853532a220e2d7f3e9daf00d1951536aa4ad8f9c6515366c874ea769e229385de51d48e7e6df0c48c65375914dc3d3beef988ec1929

Download Submit
memory/1152-44-0x00000000011D0000-0x00000000012A6000-memory.dmp

Filesize
856KB

Download
memory/1416-13-0x0000000000250000-0x0000000000326000-memory.dmp

Filesize
856KB

Download