dcrat | c0d51cad38cd578ac0f62737185d0e15184843b8a118bb978d11d9e86998eef3

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0d51cad38cd578ac0f62737185d0e15184843b8a118bb978d11d9e86998eef3.exe
Size

1.1MB
MD5

11da048860021b6c22e171032e48b023
SHA1

b3b636a8bd17223454b4522fdbdb4863e0c4a565
SHA256

c0d51cad38cd578ac0f62737185d0e15184843b8a118bb978d11d9e86998eef3
SHA512

09b8bc3f1fa034d28a14e0fc5e44722ee84cfd9b32dc7887674100d967b3c9232d7ae42156c8d45050ea781ba87a3ee29a54bfc04bef98c6e5f6d9123444509f
SSDEEP

24576:U2G/nvxW3Ww0tpI7rd5XFM2cxARnZ0S/J1:UbA30pILXZjv

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2628	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2628	schtasks.exe	35

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001659b-11.dat	dcrat
behavioral1/memory/2768-13-0x0000000000980000-0x0000000000A56000-memory.dmp	dcrat
behavioral1/memory/1400-43-0x00000000009F0000-0x0000000000AC6000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

pid	Process
2768	chainMonitor.exe
1400	chainMonitor.exe

Loads dropped DLL 2 IoCs

pid	Process
2268	cmd.exe
2268	cmd.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\lsm.exe	chainMonitor.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\lsm.exe	chainMonitor.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\101b941d020240	chainMonitor.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\System.exe	chainMonitor.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\27d1bcfc3c54e0	chainMonitor.exe
File created	C:\Program Files (x86)\Google\CrashReports\WMIADAP.exe	chainMonitor.exe
File created	C:\Program Files (x86)\Google\CrashReports\75a57c1bdf437c	chainMonitor.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ja-JP\WMIADAP.exe	chainMonitor.exe
File created	C:\Windows\ja-JP\75a57c1bdf437c	chainMonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0d51cad38cd578ac0f62737185d0e15184843b8a118bb978d11d9e86998eef3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2648	schtasks.exe
2300	schtasks.exe
1200	schtasks.exe
1544	schtasks.exe
2740	schtasks.exe
2608	schtasks.exe
1224	schtasks.exe
2720	schtasks.exe
1292	schtasks.exe
1040	schtasks.exe
2904	schtasks.exe
2132	schtasks.exe
2196	schtasks.exe
2932	schtasks.exe
2656	schtasks.exe
2640	schtasks.exe
1088	schtasks.exe
1724	schtasks.exe
2996	schtasks.exe
2288	schtasks.exe
2792	schtasks.exe
1472	schtasks.exe
2000	schtasks.exe
2992	schtasks.exe
2008	schtasks.exe
444	schtasks.exe
1536	schtasks.exe
1764	schtasks.exe
1840	schtasks.exe
684	schtasks.exe
1348	schtasks.exe
1528	schtasks.exe
316	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2768	chainMonitor.exe
2768	chainMonitor.exe
2768	chainMonitor.exe
1400	chainMonitor.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	chainMonitor.exe
Token: SeDebugPrivilege	1400	chainMonitor.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2344	2372	c0d51cad38cd578ac0f62737185d0e15184843b8a118bb978d11d9e86998eef3.exe	30
PID 2372 wrote to memory of 2344	2372	c0d51cad38cd578ac0f62737185d0e15184843b8a118bb978d11d9e86998eef3.exe	30
PID 2372 wrote to memory of 2344	2372	c0d51cad38cd578ac0f62737185d0e15184843b8a118bb978d11d9e86998eef3.exe	30
PID 2372 wrote to memory of 2344	2372	c0d51cad38cd578ac0f62737185d0e15184843b8a118bb978d11d9e86998eef3.exe	30
PID 2344 wrote to memory of 2268	2344	WScript.exe	32
PID 2344 wrote to memory of 2268	2344	WScript.exe	32
PID 2344 wrote to memory of 2268	2344	WScript.exe	32
PID 2344 wrote to memory of 2268	2344	WScript.exe	32
PID 2268 wrote to memory of 2768	2268	cmd.exe	34
PID 2268 wrote to memory of 2768	2268	cmd.exe	34
PID 2268 wrote to memory of 2768	2268	cmd.exe	34
PID 2268 wrote to memory of 2768	2268	cmd.exe	34
PID 2768 wrote to memory of 2176	2768	chainMonitor.exe	69
PID 2768 wrote to memory of 2176	2768	chainMonitor.exe	69
PID 2768 wrote to memory of 2176	2768	chainMonitor.exe	69
PID 2176 wrote to memory of 1052	2176	cmd.exe	71
PID 2176 wrote to memory of 1052	2176	cmd.exe	71
PID 2176 wrote to memory of 1052	2176	cmd.exe	71
PID 2176 wrote to memory of 1400	2176	cmd.exe	72
PID 2176 wrote to memory of 1400	2176	cmd.exe	72
PID 2176 wrote to memory of 1400	2176	cmd.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c0d51cad38cd578ac0f62737185d0e15184843b8a118bb978d11d9e86998eef3.exe
"C:\Users\Admin\AppData\Local\Temp\c0d51cad38cd578ac0f62737185d0e15184843b8a118bb978d11d9e86998eef3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\blockrefSessionBrokerDll\5sVJrvWE.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\blockrefSessionBrokerDll\jNiINMcACfpGfudqTH4IxZpVWTbF.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\blockrefSessionBrokerDll\chainMonitor.exe
      "C:\blockrefSessionBrokerDll\chainMonitor.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J965cvD3ui.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2176
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1052
      - C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\chainMonitor.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\chainMonitor.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\blockrefSessionBrokerDll\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\blockrefSessionBrokerDll\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\blockrefSessionBrokerDll\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\blockrefSessionBrokerDll\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\blockrefSessionBrokerDll\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\blockrefSessionBrokerDll\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainMonitorc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\chainMonitor.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainMonitor" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\chainMonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainMonitorc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\chainMonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Windows\ja-JP\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\ja-JP\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Windows\ja-JP\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\CrashReports\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\CrashReports\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\J965cvD3ui.bat

Filesize
230B

MD5
4fc3b9a195296989d98309f5b222e0b6

SHA1
f82af0dac7a5390384f229c14b70ccc6c42eaee3

SHA256
5172b6f52de45450da4d3fcfc9775eb56d1690e21dae14ba47a4dd5b980bf879

SHA512
23fead1b7727b454fb94a4d875e52da6ebf23f4f332490933b2b59c0304cb0b1c0382f68a7df1df2793c9b975e7dc61ca0b0a46fa5182bfaea987807f4cc2a58

Download Submit
C:\blockrefSessionBrokerDll\5sVJrvWE.vbe

Filesize
229B

MD5
7533c94864b144aa157dbd00f03e9871

SHA1
807bad6d8cb143e2fac7ec32a6e07a4016af308d

SHA256
1dceabad90f9b4e74e59d62eebbc86662708d2c28761074e8b4fd73aa73f60aa

SHA512
3d536e931dadb7d6efc079fc9ff336ee4f2c7a291fcd1df7139c565e74d73e4c12745b886dbb746f060cd46c36cb3d774bc2b9f3a5407a737cb94ac44ed70f8c

Download Submit
C:\blockrefSessionBrokerDll\jNiINMcACfpGfudqTH4IxZpVWTbF.bat

Filesize
46B

MD5
6f0b3744c91bc8641c6cef0ae9be66b5

SHA1
5e45aef1422d839f27a9e73b395c58eeab7ae476

SHA256
6442de1cdf0bf9500de8b74c00506a7d84193b3780f9242f55497335526aad5c

SHA512
97089e966a4969391aa2fa10d0693c103a16eea70bfbc01481ecda46ae6953e3a25abf3034500e275cc60e0e8de6f95435b2ba2c9df2cda5bf58685af4cba8e0

Download Submit
\blockrefSessionBrokerDll\chainMonitor.exe

Filesize
828KB

MD5
f6b809fa6bd0e72435fab78e9744ccd7

SHA1
52749158484cf20a6511fcd36fda0e8100ebe316

SHA256
af8a81f4387ba5ebe96f5111d56b65585c194602e5bd147997eab1b6e28ae7b2

SHA512
12c63edcd1f347b519da80c814fcf3640294fdbd2482a7be4da4d20f8f5d785d2e97f784df39ad28b317d2db3cc43d904c5584fc9eea2c1f1df01b999362adf9

Download Submit
memory/1400-43-0x00000000009F0000-0x0000000000AC6000-memory.dmp

Filesize
856KB

Download
memory/2768-13-0x0000000000980000-0x0000000000A56000-memory.dmp

Filesize
856KB

Download