dcrat | 54c52e6462d9cfd1a54b3c84fa21a9a2e2132b38af9ea6e6dc7a82a6fb3e4ace

Analysis

max time kernel
147s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54c52e6462d9cfd1a54b3c84fa21a9a2e2132b38af9ea6e6dc7a82a6fb3e4ace.exe
Size

1.3MB
MD5

38d5a8797e4da3916824a02eb0a22254
SHA1

9865952c57da319285a9e254d4bb49a192f86479
SHA256

54c52e6462d9cfd1a54b3c84fa21a9a2e2132b38af9ea6e6dc7a82a6fb3e4ace
SHA512

221bb02d0b95c36192b083f992edd826334c43620482367718f1f09bee1073bb06ab2b3bb09d72d4de6ebfd7af2134d38a6e83b23bcd10d22f062d5cdd5bd865
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2500	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001927a-9.dat	dcrat
behavioral1/memory/2892-13-0x0000000000E80000-0x0000000000F90000-memory.dmp	dcrat
behavioral1/memory/1896-52-0x0000000000DC0000-0x0000000000ED0000-memory.dmp	dcrat
behavioral1/memory/2852-289-0x0000000000040000-0x0000000000150000-memory.dmp	dcrat
behavioral1/memory/2884-350-0x0000000000390000-0x00000000004A0000-memory.dmp	dcrat
behavioral1/memory/2240-410-0x0000000001060000-0x0000000001170000-memory.dmp	dcrat
behavioral1/memory/2200-470-0x0000000001350000-0x0000000001460000-memory.dmp	dcrat
behavioral1/memory/960-530-0x0000000000190000-0x00000000002A0000-memory.dmp	dcrat
behavioral1/memory/2436-590-0x00000000008E0000-0x00000000009F0000-memory.dmp	dcrat
behavioral1/memory/340-650-0x0000000000B80000-0x0000000000C90000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
592	powershell.exe
1732	powershell.exe
2036	powershell.exe
1956	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2892	DllCommonsvc.exe
1896	explorer.exe
2992	explorer.exe
1708	explorer.exe
1984	explorer.exe
2852	explorer.exe
2884	explorer.exe
2240	explorer.exe
2200	explorer.exe
960	explorer.exe
2436	explorer.exe
340	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2604	cmd.exe
2604	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
33	raw.githubusercontent.com
37	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\smss.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Defender\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\69ddcba757bf72	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54c52e6462d9cfd1a54b3c84fa21a9a2e2132b38af9ea6e6dc7a82a6fb3e4ace.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3024	schtasks.exe
1344	schtasks.exe
2240	schtasks.exe
852	schtasks.exe
1532	schtasks.exe
2552	schtasks.exe
2220	schtasks.exe
1964	schtasks.exe
2388	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2892	DllCommonsvc.exe
592	powershell.exe
2036	powershell.exe
1956	powershell.exe
1732	powershell.exe
1896	explorer.exe
2992	explorer.exe
1708	explorer.exe
1984	explorer.exe
2852	explorer.exe
2884	explorer.exe
2240	explorer.exe
2200	explorer.exe
960	explorer.exe
2436	explorer.exe
340	explorer.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2892	DllCommonsvc.exe
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	1896	explorer.exe
Token: SeDebugPrivilege	2992	explorer.exe
Token: SeDebugPrivilege	1708	explorer.exe
Token: SeDebugPrivilege	1984	explorer.exe
Token: SeDebugPrivilege	2852	explorer.exe
Token: SeDebugPrivilege	2884	explorer.exe
Token: SeDebugPrivilege	2240	explorer.exe
Token: SeDebugPrivilege	2200	explorer.exe
Token: SeDebugPrivilege	960	explorer.exe
Token: SeDebugPrivilege	2436	explorer.exe
Token: SeDebugPrivilege	340	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2720	2676	54c52e6462d9cfd1a54b3c84fa21a9a2e2132b38af9ea6e6dc7a82a6fb3e4ace.exe	30
PID 2676 wrote to memory of 2720	2676	54c52e6462d9cfd1a54b3c84fa21a9a2e2132b38af9ea6e6dc7a82a6fb3e4ace.exe	30
PID 2676 wrote to memory of 2720	2676	54c52e6462d9cfd1a54b3c84fa21a9a2e2132b38af9ea6e6dc7a82a6fb3e4ace.exe	30
PID 2676 wrote to memory of 2720	2676	54c52e6462d9cfd1a54b3c84fa21a9a2e2132b38af9ea6e6dc7a82a6fb3e4ace.exe	30
PID 2720 wrote to memory of 2604	2720	WScript.exe	31
PID 2720 wrote to memory of 2604	2720	WScript.exe	31
PID 2720 wrote to memory of 2604	2720	WScript.exe	31
PID 2720 wrote to memory of 2604	2720	WScript.exe	31
PID 2604 wrote to memory of 2892	2604	cmd.exe	33
PID 2604 wrote to memory of 2892	2604	cmd.exe	33
PID 2604 wrote to memory of 2892	2604	cmd.exe	33
PID 2604 wrote to memory of 2892	2604	cmd.exe	33
PID 2892 wrote to memory of 1732	2892	DllCommonsvc.exe	44
PID 2892 wrote to memory of 1732	2892	DllCommonsvc.exe	44
PID 2892 wrote to memory of 1732	2892	DllCommonsvc.exe	44
PID 2892 wrote to memory of 2036	2892	DllCommonsvc.exe	45
PID 2892 wrote to memory of 2036	2892	DllCommonsvc.exe	45
PID 2892 wrote to memory of 2036	2892	DllCommonsvc.exe	45
PID 2892 wrote to memory of 1956	2892	DllCommonsvc.exe	46
PID 2892 wrote to memory of 1956	2892	DllCommonsvc.exe	46
PID 2892 wrote to memory of 1956	2892	DllCommonsvc.exe	46
PID 2892 wrote to memory of 592	2892	DllCommonsvc.exe	47
PID 2892 wrote to memory of 592	2892	DllCommonsvc.exe	47
PID 2892 wrote to memory of 592	2892	DllCommonsvc.exe	47
PID 2892 wrote to memory of 1884	2892	DllCommonsvc.exe	52
PID 2892 wrote to memory of 1884	2892	DllCommonsvc.exe	52
PID 2892 wrote to memory of 1884	2892	DllCommonsvc.exe	52
PID 1884 wrote to memory of 2268	1884	cmd.exe	54
PID 1884 wrote to memory of 2268	1884	cmd.exe	54
PID 1884 wrote to memory of 2268	1884	cmd.exe	54
PID 1884 wrote to memory of 1896	1884	cmd.exe	55
PID 1884 wrote to memory of 1896	1884	cmd.exe	55
PID 1884 wrote to memory of 1896	1884	cmd.exe	55
PID 1896 wrote to memory of 2364	1896	explorer.exe	56
PID 1896 wrote to memory of 2364	1896	explorer.exe	56
PID 1896 wrote to memory of 2364	1896	explorer.exe	56
PID 2364 wrote to memory of 2984	2364	cmd.exe	58
PID 2364 wrote to memory of 2984	2364	cmd.exe	58
PID 2364 wrote to memory of 2984	2364	cmd.exe	58
PID 2364 wrote to memory of 2992	2364	cmd.exe	59
PID 2364 wrote to memory of 2992	2364	cmd.exe	59
PID 2364 wrote to memory of 2992	2364	cmd.exe	59
PID 2992 wrote to memory of 296	2992	explorer.exe	60
PID 2992 wrote to memory of 296	2992	explorer.exe	60
PID 2992 wrote to memory of 296	2992	explorer.exe	60
PID 296 wrote to memory of 876	296	cmd.exe	62
PID 296 wrote to memory of 876	296	cmd.exe	62
PID 296 wrote to memory of 876	296	cmd.exe	62
PID 296 wrote to memory of 1708	296	cmd.exe	63
PID 296 wrote to memory of 1708	296	cmd.exe	63
PID 296 wrote to memory of 1708	296	cmd.exe	63
PID 1708 wrote to memory of 1364	1708	explorer.exe	64
PID 1708 wrote to memory of 1364	1708	explorer.exe	64
PID 1708 wrote to memory of 1364	1708	explorer.exe	64
PID 1364 wrote to memory of 2064	1364	cmd.exe	66
PID 1364 wrote to memory of 2064	1364	cmd.exe	66
PID 1364 wrote to memory of 2064	1364	cmd.exe	66
PID 1364 wrote to memory of 1984	1364	cmd.exe	67
PID 1364 wrote to memory of 1984	1364	cmd.exe	67
PID 1364 wrote to memory of 1984	1364	cmd.exe	67
PID 1984 wrote to memory of 916	1984	explorer.exe	68
PID 1984 wrote to memory of 916	1984	explorer.exe	68
PID 1984 wrote to memory of 916	1984	explorer.exe	68
PID 916 wrote to memory of 2156	916	cmd.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\54c52e6462d9cfd1a54b3c84fa21a9a2e2132b38af9ea6e6dc7a82a6fb3e4ace.exe
"C:\Users\Admin\AppData\Local\Temp\54c52e6462d9cfd1a54b3c84fa21a9a2e2132b38af9ea6e6dc7a82a6fb3e4ace.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:592
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lKhhpQ3tH5.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1884
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2268
      - C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gNv7qRJ8U.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2984
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\57xCWyooww.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:876
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0SbqORFfit.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2064
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2156
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat"
        15⤵
        
        PID:2640
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2580
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\16sHyqWYU0.bat"
        17⤵
        
        PID:2344
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2428
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ww6iFNwlpp.bat"
        19⤵
        
        PID:1888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:616
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat"
        21⤵
        
        PID:2764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2484
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat"
        23⤵
        
        PID:2836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2060
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat"
        25⤵
        
        PID:692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1484
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Downloads\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Downloads\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b16f32bee24c63787c5c4b257a64461e

SHA1
b63ed6e4fd27239040006ee5cfe246df0d78eb87

SHA256
26f592d2e76615d7c8936442d1d6663f6c6effd6f9f340776be93daa4bf61ca7

SHA512
744fe4777496d9f979711ca0e0d5f28bbf9a2de4c42c0e93b846eebfabc1ad50ca0f5eec8190941ec2bbe5d0abf4f96ae093137aac52b7ee03ecb2decb79d940

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d94e76fe7ac83a7949bfeb339ce7e847

SHA1
0f38380e25928329e36592aad392327b2da958d0

SHA256
1a124209a678474ac46833db7434a23825d4514c1da987d66fda672ca71026e5

SHA512
6b77f68640a7ac804316798fa1301c805e62084ac7c8eea6d86cc535d9e3ce5fc9ae8f40907aab08789af76e0c247375f13ddc4a49330bc540f61b8ebec835ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37b4ec1a91db9afd6694f0d39ec4a592

SHA1
81f7e9c54ecd2fda31090a1b6b3259149e2b45bd

SHA256
a80090699c45e740dc75f525ad958cc699d2b5720b5d7716bb6e241eeb7f0e68

SHA512
6e6d56064d2bb1d01f194e4abab0e2702e2369e70141efd8ae3778015c95a2320bd87cbae7434c3d8a21b7aaac5013fa95a9ec159033b1abae59adeb95fcaa50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2c66f30331e77f892fea18b921dab89

SHA1
495e98977ebf6277025bb96cef5011d99eda0132

SHA256
c1f55cd9d69c26787dfbf2a64ec0467b628acc032e1ef14f6e8a1fa54ee4dd07

SHA512
2e60a5a866e8af3fe707464cc669297801b25df7ae1c3ff1176c65777529928ba009cf4ecb12710e33d89d25a1ef7705ee19da6fab99ac617c77f695a050c1df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fb75dcbb0b058a81ec5ecb118e7bf1f

SHA1
a77813dcb19df7858eaa975a1dd2538438eb8f36

SHA256
d987ab32bf93ed399b802faa88018d083f9d5617fd0cfdcf92c305c1c29cf6c7

SHA512
13bb5e79866af9439a2a99ea8f7d30bd6ef3b6e5ed68d3915c21403612709a75d031fd146fcb81da74d6926190de35743787cfe375a966b6ef9fb05e6049cbb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4d72507b761376e816410e91671d718

SHA1
747011db9f3f86cbed1b3c6693a22994825f3b25

SHA256
c5f5fabe6878b159f749335bf94009ec641e4dfe2b2444e8167b467634a994e5

SHA512
1052d3e4e26cd459eed4aa4ffa6f542cdca3419c8750ea7d0229c775c1c7427b1accf4052069d7d59fe0e592e3b6f9a2b32691cc7f79a9a328d203a4f8e1d1aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4812837d9bf7a01571ffef499535a33e

SHA1
44efb01a5530f415277ff90d6f77de9071b02381

SHA256
1c31b5f86921be26a5f318edb8d9cbdecbf884737bcc85af0acf3e4c73dc40f9

SHA512
23a832b227b1fb01f1ffb69aae7fea9466e7d1293720681c626f6e80c06dd3ec5d2d4e443685d06703915fca10d0ae7f470607ec6552b56f0d303fdc5b633a1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6a8c6273a70c23682c6686d95db8c27

SHA1
d838dc59c8778699b5d82dd09d2722a1f1484d1e

SHA256
ad8df635507e5c255ba1e4beb335516f60b3a3b1aa5746f5864c4f6a9b0f33c7

SHA512
7a6861baeeba58e21ed06ef1fa8a6dd6c74f5c0d29f2efaf6e1675ed2051b4dffbab076e4b9f53465682abebb18f290ba64e512a2ee43df39602f6f3cd4103af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3151b61e003aa25c48038716ead78d0b

SHA1
d36e0b0230eb24c397e24d3de0edb9efb8bca634

SHA256
c9a1828e459b4ac4c0925b400413dcf97e38838da2a49d6ae9149a0fcf7bd252

SHA512
95913b55eb6b7208dbc4bfd42bff0d6e3c6f2b087cffe3884c20f41857a506416cc44f04237a6f87940e82e0ed44ea6e8c1b8856b54a2c0f6636a69981bc3c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0SbqORFfit.bat

Filesize
195B

MD5
e5d76fb6b7cce74cf9528f3f5bd475a2

SHA1
2c5cacbc5107037c6bb31c9486f6d9f6a2e59a94

SHA256
6b011c006c9db4c29d7d678aebc201006d04e9bee155ee9f6b66444b027a7845

SHA512
01c9294a6b0e5e90459dadd666534a6aef3aeae8253bca10f4dd12018428372657ce7e2b46b0a38f66c174952f99753f2b935e8f1eee4b4b1dfa185b914f9288

Download Submit
C:\Users\Admin\AppData\Local\Temp\16sHyqWYU0.bat

Filesize
195B

MD5
f208bf7a6e2baf768e87b879da622e85

SHA1
9c628e9c03c2484e39c9b8238520bc68019ca763

SHA256
b2a87a43d41da5cdc3977ab3bef79776ad05a6798df7457179fab4e0ad7556dc

SHA512
9af6890d100b61a9a475eb7c8c3e4cf70bef8a92ca5b839ac5c8951fbc91d6db49169f1df54557e49d67eb9aaadb0b8666a1b374809f932ba14f90cc62e1a42a

Download Submit
C:\Users\Admin\AppData\Local\Temp\57xCWyooww.bat

Filesize
195B

MD5
244f75a26c382567448e3c09268bba6f

SHA1
e44c785d878887e5e9c7e141a078765beb8db751

SHA256
b7d2a4b3a82ba792097b5da8cf4d05280b3aaf636cd77c498ccfc44336fe1b86

SHA512
eec3a6f0b901ebd36a239965417966766b43d4b6543458398f3b68712ee42c7ca56ff1f3e3967615357ba4cd52798aa73151df043a24ebc421ecf60f04eefd13

Download Submit
C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat

Filesize
195B

MD5
2413816fe6a9f9aaf2b3800de42d2084

SHA1
2667ffe65a36f76750791bc9b8b6aebd1156c7fd

SHA256
f32c8acf063a4fae3d4e1f73a86e2d2082b20bc395f2f0270ae792a4c3ffc51f

SHA512
9f9581d45151095c89dab5ce021eaab66942ac64ba63c45af23fa23a1eff81aaebeea1a050e0e4f2343db6931ecfe83038a26914fc8861c75c105c3bdf269412

Download Submit
C:\Users\Admin\AppData\Local\Temp\9gNv7qRJ8U.bat

Filesize
195B

MD5
72515b21c379f1e9887bda3858263b23

SHA1
66583303ca718dd31b1435210413b669f7d16ab0

SHA256
b9fdaf6087b31ad779eb61304901f865a1fb6518aeaae559a13748ee803738b6

SHA512
4c8547a4353ef769ed2699cd73efca063f2426d383e48a1fb74000d2d9093ec37cc460c3f8d11b9dc98bb2a47fe435cbac1cdd0d46caab5ebd9b21c744cf30a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab74A5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat

Filesize
195B

MD5
7d97afbd7ba0fea1d615d205595b3ccf

SHA1
e32aac653782953f7163510acc4aaf7dba9b9d03

SHA256
cdf45cf3a34b70d707d5285448cef1b5ca131e4cfee3bd8237e5e7583bf910bf

SHA512
806e27810bace65081097c19666903011c0c172065b4406c624f3988b0a2adb6187c5526577f1b62d148e21fc7aac849033c938cd023277477aa2d1189b2bcb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat

Filesize
195B

MD5
52a52369502eb9f21949ec1f40771a2d

SHA1
fc4e4163a35151d58b84737610ec7f79c5843db2

SHA256
1a5f1e6899691c3163f4516ae6dd902054131281f3926374b743e979fa40b3ab

SHA512
581be156f9971d95eeafa52d2b2b80200e46ff51785f6644fd84c8d7b2159846721f9066aeee080cf51d89c06212863bd9664c544f8bdd610275f6d2cfe07938

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar74B8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ww6iFNwlpp.bat

Filesize
195B

MD5
477fa680bdd9ef8f55fdedda6119d5b4

SHA1
e0353e425e0eee6e45d57f84ac262d1ea1e16d07

SHA256
4e6c1f16a9ab918e44949f2171f2f6e3928604553e3165c4fde3072995f13a1f

SHA512
aee12a63ef47e425349a4f97cf56430ef3f5a5c4414658363ccb24bb8b38ab15a3913f9ba8fe5e20418d7c202a1513e3ab74b3a66189828d7a70573114f4438b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat

Filesize
195B

MD5
fea3c34cd7e72b3901f2b7ef1cfcf5cc

SHA1
d67ae06e1ed86428c6c2bc6f2518ee4e61f46a7a

SHA256
67a86aa61f9b64e799d2d502c52737a1cba4858657bf16aee3edf7c0622a0513

SHA512
836fe46c3f3b7b17748635a2578271c8d1055c20206e2ed76bdc4b5f19176dd4557d4654bc9603b04ed7edc31c79e2fb110d6f6daecc6886a1c509ab22c588b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lKhhpQ3tH5.bat

Filesize
195B

MD5
2cb7b4454ada1b583dbd0cf89389abd7

SHA1
4e822b2b715f1fc29e4de94781a6fc62667e55e1

SHA256
bbdfa0b73ee118e8f31795b226a456ccd399a5b97ba4fd71e452b3215208932b

SHA512
e264981f212a48bbe5c9c1a968e44e1bf3f0d8e3a3a3e2cb77f82843c80540723bdbb5a81e3e00617ba1291a69441ab40ed079b99e2068d02b6056920891315d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat

Filesize
195B

MD5
bb7899a62c9eeeead6a191873076b15c

SHA1
164554d984fca1837bcd37802381aeb0b22a6590

SHA256
ba8b5be345007d282c377bba6825eb1936021e6546e1708001f6599981ce4ebe

SHA512
22742dc6fc7344a4fa4783075e5e94ce13ec8d8df5b02999d6583c25481200f718a454a25df7fca8f03ace3f5133eaca9a7bdb30924a173c9d40def49f1ed141

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
916e59212600a5417d3a0c38048c599e

SHA1
aa03d7f70bd49f92cbbd172ba156ff267d39ff02

SHA256
fbc479898e3ea8436c216a37717474a09c7398734193061e1acad22d4c3453c5

SHA512
1123960d97db424dbc91b278d0518432cdd0292125df51263689a5511fac9b7695f2a1c287750dedd365417afd493ae82c4764bbbcc270494b479b5c437c70f3

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/340-650-0x0000000000B80000-0x0000000000C90000-memory.dmp

Filesize
1.1MB

Download
memory/592-48-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/592-47-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/960-530-0x0000000000190000-0x00000000002A0000-memory.dmp

Filesize
1.1MB

Download
memory/1896-53-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/1896-52-0x0000000000DC0000-0x0000000000ED0000-memory.dmp

Filesize
1.1MB

Download
memory/2200-470-0x0000000001350000-0x0000000001460000-memory.dmp

Filesize
1.1MB

Download
memory/2240-410-0x0000000001060000-0x0000000001170000-memory.dmp

Filesize
1.1MB

Download
memory/2436-590-0x00000000008E0000-0x00000000009F0000-memory.dmp

Filesize
1.1MB

Download
memory/2852-289-0x0000000000040000-0x0000000000150000-memory.dmp

Filesize
1.1MB

Download
memory/2852-290-0x0000000002080000-0x0000000002092000-memory.dmp

Filesize
72KB

Download
memory/2884-350-0x0000000000390000-0x00000000004A0000-memory.dmp

Filesize
1.1MB

Download
memory/2892-17-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2892-16-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2892-15-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2892-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2892-13-0x0000000000E80000-0x0000000000F90000-memory.dmp

Filesize
1.1MB

Download