dcrat | 95ec03e44cb5cd94e5ba40a4ed149714f1899b1899bbd579cb935e12bd3ce841

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-01-2025 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95ec03e44cb5cd94e5ba40a4ed149714f1899b1899bbd579cb935e12bd3ce841.exe
Size

1.3MB
MD5

4175afbbd752cb48d7e25bcecd46e2fe
SHA1

af6db6cd55f9dd9d66ff60b23e71289e6d07fbeb
SHA256

95ec03e44cb5cd94e5ba40a4ed149714f1899b1899bbd579cb935e12bd3ce841
SHA512

4a2dd35ff9c29aaccf03fdc05a56b7f4b7955fd99f4fd4bf5bb905fe6f0fff6ad9c2c88ee22ded12677236e19db9d58bed74d220b5c374d7fabd52f141200b7d
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjCT:UbA30GnzV/q+DnsXgF

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2620	schtasks.exe	35

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015f96-9.dat	dcrat
behavioral1/memory/2844-13-0x0000000001390000-0x00000000014A0000-memory.dmp	dcrat
behavioral1/memory/972-45-0x0000000000330000-0x0000000000440000-memory.dmp	dcrat
behavioral1/memory/2728-115-0x00000000000C0000-0x00000000001D0000-memory.dmp	dcrat
behavioral1/memory/1708-175-0x0000000000B20000-0x0000000000C30000-memory.dmp	dcrat
behavioral1/memory/896-294-0x0000000000F50000-0x0000000001060000-memory.dmp	dcrat
behavioral1/memory/1500-354-0x0000000000360000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/2776-414-0x0000000000D30000-0x0000000000E40000-memory.dmp	dcrat
behavioral1/memory/1224-475-0x0000000001290000-0x00000000013A0000-memory.dmp	dcrat
behavioral1/memory/2900-535-0x0000000000390000-0x00000000004A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1088	powershell.exe
2816	powershell.exe
1056	powershell.exe
1684	powershell.exe
1884	powershell.exe
1368	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2844	DllCommonsvc.exe
972	lsm.exe
2728	lsm.exe
1708	lsm.exe
468	lsm.exe
896	lsm.exe
1500	lsm.exe
2776	lsm.exe
1224	lsm.exe
2900	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
2304	cmd.exe
2304	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
20	raw.githubusercontent.com
27	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
24	raw.githubusercontent.com
31	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95ec03e44cb5cd94e5ba40a4ed149714f1899b1899bbd579cb935e12bd3ce841.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1164	schtasks.exe
3048	schtasks.exe
1980	schtasks.exe
1160	schtasks.exe
1236	schtasks.exe
1668	schtasks.exe
2096	schtasks.exe
2648	schtasks.exe
1732	schtasks.exe
2636	schtasks.exe
1976	schtasks.exe
1676	schtasks.exe
2724	schtasks.exe
2756	schtasks.exe
2584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2844	DllCommonsvc.exe
1368	powershell.exe
1088	powershell.exe
1056	powershell.exe
2816	powershell.exe
1684	powershell.exe
1884	powershell.exe
972	lsm.exe
2728	lsm.exe
1708	lsm.exe
468	lsm.exe
896	lsm.exe
1500	lsm.exe
2776	lsm.exe
1224	lsm.exe
2900	lsm.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	DllCommonsvc.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	972	lsm.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	2728	lsm.exe
Token: SeDebugPrivilege	1708	lsm.exe
Token: SeDebugPrivilege	468	lsm.exe
Token: SeDebugPrivilege	896	lsm.exe
Token: SeDebugPrivilege	1500	lsm.exe
Token: SeDebugPrivilege	2776	lsm.exe
Token: SeDebugPrivilege	1224	lsm.exe
Token: SeDebugPrivilege	2900	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2252	2896	95ec03e44cb5cd94e5ba40a4ed149714f1899b1899bbd579cb935e12bd3ce841.exe	31
PID 2896 wrote to memory of 2252	2896	95ec03e44cb5cd94e5ba40a4ed149714f1899b1899bbd579cb935e12bd3ce841.exe	31
PID 2896 wrote to memory of 2252	2896	95ec03e44cb5cd94e5ba40a4ed149714f1899b1899bbd579cb935e12bd3ce841.exe	31
PID 2896 wrote to memory of 2252	2896	95ec03e44cb5cd94e5ba40a4ed149714f1899b1899bbd579cb935e12bd3ce841.exe	31
PID 2252 wrote to memory of 2304	2252	WScript.exe	32
PID 2252 wrote to memory of 2304	2252	WScript.exe	32
PID 2252 wrote to memory of 2304	2252	WScript.exe	32
PID 2252 wrote to memory of 2304	2252	WScript.exe	32
PID 2304 wrote to memory of 2844	2304	cmd.exe	34
PID 2304 wrote to memory of 2844	2304	cmd.exe	34
PID 2304 wrote to memory of 2844	2304	cmd.exe	34
PID 2304 wrote to memory of 2844	2304	cmd.exe	34
PID 2844 wrote to memory of 1684	2844	DllCommonsvc.exe	51
PID 2844 wrote to memory of 1684	2844	DllCommonsvc.exe	51
PID 2844 wrote to memory of 1684	2844	DllCommonsvc.exe	51
PID 2844 wrote to memory of 1088	2844	DllCommonsvc.exe	52
PID 2844 wrote to memory of 1088	2844	DllCommonsvc.exe	52
PID 2844 wrote to memory of 1088	2844	DllCommonsvc.exe	52
PID 2844 wrote to memory of 1884	2844	DllCommonsvc.exe	54
PID 2844 wrote to memory of 1884	2844	DllCommonsvc.exe	54
PID 2844 wrote to memory of 1884	2844	DllCommonsvc.exe	54
PID 2844 wrote to memory of 1368	2844	DllCommonsvc.exe	55
PID 2844 wrote to memory of 1368	2844	DllCommonsvc.exe	55
PID 2844 wrote to memory of 1368	2844	DllCommonsvc.exe	55
PID 2844 wrote to memory of 1056	2844	DllCommonsvc.exe	56
PID 2844 wrote to memory of 1056	2844	DllCommonsvc.exe	56
PID 2844 wrote to memory of 1056	2844	DllCommonsvc.exe	56
PID 2844 wrote to memory of 2816	2844	DllCommonsvc.exe	59
PID 2844 wrote to memory of 2816	2844	DllCommonsvc.exe	59
PID 2844 wrote to memory of 2816	2844	DllCommonsvc.exe	59
PID 2844 wrote to memory of 972	2844	DllCommonsvc.exe	63
PID 2844 wrote to memory of 972	2844	DllCommonsvc.exe	63
PID 2844 wrote to memory of 972	2844	DllCommonsvc.exe	63
PID 972 wrote to memory of 2068	972	lsm.exe	64
PID 972 wrote to memory of 2068	972	lsm.exe	64
PID 972 wrote to memory of 2068	972	lsm.exe	64
PID 2068 wrote to memory of 2044	2068	cmd.exe	66
PID 2068 wrote to memory of 2044	2068	cmd.exe	66
PID 2068 wrote to memory of 2044	2068	cmd.exe	66
PID 2068 wrote to memory of 2728	2068	cmd.exe	67
PID 2068 wrote to memory of 2728	2068	cmd.exe	67
PID 2068 wrote to memory of 2728	2068	cmd.exe	67
PID 2728 wrote to memory of 1512	2728	lsm.exe	68
PID 2728 wrote to memory of 1512	2728	lsm.exe	68
PID 2728 wrote to memory of 1512	2728	lsm.exe	68
PID 1512 wrote to memory of 2912	1512	cmd.exe	70
PID 1512 wrote to memory of 2912	1512	cmd.exe	70
PID 1512 wrote to memory of 2912	1512	cmd.exe	70
PID 1512 wrote to memory of 1708	1512	cmd.exe	71
PID 1512 wrote to memory of 1708	1512	cmd.exe	71
PID 1512 wrote to memory of 1708	1512	cmd.exe	71
PID 1708 wrote to memory of 1028	1708	lsm.exe	72
PID 1708 wrote to memory of 1028	1708	lsm.exe	72
PID 1708 wrote to memory of 1028	1708	lsm.exe	72
PID 1028 wrote to memory of 2996	1028	cmd.exe	74
PID 1028 wrote to memory of 2996	1028	cmd.exe	74
PID 1028 wrote to memory of 2996	1028	cmd.exe	74
PID 1028 wrote to memory of 468	1028	cmd.exe	75
PID 1028 wrote to memory of 468	1028	cmd.exe	75
PID 1028 wrote to memory of 468	1028	cmd.exe	75
PID 468 wrote to memory of 2268	468	lsm.exe	76
PID 468 wrote to memory of 2268	468	lsm.exe	76
PID 468 wrote to memory of 2268	468	lsm.exe	76
PID 2268 wrote to memory of 2520	2268	cmd.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\95ec03e44cb5cd94e5ba40a4ed149714f1899b1899bbd579cb935e12bd3ce841.exe
"C:\Users\Admin\AppData\Local\Temp\95ec03e44cb5cd94e5ba40a4ed149714f1899b1899bbd579cb935e12bd3ce841.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
    - - C:\MSOCache\All Users\lsm.exe
        
        "C:\MSOCache\All Users\lsm.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:972
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2044
        
        C:\MSOCache\All Users\lsm.exe
        
        "C:\MSOCache\All Users\lsm.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L59TFxmxil.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2912
        
        C:\MSOCache\All Users\lsm.exe
        
        "C:\MSOCache\All Users\lsm.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2996
        
        C:\MSOCache\All Users\lsm.exe
        
        "C:\MSOCache\All Users\lsm.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2520
        
        C:\MSOCache\All Users\lsm.exe
        
        "C:\MSOCache\All Users\lsm.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat"
        14⤵
        
        PID:1832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2780
        
        C:\MSOCache\All Users\lsm.exe
        
        "C:\MSOCache\All Users\lsm.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\y17QM3q8Rw.bat"
        16⤵
        
        PID:2464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3008
        
        C:\MSOCache\All Users\lsm.exe
        
        "C:\MSOCache\All Users\lsm.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fq9TqI16of.bat"
        18⤵
        
        PID:1780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:108
        
        C:\MSOCache\All Users\lsm.exe
        
        "C:\MSOCache\All Users\lsm.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat"
        20⤵
        
        PID:2376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:344
        
        C:\MSOCache\All Users\lsm.exe
        
        "C:\MSOCache\All Users\lsm.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Users\Default\PrintHood\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Users\Default\PrintHood\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61b1034c6652e63f4ae4973131da382b

SHA1
7e5f0e86af2782360d20e1cc39c817bc68a0c9c4

SHA256
82d6ac7079fdf087cdc09ff323712f82686be2b6c8efed58fc25f54a1f7e6ac1

SHA512
0efc42760d561c741475c447add062ab78c1cda2f8d98900634f670ce53c46d1130144a80dd5d7ea8a974a330253b7258f237e08028e87ebe54d1d5160595db1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f71c53f9daef790005cea9927d3b08b

SHA1
f22bfba29cf523b4457a2878d947f9d301fd76d8

SHA256
e837874f3274d6d290b983b667dd1745f3b479d9868c559d7553078373f5bf41

SHA512
1c65ecf275b695ca89bac937dafec98f5c1b88efae162b823acde455b3b7a13eb7029a8cae0dd497b8a681dff5399ee913832a4c193d57efcb5236375caf1390

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
575ca5c15bc1f3fbb82ede2992ae920a

SHA1
b2583b2d819688133ba691ef43f350d0a9efcd78

SHA256
eb4306561d925ecc199cfdf9fa13143f238463d067fcda7f7a740aa986bbab1c

SHA512
fe7c4463660cabfa62cbcc5256f85da97f8997b805b8772162122550b3040c9b56ef84dedacdf4b1a5bdda1e27f4e5d10bfed25624d14c95a1f61bf1d22aaeac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
376e670335eb5b330008f762b68ebaa5

SHA1
c13847c6d6a037a9b478c6e3bf678b139488fbe8

SHA256
6f92828c598266d66a9ec719e7b4da0f34bbc634d070844bd41083ef05a5a21a

SHA512
a3b6c137ada67a053e406c5974924bfdc7b834fbd6acb84c7fee444c54212c41a817c48a4b1b4dbfd76909b74fe503823a6ddbda7abb8f9a28cc40f47dee7287

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33f49b22495d0d9dae53cc93de0de732

SHA1
905bfdfd4ccb67ac1f89e78101d250091f622ed3

SHA256
545d10aff8e7c2db8b6466fd25cf09aecbe507f1c79313f90be407542abe5091

SHA512
6bfb74db311fc9ffb468f9e78eae59131c15cbafb989be06d0658ae0d6f2007ca44829b65bea4caacce5f0ee79bc01b8d44363ba9c14983e7f66dfaa675cd8f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac01a770d0bae78103267a94d922b88f

SHA1
7f5f79cbecc643e68aef0eea5c46ff0265a77fd6

SHA256
124cfe1163e2d0a1caf6223fd54220c80f83160feb905a880f734b3310312817

SHA512
5c3fb200d6b26511db859444cd69d40063fc851b89ba2c55a5db2c45fa5aefa39c36fc05caa2b102544d79d3f549b6029099bbd88eebdd12ece2e5eec3a30247

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
50a32984489f0df86bde5f6911d57cca

SHA1
88a4a2733d32f9a4c9b9597cf13a07eb012b478e

SHA256
dfeeb559965082d6fa3b8d6b848cf3988c08590cfd6388b950d17503d76afb38

SHA512
0e33272ad3192eb0abac404978d35ca2862158155659f282a23ca9520d0c62c282a26f405e32dbb2eb43c71eb9cd1e22aeefe4fb4d5c02371794230da66847ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat

Filesize
194B

MD5
593b407330b6c00e8955bc4ab6664c01

SHA1
3392abfe471a5a78c50894da0f30b062399e2fd7

SHA256
fa75fbd4ca057ae77b09883412200e82eebfab0072b39609c1bb6d2a90fa69ac

SHA512
51c8f8ddec957b11b0781c82f8aa7e995037135862789a9e112e86f08d3e10063946c2a2fb506f42ed02e52500e15d4ed64d90d7a85ac2843a3aaf74731f4a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab206.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat

Filesize
194B

MD5
e20cf62d82b4e5f3621c77b58cecb85e

SHA1
764564945505c282f84073b994af9e6f9c9b6665

SHA256
a445805a53b4fae2655dab2b8fb5b51a4082bfb3fadb10ad0b5a5f2963e645db

SHA512
0e0e70f5aa8a5c4017b0f59503739cdc6402d9683d5ff7a38be7b9effc64eac505dd220626bc0882acbf61344017b22ccc190862734586bde2ba36af894c04a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat

Filesize
194B

MD5
d9f841331948f9b50f34326b61608695

SHA1
7483192aa5d1f60be35b0c755988a33a3e0f174c

SHA256
2a73de5fa6f2bedb11eafc3af55114c9e64684a1d502e420dd2ad1762b6d9496

SHA512
d687446943ec1d92d42ad4b9aa2d633bc52dc5140ca5e5390b6e7aa245348ce431a0bdf8645a7644efb2d1b217f05fc1903c2f418ed9db1c9f49e45f29d78a4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\L59TFxmxil.bat

Filesize
194B

MD5
88bf7efdfaa5879b98b744f27ecd3d7f

SHA1
a3e49a415bf11e918a5ad5031bc35efa1007857d

SHA256
58d4e7f067ebd47f56c5ee7109142416d067a134e7408580731ccb0a91baaf5d

SHA512
a380f97ef2db9ede675a03ee17e7cb73d9c2e8c8c87eb5004f8239bca1173dbd719647317345cfbbfa1edc33ed9245d93576038ab9b1616df930e5b1bd494597

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar218.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fq9TqI16of.bat

Filesize
194B

MD5
3904068367d269ee88db5f3afd785d27

SHA1
f274f774fa48d7701dc169e8518382b7a0a3e5db

SHA256
5f43f3d905c228bec65413c34b30d84ec22bb7f9b29b25f6a96f80375b03caf1

SHA512
00efdc12facd3c1e758f9b4f4309f8ea1b3911bea543471b42e97923e523196bd709956cffba9663caa7004dcf33fb671fe0938abc1afa86999357339198af3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat

Filesize
194B

MD5
86048499730d452a4ff4a1776adc9ea7

SHA1
79bb7810e9f3d3ecdcea18fd793ee9cc90fa8781

SHA256
30779cbc6f7a2893c69b7226a171a98778f388948052ddc97ecdad17b7628eab

SHA512
c4d619d4283fb2d6b4dc7c99b47ca11393b2fc65ef996a573ec2261498797a000d99e0c8f78ee31181957d51f0929e44a74aae28b683ed71a88a9d137cec05f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat

Filesize
194B

MD5
4fe0acc10359215d05e5815c1de1d263

SHA1
e85ce3b1baa2911e62bf4f9794c326f612f0a564

SHA256
f787cbdfaa26cf4dad57fb56892c84bbd4ab665633d0282ba82c57c1a527db64

SHA512
4a4754427370c3d2f6670b622864cce728ee17ee0a40a33e6e6896c94b669c5dc4d505d04b5734ba8f75edf1d0df86053a233fe785abb267c99e20581ec3068e

Download Submit
C:\Users\Admin\AppData\Local\Temp\y17QM3q8Rw.bat

Filesize
194B

MD5
853733a23fe09c092d1f602da5d66ecc

SHA1
57f24e4cf70e7aaf2c2a6859a254ed8ef77c3a01

SHA256
ee5d419748a2376aa4299d56f9715c078cad417c310ac64d2227e1f56bc0e973

SHA512
40d9f820359116d670822c22ef301772af306667aa9a844faa2864314ca832ef4f61402228a6e523537152dfed410887770cb6e41926e0095e8324d58ec082e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C4M66NVNBKQ7QHAKH7X0.temp

Filesize
7KB

MD5
ae3fb42f9efc4606532dde103b2efe83

SHA1
14819c6edfcb1070780365ff199943ca2539b49b

SHA256
82ef7645cff9049c10c99c87959aa18f5c8a412a9eb1fda09d9ca83242ec0888

SHA512
56f331ab1763f4783055f8457c0520d770513e514cd747e457847ea30675ada309ba11e28e19c5e439d738142c05290bcf291cfa1ab97fd4f7c91da738c09d27

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/896-294-0x0000000000F50000-0x0000000001060000-memory.dmp

Filesize
1.1MB

Download
memory/972-45-0x0000000000330000-0x0000000000440000-memory.dmp

Filesize
1.1MB

Download
memory/1056-40-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/1088-46-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/1224-475-0x0000000001290000-0x00000000013A0000-memory.dmp

Filesize
1.1MB

Download
memory/1500-354-0x0000000000360000-0x0000000000470000-memory.dmp

Filesize
1.1MB

Download
memory/1708-175-0x0000000000B20000-0x0000000000C30000-memory.dmp

Filesize
1.1MB

Download
memory/2728-115-0x00000000000C0000-0x00000000001D0000-memory.dmp

Filesize
1.1MB

Download
memory/2776-414-0x0000000000D30000-0x0000000000E40000-memory.dmp

Filesize
1.1MB

Download
memory/2776-415-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/2844-16-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2844-15-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2844-14-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2844-13-0x0000000001390000-0x00000000014A0000-memory.dmp

Filesize
1.1MB

Download
memory/2844-17-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2900-535-0x0000000000390000-0x00000000004A0000-memory.dmp

Filesize
1.1MB

Download