dcrat | 5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987

Analysis

max time kernel
15s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-01-2025 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe
Size

1.7MB
MD5

4c5cdbe993419be6ff5d2608e01f7620
SHA1

0f9cddc4a321cd1641d5c207f7223f61de0c54dd
SHA256

5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987
SHA512

cae371309fda6b5fee01284ca445be72c47ab0816a2451835e8da5c9ba8bd741eab2160602d62b8064b80220a713d1d89a5371bcb2f6aaafba7f7c10150696d9
SSDEEP

24576:t3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:tgwuuEpdDLNwVMeXDL0fdSzAG

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2832	schtasks.exe	30

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1788-1-0x00000000013B0000-0x0000000001566000-memory.dmp	dcrat
behavioral1/files/0x0008000000012102-29.dat	dcrat
behavioral1/files/0x0006000000019c38-48.dat	dcrat
behavioral1/memory/1784-121-0x0000000000070000-0x0000000000226000-memory.dmp	dcrat
behavioral1/memory/3044-133-0x0000000001230000-0x00000000013E6000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2396	powershell.exe
2180	powershell.exe
1912	powershell.exe
2400	powershell.exe
1472	powershell.exe
1956	powershell.exe
1936	powershell.exe
672	powershell.exe
688	powershell.exe
1284	powershell.exe
956	powershell.exe
1776	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe

Executes dropped EXE 2 IoCs

pid	Process
1784	WmiPrvSE.exe
3044	WmiPrvSE.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\de-DE\RCXB010.tmp	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe
File created	C:\Windows\de-DE\WmiPrvSE.exe	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe
File opened for modification	C:\Windows\de-DE\WmiPrvSE.exe	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe
File created	C:\Windows\de-DE\24dbde2999530e	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe
File opened for modification	C:\Windows\de-DE\RCXB00F.tmp	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2896	schtasks.exe
2784	schtasks.exe
1276	schtasks.exe
2900	schtasks.exe
2712	schtasks.exe
2912	schtasks.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe
1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe
1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe
1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe
1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe
1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe
1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe
1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe
1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe
1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe
1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe
1956	powershell.exe
672	powershell.exe
1284	powershell.exe
956	powershell.exe
1776	powershell.exe
2180	powershell.exe
1472	powershell.exe
2396	powershell.exe
688	powershell.exe
1936	powershell.exe
2400	powershell.exe
1912	powershell.exe
1784	WmiPrvSE.exe
1784	WmiPrvSE.exe
1784	WmiPrvSE.exe
1784	WmiPrvSE.exe
1784	WmiPrvSE.exe
1784	WmiPrvSE.exe
1784	WmiPrvSE.exe
1784	WmiPrvSE.exe
1784	WmiPrvSE.exe
1784	WmiPrvSE.exe
1784	WmiPrvSE.exe
1784	WmiPrvSE.exe
1784	WmiPrvSE.exe
1784	WmiPrvSE.exe
1784	WmiPrvSE.exe
1784	WmiPrvSE.exe
1784	WmiPrvSE.exe
1784	WmiPrvSE.exe
1784	WmiPrvSE.exe
3044	WmiPrvSE.exe
3044	WmiPrvSE.exe
3044	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	672	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	1784	WmiPrvSE.exe
Token: SeDebugPrivilege	3044	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 2180	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	37
PID 1788 wrote to memory of 2180	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	37
PID 1788 wrote to memory of 2180	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	37
PID 1788 wrote to memory of 1912	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	38
PID 1788 wrote to memory of 1912	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	38
PID 1788 wrote to memory of 1912	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	38
PID 1788 wrote to memory of 2400	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	39
PID 1788 wrote to memory of 2400	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	39
PID 1788 wrote to memory of 2400	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	39
PID 1788 wrote to memory of 672	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	40
PID 1788 wrote to memory of 672	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	40
PID 1788 wrote to memory of 672	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	40
PID 1788 wrote to memory of 1472	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	41
PID 1788 wrote to memory of 1472	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	41
PID 1788 wrote to memory of 1472	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	41
PID 1788 wrote to memory of 688	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	42
PID 1788 wrote to memory of 688	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	42
PID 1788 wrote to memory of 688	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	42
PID 1788 wrote to memory of 1284	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	43
PID 1788 wrote to memory of 1284	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	43
PID 1788 wrote to memory of 1284	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	43
PID 1788 wrote to memory of 956	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	44
PID 1788 wrote to memory of 956	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	44
PID 1788 wrote to memory of 956	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	44
PID 1788 wrote to memory of 2396	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	45
PID 1788 wrote to memory of 2396	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	45
PID 1788 wrote to memory of 2396	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	45
PID 1788 wrote to memory of 1936	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	46
PID 1788 wrote to memory of 1936	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	46
PID 1788 wrote to memory of 1936	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	46
PID 1788 wrote to memory of 1776	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	48
PID 1788 wrote to memory of 1776	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	48
PID 1788 wrote to memory of 1776	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	48
PID 1788 wrote to memory of 1956	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	50
PID 1788 wrote to memory of 1956	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	50
PID 1788 wrote to memory of 1956	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	50
PID 1788 wrote to memory of 2332	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	61
PID 1788 wrote to memory of 2332	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	61
PID 1788 wrote to memory of 2332	1788	5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe	61
PID 2332 wrote to memory of 1256	2332	cmd.exe	63
PID 2332 wrote to memory of 1256	2332	cmd.exe	63
PID 2332 wrote to memory of 1256	2332	cmd.exe	63
PID 2332 wrote to memory of 1784	2332	cmd.exe	64
PID 2332 wrote to memory of 1784	2332	cmd.exe	64
PID 2332 wrote to memory of 1784	2332	cmd.exe	64
PID 1784 wrote to memory of 2896	1784	WmiPrvSE.exe	66
PID 1784 wrote to memory of 2896	1784	WmiPrvSE.exe	66
PID 1784 wrote to memory of 2896	1784	WmiPrvSE.exe	66
PID 1784 wrote to memory of 2636	1784	WmiPrvSE.exe	67
PID 1784 wrote to memory of 2636	1784	WmiPrvSE.exe	67
PID 1784 wrote to memory of 2636	1784	WmiPrvSE.exe	67
PID 2896 wrote to memory of 3044	2896	WScript.exe	68
PID 2896 wrote to memory of 3044	2896	WScript.exe	68
PID 2896 wrote to memory of 3044	2896	WScript.exe	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe
"C:\Users\Admin\AppData\Local\Temp\5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987N.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yabN673CUK.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1256
- - C:\Windows\de-DE\WmiPrvSE.exe
    "C:\Windows\de-DE\WmiPrvSE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ac4cf0c-4872-4d7e-b900-5cd91ae5b15f.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\de-DE\WmiPrvSE.exe
        
        C:\Windows\de-DE\WmiPrvSE.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4027219-2506-4e8e-81b5-baf444ecc17d.vbs"
      4⤵
      PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\de-DE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe

Filesize
1.7MB

MD5
923f20fa80a987b89185792d34e7f849

SHA1
df96c7bc99eb2bb7edb07850cb9d67e53d24fe8f

SHA256
6477a4ed49e27db126620b6476a816aa123ee3098f95d85900db89a55f52453f

SHA512
ecb50291d73af7cdd873fcd5de2818b2c9ae40fd087bc5f90790828ea6fdb26427deb5b264641e7b084f2a15aa2bcff3891157197dbd1ec6820304b5d9906824

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ac4cf0c-4872-4d7e-b900-5cd91ae5b15f.vbs

Filesize
705B

MD5
d68fe670b7627208b40b550559d617c9

SHA1
dc83573da93108dda1faddefd4b2f0e4f90d7737

SHA256
8281a757035cc2c05c236be951c484e43c076513dcbf6e2c3c9cc0d958289ad3

SHA512
cd9eff44153262e14b908f4ca24d5952d0e82fd8cd31fae23bd778892b80302e9915c13732bb7289728762bb64ad4f8d92101bdedab298919abf90449be91b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4027219-2506-4e8e-81b5-baf444ecc17d.vbs

Filesize
481B

MD5
91dc8bf5b03ee7d9ff026988b8f670c2

SHA1
4dd3041d5efc1eda4e9c60d34b226d897900ee34

SHA256
106df5dacffd4f74b91917495c150a75e2abe45c01b74df5277f86eea1f030e0

SHA512
d79b2bea1b6ff4c7d7669a5abcd7f4fb01c93070c4dc0ea4bb27d34e0bb926b455872d85d5202a88264f3b8ba9e32822a18c0fee6f540bc052f4dceef719d720

Download Submit
C:\Users\Admin\AppData\Local\Temp\yabN673CUK.bat

Filesize
194B

MD5
c91c66ae872ded5bac7aab944d4534e0

SHA1
c178d7a67705f1dbc34d40447a7d7760465fbc98

SHA256
13b96c0143119aa22fbb1e08b559c2103e441bd560a929ce6f7b307f6f8138a2

SHA512
d6007b99a226903ca594b5d8e4b7f651f2abcc65ece905eee40ba7919305839c147a75680d99a87ae824da722e188db6988bfdba64620b8ef2e95f017b6b859b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8f2356efdf6f9ea96aedd115dfc2e1e5

SHA1
804142f90d58fcb2752886811f25f5dd3d1b6d5e

SHA256
5eb0c4fd937fb24213cf8a5b8496628889012d5353c96332007c0d8233a959be

SHA512
b278fbcb438b58b8cf7f76f1cbbb0798167207ab5d99bba8104211d0ceea9d6582d44c9cf5fc5f2cfee2d51267355a61c4b48fc929d549476a380bb1c6e6b30a

Download Submit
C:\Windows\de-DE\WmiPrvSE.exe

Filesize
1.7MB

MD5
4c5cdbe993419be6ff5d2608e01f7620

SHA1
0f9cddc4a321cd1641d5c207f7223f61de0c54dd

SHA256
5a57068f66938c8c0346643f8cedd304cd572b3c3f55e15887081b94edaa8987

SHA512
cae371309fda6b5fee01284ca445be72c47ab0816a2451835e8da5c9ba8bd741eab2160602d62b8064b80220a713d1d89a5371bcb2f6aaafba7f7c10150696d9

Download Submit
memory/1784-122-0x0000000000770000-0x0000000000782000-memory.dmp

Filesize
72KB

Download
memory/1784-121-0x0000000000070000-0x0000000000226000-memory.dmp

Filesize
1.7MB

Download
memory/1788-15-0x0000000001320000-0x0000000001328000-memory.dmp

Filesize
32KB

Download
memory/1788-7-0x0000000000BA0000-0x0000000000BB2000-memory.dmp

Filesize
72KB

Download
memory/1788-10-0x00000000012E0000-0x00000000012E8000-memory.dmp

Filesize
32KB

Download
memory/1788-12-0x0000000001300000-0x000000000130C000-memory.dmp

Filesize
48KB

Download
memory/1788-17-0x0000000001350000-0x000000000135C000-memory.dmp

Filesize
48KB

Download
memory/1788-16-0x0000000001340000-0x000000000134C000-memory.dmp

Filesize
48KB

Download
memory/1788-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

Filesize
4KB

Download
memory/1788-14-0x0000000001310000-0x000000000131A000-memory.dmp

Filesize
40KB

Download
memory/1788-13-0x0000000001330000-0x000000000133C000-memory.dmp

Filesize
48KB

Download
memory/1788-20-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/1788-8-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/1788-9-0x0000000000D40000-0x0000000000D4C000-memory.dmp

Filesize
48KB

Download
memory/1788-6-0x00000000012C0000-0x00000000012D6000-memory.dmp

Filesize
88KB

Download
memory/1788-1-0x00000000013B0000-0x0000000001566000-memory.dmp

Filesize
1.7MB

Download
memory/1788-2-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/1788-112-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/1788-5-0x0000000000600000-0x0000000000610000-memory.dmp

Filesize
64KB

Download
memory/1788-4-0x00000000005F0000-0x00000000005F8000-memory.dmp

Filesize
32KB

Download
memory/1788-3-0x00000000005D0000-0x00000000005EC000-memory.dmp

Filesize
112KB

Download
memory/1956-70-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/1956-81-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/3044-133-0x0000000001230000-0x00000000013E6000-memory.dmp

Filesize
1.7MB

Download
memory/3044-134-0x0000000000620000-0x0000000000632000-memory.dmp

Filesize
72KB

Download