dcrat | e850c790d73622a00145c2db809cfdef073894a15f6b1ccbf64ee431b9472306

Analysis

max time kernel
145s
max time network
153s
platform
windows7_x64
resource
win7-20220812-es
resource tags

arch:x64arch:x86image:win7-20220812-eslocale:es-esos:windows7-x64systemwindows
submitted
28/12/2022, 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MultiHack STALCRAFT.exe
Size

2.6MB
MD5

999f1063f749669bfb2ca8b981a02fc3
SHA1

b7cfbea56657a13fc857ef4fc0709f90c2e00433
SHA256

e850c790d73622a00145c2db809cfdef073894a15f6b1ccbf64ee431b9472306
SHA512

2695ba800010e688e4656f209a91f666b60859d1d28bba5ffd941fc7532385360a90362882c1564dd21486ac0ba085d8692cd7e030d8935df02a737f811b254b
SSDEEP

49152:UbA30+n2mgETrv8FVKWlhzEyZqRbSMeLDH/nNycDsenl9pf0ibF7izYk:Uba2irch77YW/HfgcwClr8sRizB

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	1884	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	1884	schtasks.exe	33

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001339d-63.dat	dcrat
behavioral1/files/0x000700000001339d-67.dat	dcrat
behavioral1/files/0x000700000001339d-65.dat	dcrat
behavioral1/files/0x000700000001339d-64.dat	dcrat
behavioral1/memory/1840-68-0x0000000000C60000-0x0000000000EB2000-memory.dmp	dcrat
behavioral1/files/0x000600000001453c-77.dat	dcrat
behavioral1/files/0x000600000001453c-78.dat	dcrat
behavioral1/memory/2288-79-0x0000000000D20000-0x0000000000F72000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

pid	Process
1840	Hyperperfcrt.exe
2288	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
988	cmd.exe
988	cmd.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ipinfo.io
7	ipinfo.io

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\services.exe	Hyperperfcrt.exe
File created	C:\Program Files\VideoLAN\VLC\winlogon.exe	Hyperperfcrt.exe
File created	C:\Program Files\VideoLAN\VLC\cc11b995f2a76d	Hyperperfcrt.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ebf1f9fa8afd6d	Hyperperfcrt.exe
File created	C:\Program Files\Uninstall Information\lsass.exe	Hyperperfcrt.exe
File created	C:\Program Files\Uninstall Information\6203df4a6bafc7	Hyperperfcrt.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\lsm.exe	Hyperperfcrt.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\101b941d020240	Hyperperfcrt.exe
File created	C:\Program Files (x86)\Google\c5b4cb5e9653cc	Hyperperfcrt.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\winlogon.exe	Hyperperfcrt.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe	Hyperperfcrt.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\dwm.exe	Hyperperfcrt.exe
File created	C:\Windows\Fonts\6cb0b6c459d5d3	Hyperperfcrt.exe
File opened for modification	C:\Windows\Setup\State\dwm.exe	Hyperperfcrt.exe
File opened for modification	C:\Windows\Setup\State\6cb0b6c459d5d3	Hyperperfcrt.exe
File created	C:\Windows\fr-FR\Hyperperfcrt.exe	Hyperperfcrt.exe
File created	C:\Windows\fr-FR\08ffe93800f65f	Hyperperfcrt.exe
File created	C:\Windows\Setup\State\dwm.exe	Hyperperfcrt.exe
File created	C:\Windows\Setup\State\6cb0b6c459d5d3	Hyperperfcrt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1712	schtasks.exe
1180	schtasks.exe
1672	schtasks.exe
2260	schtasks.exe
884	schtasks.exe
1692	schtasks.exe
1520	schtasks.exe
432	schtasks.exe
2144	schtasks.exe
1828	schtasks.exe
1864	schtasks.exe
1984	schtasks.exe
1684	schtasks.exe
1628	schtasks.exe
2124	schtasks.exe
1632	schtasks.exe
1224	schtasks.exe
1664	schtasks.exe
2028	schtasks.exe
432	schtasks.exe
1820	schtasks.exe
1980	schtasks.exe
1072	schtasks.exe
396	schtasks.exe
1676	schtasks.exe
1612	schtasks.exe
1240	schtasks.exe
2076	schtasks.exe
2188	schtasks.exe
1772	schtasks.exe
1668	schtasks.exe
964	schtasks.exe
1876	schtasks.exe
1804	schtasks.exe
1180	schtasks.exe
1592	schtasks.exe
1364	schtasks.exe
864	schtasks.exe
332	schtasks.exe
2164	schtasks.exe
564	schtasks.exe
1948	schtasks.exe
1420	schtasks.exe
1504	schtasks.exe
1812	schtasks.exe
2096	schtasks.exe
588	schtasks.exe
996	schtasks.exe
1816	schtasks.exe
1040	schtasks.exe
2216	schtasks.exe
2024	schtasks.exe
884	schtasks.exe
1528	schtasks.exe
912	schtasks.exe
2236	schtasks.exe
292	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1840	Hyperperfcrt.exe
1840	Hyperperfcrt.exe
1840	Hyperperfcrt.exe
1840	Hyperperfcrt.exe
1840	Hyperperfcrt.exe
1840	Hyperperfcrt.exe
1840	Hyperperfcrt.exe
2288	lsass.exe
2288	lsass.exe
2288	lsass.exe
2288	lsass.exe
2288	lsass.exe
2288	lsass.exe
2288	lsass.exe
2288	lsass.exe
2288	lsass.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1840	Hyperperfcrt.exe
Token: SeDebugPrivilege	2288	lsass.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 1872	1300	MultiHack STALCRAFT.exe	28
PID 1300 wrote to memory of 1872	1300	MultiHack STALCRAFT.exe	28
PID 1300 wrote to memory of 1872	1300	MultiHack STALCRAFT.exe	28
PID 1300 wrote to memory of 1872	1300	MultiHack STALCRAFT.exe	28
PID 1300 wrote to memory of 1620	1300	MultiHack STALCRAFT.exe	29
PID 1300 wrote to memory of 1620	1300	MultiHack STALCRAFT.exe	29
PID 1300 wrote to memory of 1620	1300	MultiHack STALCRAFT.exe	29
PID 1300 wrote to memory of 1620	1300	MultiHack STALCRAFT.exe	29
PID 1872 wrote to memory of 988	1872	WScript.exe	30
PID 1872 wrote to memory of 988	1872	WScript.exe	30
PID 1872 wrote to memory of 988	1872	WScript.exe	30
PID 1872 wrote to memory of 988	1872	WScript.exe	30
PID 988 wrote to memory of 1840	988	cmd.exe	32
PID 988 wrote to memory of 1840	988	cmd.exe	32
PID 988 wrote to memory of 1840	988	cmd.exe	32
PID 988 wrote to memory of 1840	988	cmd.exe	32
PID 1840 wrote to memory of 2288	1840	Hyperperfcrt.exe	91
PID 1840 wrote to memory of 2288	1840	Hyperperfcrt.exe	91
PID 1840 wrote to memory of 2288	1840	Hyperperfcrt.exe	91

C:\Users\Admin\AppData\Local\Temp\MultiHack STALCRAFT.exe
"C:\Users\Admin\AppData\Local\Temp\MultiHack STALCRAFT.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\winrefHost\L3LnYNcg2ndBEhia1dY6vzGVM3h7rI.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\winrefHost\by3bzroT3WJ.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:988
  - - C:\winrefHost\Hyperperfcrt.exe
      "C:\winrefHost\Hyperperfcrt.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1840
    - - C:\Program Files\Uninstall Information\lsass.exe
        
        "C:\Program Files\Uninstall Information\lsass.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\winrefHost\file.vbs"
  2⤵
  PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HyperperfcrtH" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\Hyperperfcrt.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Hyperperfcrt" /sc ONLOGON /tr "'C:\Windows\fr-FR\Hyperperfcrt.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HyperperfcrtH" /sc MINUTE /mo 6 /tr "'C:\Windows\fr-FR\Hyperperfcrt.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Setup\State\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Setup\State\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\Setup\State\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HyperperfcrtH" /sc MINUTE /mo 10 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\Hyperperfcrt.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Hyperperfcrt" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\Hyperperfcrt.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HyperperfcrtH" /sc MINUTE /mo 5 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\Hyperperfcrt.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\winrefHost\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\winrefHost\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\winrefHost\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Fonts\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\Fonts\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Setup\State\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Setup\State\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\Setup\State\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Uninstall Information\lsass.exe

Filesize
2.3MB

MD5
1d719b0bbbe447f2e490abf201afd4e4

SHA1
4e1ad6d2a874f2fce789c8b5bc6ad832079e315a

SHA256
125ff5afa4cce4a8aeba52e8abe67c21001a9ebac619c3879362d1074798a09b

SHA512
3ceab2604f34fbe24d2c5160d4207cd69d922dcc8ab36ddb8569b2f61c7d151df901e5f0a0222111cc70eeb0822089215f71d2351f7a77237252780463730fd7

Download Submit
C:\Program Files\Uninstall Information\lsass.exe

Filesize
2.3MB

MD5
1d719b0bbbe447f2e490abf201afd4e4

SHA1
4e1ad6d2a874f2fce789c8b5bc6ad832079e315a

SHA256
125ff5afa4cce4a8aeba52e8abe67c21001a9ebac619c3879362d1074798a09b

SHA512
3ceab2604f34fbe24d2c5160d4207cd69d922dcc8ab36ddb8569b2f61c7d151df901e5f0a0222111cc70eeb0822089215f71d2351f7a77237252780463730fd7

Download Submit
C:\winrefHost\Hyperperfcrt.exe

Filesize
2.3MB

MD5
1d719b0bbbe447f2e490abf201afd4e4

SHA1
4e1ad6d2a874f2fce789c8b5bc6ad832079e315a

SHA256
125ff5afa4cce4a8aeba52e8abe67c21001a9ebac619c3879362d1074798a09b

SHA512
3ceab2604f34fbe24d2c5160d4207cd69d922dcc8ab36ddb8569b2f61c7d151df901e5f0a0222111cc70eeb0822089215f71d2351f7a77237252780463730fd7

Download Submit
C:\winrefHost\Hyperperfcrt.exe

Filesize
2.3MB

MD5
1d719b0bbbe447f2e490abf201afd4e4

SHA1
4e1ad6d2a874f2fce789c8b5bc6ad832079e315a

SHA256
125ff5afa4cce4a8aeba52e8abe67c21001a9ebac619c3879362d1074798a09b

SHA512
3ceab2604f34fbe24d2c5160d4207cd69d922dcc8ab36ddb8569b2f61c7d151df901e5f0a0222111cc70eeb0822089215f71d2351f7a77237252780463730fd7

Download Submit
C:\winrefHost\L3LnYNcg2ndBEhia1dY6vzGVM3h7rI.vbe

Filesize
198B

MD5
05b098999c7dcc148606c839fa680a1f

SHA1
15a99da3c7ce701748a69bc99f98b46e260031b8

SHA256
d76f2cec01d4def8fae939cd051bab2698087acc0689708524e26259b9c36097

SHA512
c28267f7e25ba651e22a17a50e5a64e92a754e400e90a00d19d023869a3cc53e7878b625d39286ded0d13f1281487c28bc2e5e6ff2586d37baa45ca24e28cb64

Download Submit
C:\winrefHost\by3bzroT3WJ.bat

Filesize
32B

MD5
935c7f36c394cada665c48a7f460ab65

SHA1
8a55a151ac6ae8ff990679aa862fd0f476fa10b8

SHA256
dfd653bf319f98bdecab9823602433fb381c73ca63335f694216daf441ad5cc5

SHA512
527587eb19a4d609174441edf570189fb07024c1bf26e1924b8a835e31251c27bf7dbbe1ef5c769e4f335f70e2ed1f53dee938958d50928ed621586e9c9dfcf2

Download Submit
C:\winrefHost\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
\winrefHost\Hyperperfcrt.exe

Filesize
2.3MB

MD5
1d719b0bbbe447f2e490abf201afd4e4

SHA1
4e1ad6d2a874f2fce789c8b5bc6ad832079e315a

SHA256
125ff5afa4cce4a8aeba52e8abe67c21001a9ebac619c3879362d1074798a09b

SHA512
3ceab2604f34fbe24d2c5160d4207cd69d922dcc8ab36ddb8569b2f61c7d151df901e5f0a0222111cc70eeb0822089215f71d2351f7a77237252780463730fd7

Download Submit
\winrefHost\Hyperperfcrt.exe

Filesize
2.3MB

MD5
1d719b0bbbe447f2e490abf201afd4e4

SHA1
4e1ad6d2a874f2fce789c8b5bc6ad832079e315a

SHA256
125ff5afa4cce4a8aeba52e8abe67c21001a9ebac619c3879362d1074798a09b

SHA512
3ceab2604f34fbe24d2c5160d4207cd69d922dcc8ab36ddb8569b2f61c7d151df901e5f0a0222111cc70eeb0822089215f71d2351f7a77237252780463730fd7

Download Submit
memory/1300-54-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download
memory/1840-68-0x0000000000C60000-0x0000000000EB2000-memory.dmp

Filesize
2.3MB

Download
memory/1840-69-0x0000000000460000-0x000000000047C000-memory.dmp

Filesize
112KB

Download
memory/1840-70-0x0000000000480000-0x0000000000496000-memory.dmp

Filesize
88KB

Download
memory/1840-71-0x0000000000950000-0x00000000009A6000-memory.dmp

Filesize
344KB

Download
memory/1840-72-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1840-73-0x0000000000B10000-0x0000000000B1E000-memory.dmp

Filesize
56KB

Download
memory/1840-74-0x0000000000BC0000-0x0000000000BC8000-memory.dmp

Filesize
32KB

Download
memory/1840-75-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

Filesize
32KB

Download
memory/2288-79-0x0000000000D20000-0x0000000000F72000-memory.dmp

Filesize
2.3MB

Download
memory/2288-80-0x0000000000170000-0x0000000000182000-memory.dmp

Filesize
72KB

Download