dcrat | 754c52185fa2fc8ac2d9f03290db41c4afede6933a55a6bd57c6158ce6d754ad

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
05/08/2023, 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

754c52185fa2fc8ac2d9f03290db41c4afede6933a55a6bd57c6158ce6d754adexe_JC.exe
Size

3.5MB
MD5

12826025c71dbd7b7b7b9b8ed8e73176
SHA1

b129a45b5ccfdf0493fabcd3b9d54f9d2321f17f
SHA256

754c52185fa2fc8ac2d9f03290db41c4afede6933a55a6bd57c6158ce6d754ad
SHA512

f476b6bdf461eb9a6efed2f96280d6a545731e1e4e9071960f3b3d00cf077c11ddbeb0ca2b4d087fe3bf3118bae0dea85625e21843d4e160a2401caf2a978706
SSDEEP

98304:UboZN6a7pKnH5txu3hOVj0wycuXOI8jthCAPKr:U0XvUnH5i3s7M8mP

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	828	schtasks.exe	33

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	componentsaves.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	componentsaves.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	componentsaves.exe

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015c02-67.dat	dcrat
behavioral1/files/0x0008000000015c02-68.dat	dcrat
behavioral1/files/0x0008000000015c02-69.dat	dcrat
behavioral1/files/0x0008000000015c02-70.dat	dcrat
behavioral1/memory/2844-71-0x0000000000B00000-0x0000000000E3A000-memory.dmp	dcrat
behavioral1/files/0x0006000000016d2c-109.dat	dcrat
behavioral1/files/0x0005000000019312-140.dat	dcrat
behavioral1/files/0x0005000000019312-141.dat	dcrat
behavioral1/memory/1604-142-0x0000000000030000-0x000000000036A000-memory.dmp	dcrat
behavioral1/memory/1604-144-0x0000000002240000-0x00000000022C0000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

pid	Process
2844	componentsaves.exe
1604	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2732	cmd.exe
2732	cmd.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System.exe	componentsaves.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\27d1bcfc3c54e0	componentsaves.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\csrss.exe	componentsaves.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\886983d96e3d3e	componentsaves.exe
File created	C:\Program Files (x86)\Google\Temp\c5b4cb5e9653cc	componentsaves.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\27d1bcfc3c54e0	componentsaves.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\System.exe	componentsaves.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\winlogon.exe	componentsaves.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\cc11b995f2a76d	componentsaves.exe
File created	C:\Program Files (x86)\Google\Temp\services.exe	componentsaves.exe
File created	C:\Program Files\Windows Media Player\Icons\csrss.exe	componentsaves.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\System.exe	componentsaves.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\en-US\System.exe	componentsaves.exe
File created	C:\Windows\en-US\27d1bcfc3c54e0	componentsaves.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2984	schtasks.exe
1924	schtasks.exe
2072	schtasks.exe
1728	schtasks.exe
2164	schtasks.exe
2092	schtasks.exe
2076	schtasks.exe
2188	schtasks.exe
756	schtasks.exe
772	schtasks.exe
912	schtasks.exe
2284	schtasks.exe
1888	schtasks.exe
1096	schtasks.exe
2404	schtasks.exe
1780	schtasks.exe
2060	schtasks.exe
2308	schtasks.exe
2624	schtasks.exe
1284	schtasks.exe
1240	schtasks.exe
1820	schtasks.exe
564	schtasks.exe
1388	schtasks.exe
1532	schtasks.exe
1716	schtasks.exe
1676	schtasks.exe
1088	schtasks.exe
2288	schtasks.exe
2592	schtasks.exe
1684	schtasks.exe
1348	schtasks.exe
2484	schtasks.exe
1068	schtasks.exe
1920	schtasks.exe
1724	schtasks.exe
2584	schtasks.exe
2956	schtasks.exe
2104	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2844	componentsaves.exe
2844	componentsaves.exe
2844	componentsaves.exe
2844	componentsaves.exe
2844	componentsaves.exe
2844	componentsaves.exe
2844	componentsaves.exe
2844	componentsaves.exe
2844	componentsaves.exe
2844	componentsaves.exe
2844	componentsaves.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1604	conhost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	componentsaves.exe
Token: SeDebugPrivilege	1604	conhost.exe
Token: SeBackupPrivilege	2784	vssvc.exe
Token: SeRestorePrivilege	2784	vssvc.exe
Token: SeAuditPrivilege	2784	vssvc.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 544	3024	754c52185fa2fc8ac2d9f03290db41c4afede6933a55a6bd57c6158ce6d754adexe_JC.exe	28
PID 3024 wrote to memory of 544	3024	754c52185fa2fc8ac2d9f03290db41c4afede6933a55a6bd57c6158ce6d754adexe_JC.exe	28
PID 3024 wrote to memory of 544	3024	754c52185fa2fc8ac2d9f03290db41c4afede6933a55a6bd57c6158ce6d754adexe_JC.exe	28
PID 3024 wrote to memory of 544	3024	754c52185fa2fc8ac2d9f03290db41c4afede6933a55a6bd57c6158ce6d754adexe_JC.exe	28
PID 3024 wrote to memory of 2872	3024	754c52185fa2fc8ac2d9f03290db41c4afede6933a55a6bd57c6158ce6d754adexe_JC.exe	29
PID 3024 wrote to memory of 2872	3024	754c52185fa2fc8ac2d9f03290db41c4afede6933a55a6bd57c6158ce6d754adexe_JC.exe	29
PID 3024 wrote to memory of 2872	3024	754c52185fa2fc8ac2d9f03290db41c4afede6933a55a6bd57c6158ce6d754adexe_JC.exe	29
PID 3024 wrote to memory of 2872	3024	754c52185fa2fc8ac2d9f03290db41c4afede6933a55a6bd57c6158ce6d754adexe_JC.exe	29
PID 544 wrote to memory of 2732	544	WScript.exe	30
PID 544 wrote to memory of 2732	544	WScript.exe	30
PID 544 wrote to memory of 2732	544	WScript.exe	30
PID 544 wrote to memory of 2732	544	WScript.exe	30
PID 2732 wrote to memory of 2844	2732	cmd.exe	32
PID 2732 wrote to memory of 2844	2732	cmd.exe	32
PID 2732 wrote to memory of 2844	2732	cmd.exe	32
PID 2732 wrote to memory of 2844	2732	cmd.exe	32
PID 2844 wrote to memory of 2272	2844	componentsaves.exe	73
PID 2844 wrote to memory of 2272	2844	componentsaves.exe	73
PID 2844 wrote to memory of 2272	2844	componentsaves.exe	73
PID 2272 wrote to memory of 1500	2272	cmd.exe	75
PID 2272 wrote to memory of 1500	2272	cmd.exe	75
PID 2272 wrote to memory of 1500	2272	cmd.exe	75
PID 2272 wrote to memory of 1604	2272	cmd.exe	76
PID 2272 wrote to memory of 1604	2272	cmd.exe	76
PID 2272 wrote to memory of 1604	2272	cmd.exe	76
PID 1604 wrote to memory of 2792	1604	conhost.exe	79
PID 1604 wrote to memory of 2792	1604	conhost.exe	79
PID 1604 wrote to memory of 2792	1604	conhost.exe	79
PID 1604 wrote to memory of 2500	1604	conhost.exe	80
PID 1604 wrote to memory of 2500	1604	conhost.exe	80
PID 1604 wrote to memory of 2500	1604	conhost.exe	80

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	componentsaves.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	componentsaves.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	componentsaves.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe

C:\Users\Admin\AppData\Local\Temp\754c52185fa2fc8ac2d9f03290db41c4afede6933a55a6bd57c6158ce6d754adexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\754c52185fa2fc8ac2d9f03290db41c4afede6933a55a6bd57c6158ce6d754adexe_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\comBrowser\WjASW46x39BT.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\comBrowser\pRTxhw.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\comBrowser\componentsaves.exe
      "C:\comBrowser\componentsaves.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2844
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pvj4xGO1tT.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2272
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1500
      - C:\Users\Admin\Local Settings\conhost.exe
        
        "C:\Users\Admin\Local Settings\conhost.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6570039f-ad4c-48f2-a626-5b5b0788c95b.vbs"
        7⤵
        
        PID:2792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0cfbd87-5718-4711-b912-64cda6f04504.vbs"
        7⤵
        
        PID:2500
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\comBrowser\file.vbs"
  2⤵
  PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentsavesc" /sc MINUTE /mo 7 /tr "'C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\componentsaves.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentsaves" /sc ONLOGON /tr "'C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\componentsaves.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentsavesc" /sc MINUTE /mo 8 /tr "'C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\componentsaves.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentsavesc" /sc MINUTE /mo 14 /tr "'C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\componentsaves.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentsaves" /sc ONLOGON /tr "'C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\componentsaves.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentsavesc" /sc MINUTE /mo 13 /tr "'C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\componentsaves.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Libraries\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Local Settings\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Local Settings\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\en-US\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1096

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System.exe

Filesize
3.2MB

MD5
67b598599821a46cae86c89b4942664f

SHA1
7a5e983be68766eb5ffb86ebc43d37c44c66cc9c

SHA256
f512769aa40ab275fb5b24a1326eb4ae0bcd35706dc78895394623a42130e26d

SHA512
f5aed68a83c933c2df59bc4d4733f22ce1528e0c97727b8debb3f2d65624481f6602150a6106f8109438dbccd5b3550b6f5a65f01f0664c50070faa2e5ef01b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6570039f-ad4c-48f2-a626-5b5b0788c95b.vbs

Filesize
717B

MD5
17a0f4987ba3aef5c55879b69f15f172

SHA1
becb21c6c55e9fec7702ee4ac98a0d157bc74aa9

SHA256
b73f88463719246d08c341723ff94e9313cae98fe3c6d1cc3245e9c951568383

SHA512
291d4f5742606584549d0921150056b9f1cb34a656c82e56b435032d28f1cf30d8dabc1a224079b379ce390a3e9ef3185a2645158c0ee25a2e9a36e66ac8fcff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pvj4xGO1tT.bat

Filesize
206B

MD5
4afe8ac4200f155e8afcc4e60a38f97f

SHA1
9e206774554ca198e77a6da94e8530de531e6032

SHA256
b25b86c63029b1b995c3d0139194ae4625659ab65fbbbaa2cb1fa7274cb105ad

SHA512
96f1cf74e37c27e608b09fec478cedc99fc35d2951f5dcee0b34a7b75fdaf92442174fd363f38abb20fe77bfb65d54786937350759f76463a15643ccd97f124a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0cfbd87-5718-4711-b912-64cda6f04504.vbs

Filesize
493B

MD5
3039974d14bfdcf021a6420458e23984

SHA1
2c9df3dd4b86ab62393f06d85cd703b7e1c0a9a1

SHA256
7969954bfcf91109aa3fa98db69655955031aa754da7a4b071a0795bfa8305f5

SHA512
ef2bee9af862532689dbed971227aa8f5881366d9b69ad4a0b803960e6bfee9e918b5ef5a8a63453888bea20e21f3bf14523957abbf17efeb04e2d3e0b5db3d3

Download Submit
C:\Users\Admin\AppData\Local\conhost.exe

Filesize
3.2MB

MD5
67b598599821a46cae86c89b4942664f

SHA1
7a5e983be68766eb5ffb86ebc43d37c44c66cc9c

SHA256
f512769aa40ab275fb5b24a1326eb4ae0bcd35706dc78895394623a42130e26d

SHA512
f5aed68a83c933c2df59bc4d4733f22ce1528e0c97727b8debb3f2d65624481f6602150a6106f8109438dbccd5b3550b6f5a65f01f0664c50070faa2e5ef01b3

Download Submit
C:\Users\Admin\Local Settings\conhost.exe

Filesize
3.2MB

MD5
67b598599821a46cae86c89b4942664f

SHA1
7a5e983be68766eb5ffb86ebc43d37c44c66cc9c

SHA256
f512769aa40ab275fb5b24a1326eb4ae0bcd35706dc78895394623a42130e26d

SHA512
f5aed68a83c933c2df59bc4d4733f22ce1528e0c97727b8debb3f2d65624481f6602150a6106f8109438dbccd5b3550b6f5a65f01f0664c50070faa2e5ef01b3

Download Submit
C:\comBrowser\WjASW46x39BT.vbe

Filesize
194B

MD5
c5b75678f537eb298465b875c16bdc32

SHA1
1437a0c736b4a51da3c507c21dba67394464bb1a

SHA256
608bcf1b8a64e6bdd049a75bc27187610b3c2c985dfc1c3a87b70f2506ed8b37

SHA512
6c78caf9c40310f0bee817390dd25e14a0a3b8268577e2b830ef800bfaa18502b634dcb1d1b988d5d52ac8517bab417f63fa1b9bb6d62aced46a0f2f37b82841

Download Submit
C:\comBrowser\componentsaves.exe

Filesize
3.2MB

MD5
67b598599821a46cae86c89b4942664f

SHA1
7a5e983be68766eb5ffb86ebc43d37c44c66cc9c

SHA256
f512769aa40ab275fb5b24a1326eb4ae0bcd35706dc78895394623a42130e26d

SHA512
f5aed68a83c933c2df59bc4d4733f22ce1528e0c97727b8debb3f2d65624481f6602150a6106f8109438dbccd5b3550b6f5a65f01f0664c50070faa2e5ef01b3

Download Submit
C:\comBrowser\componentsaves.exe

Filesize
3.2MB

MD5
67b598599821a46cae86c89b4942664f

SHA1
7a5e983be68766eb5ffb86ebc43d37c44c66cc9c

SHA256
f512769aa40ab275fb5b24a1326eb4ae0bcd35706dc78895394623a42130e26d

SHA512
f5aed68a83c933c2df59bc4d4733f22ce1528e0c97727b8debb3f2d65624481f6602150a6106f8109438dbccd5b3550b6f5a65f01f0664c50070faa2e5ef01b3

Download Submit
C:\comBrowser\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\comBrowser\pRTxhw.bat

Filesize
34B

MD5
02cb21db6ec286736bfd5fd2dad1f4ad

SHA1
d51de8ccbb7a921b7afbffd05e10a5f4c460a4a9

SHA256
e1153ce8370ace295803a78da424980db3dca34fee5503eb66b053e79dd647ca

SHA512
dba520e750e13dffcb8b9b9b789f28577846eb04f2470a39062af9b10d2c50e509fee11312fec3a30b45d219c95c0396ac2a4d8926237eef447238f2cda446ba

Download Submit
\comBrowser\componentsaves.exe

Filesize
3.2MB

MD5
67b598599821a46cae86c89b4942664f

SHA1
7a5e983be68766eb5ffb86ebc43d37c44c66cc9c

SHA256
f512769aa40ab275fb5b24a1326eb4ae0bcd35706dc78895394623a42130e26d

SHA512
f5aed68a83c933c2df59bc4d4733f22ce1528e0c97727b8debb3f2d65624481f6602150a6106f8109438dbccd5b3550b6f5a65f01f0664c50070faa2e5ef01b3

Download Submit
\comBrowser\componentsaves.exe

Filesize
3.2MB

MD5
67b598599821a46cae86c89b4942664f

SHA1
7a5e983be68766eb5ffb86ebc43d37c44c66cc9c

SHA256
f512769aa40ab275fb5b24a1326eb4ae0bcd35706dc78895394623a42130e26d

SHA512
f5aed68a83c933c2df59bc4d4733f22ce1528e0c97727b8debb3f2d65624481f6602150a6106f8109438dbccd5b3550b6f5a65f01f0664c50070faa2e5ef01b3

Download Submit
memory/1604-156-0x000007FEF49E0000-0x000007FEF53CC000-memory.dmp

Filesize
9.9MB

Download
memory/1604-145-0x0000000000AB0000-0x0000000000AC2000-memory.dmp

Filesize
72KB

Download
memory/1604-144-0x0000000002240000-0x00000000022C0000-memory.dmp

Filesize
512KB

Download
memory/1604-142-0x0000000000030000-0x000000000036A000-memory.dmp

Filesize
3.2MB

Download
memory/1604-143-0x000007FEF49E0000-0x000007FEF53CC000-memory.dmp

Filesize
9.9MB

Download
memory/1604-146-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/1604-157-0x0000000002240000-0x00000000022C0000-memory.dmp

Filesize
512KB

Download
memory/2844-88-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/2844-99-0x0000000002640000-0x0000000002648000-memory.dmp

Filesize
32KB

Download
memory/2844-84-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/2844-85-0x0000000000AD0000-0x0000000000AE0000-memory.dmp

Filesize
64KB

Download
memory/2844-86-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

Filesize
40KB

Download
memory/2844-87-0x0000000002560000-0x00000000025B6000-memory.dmp

Filesize
344KB

Download
memory/2844-82-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/2844-89-0x0000000002350000-0x000000000235C000-memory.dmp

Filesize
48KB

Download
memory/2844-90-0x0000000002360000-0x0000000002368000-memory.dmp

Filesize
32KB

Download
memory/2844-91-0x0000000002370000-0x0000000002382000-memory.dmp

Filesize
72KB

Download
memory/2844-92-0x00000000025D0000-0x00000000025D8000-memory.dmp

Filesize
32KB

Download
memory/2844-93-0x00000000025E0000-0x00000000025E8000-memory.dmp

Filesize
32KB

Download
memory/2844-94-0x00000000025F0000-0x00000000025FC000-memory.dmp

Filesize
48KB

Download
memory/2844-95-0x0000000002620000-0x0000000002628000-memory.dmp

Filesize
32KB

Download
memory/2844-96-0x0000000002600000-0x000000000260C000-memory.dmp

Filesize
48KB

Download
memory/2844-98-0x0000000002630000-0x000000000263E000-memory.dmp

Filesize
56KB

Download
memory/2844-97-0x0000000002610000-0x000000000261A000-memory.dmp

Filesize
40KB

Download
memory/2844-83-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/2844-100-0x0000000002650000-0x000000000265E000-memory.dmp

Filesize
56KB

Download
memory/2844-101-0x0000000002660000-0x0000000002668000-memory.dmp

Filesize
32KB

Download
memory/2844-102-0x0000000002670000-0x0000000002678000-memory.dmp

Filesize
32KB

Download
memory/2844-103-0x000000001AB00000-0x000000001AB0A000-memory.dmp

Filesize
40KB

Download
memory/2844-104-0x000000001AB10000-0x000000001AB1C000-memory.dmp

Filesize
48KB

Download
memory/2844-136-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2844-81-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/2844-80-0x00000000005B0000-0x00000000005C6000-memory.dmp

Filesize
88KB

Download
memory/2844-79-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/2844-78-0x0000000000590000-0x0000000000598000-memory.dmp

Filesize
32KB

Download
memory/2844-77-0x0000000000570000-0x000000000058C000-memory.dmp

Filesize
112KB

Download
memory/2844-76-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/2844-75-0x0000000000550000-0x000000000055E000-memory.dmp

Filesize
56KB

Download
memory/2844-74-0x0000000000330000-0x000000000033E000-memory.dmp

Filesize
56KB

Download
memory/2844-73-0x000000001B440000-0x000000001B4C0000-memory.dmp

Filesize
512KB

Download
memory/2844-72-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2844-71-0x0000000000B00000-0x0000000000E3A000-memory.dmp

Filesize
3.2MB

Download