dcrat | b134e4e5d74eb1a5ddd66625837b44ed6d23fbac004bbaae91ece785b7c574e3

Analysis

max time kernel
133s
max time network
154s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
18/08/2023, 05:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

397f5c91fd7cafc22c3fe28bc8fe675a.exe
Size

1.3MB
MD5

397f5c91fd7cafc22c3fe28bc8fe675a
SHA1

02e127ae9c5a55e9b48731a3d47220cdb056f3eb
SHA256

b134e4e5d74eb1a5ddd66625837b44ed6d23fbac004bbaae91ece785b7c574e3
SHA512

fdb348e8d451e68f59c02c57dcc788e486f7244211687b854463768961c50bd70fad6e5e0e2e66dd3c42666fa6d04fcf1014e3dd356011eeaba4a6a7031bf311
SSDEEP

24576:dA1MqYjjU6kS6e5jB/n4L6JXWutEcPO6KhepiKnG/hnPrdSkl+j9aTw1OquD:d4dK756e5VgL6JXWutEcLmesKG/hQzj4

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2900	schtasks.exe	34

DCRat payload 17 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000120e6-57.dat	dcrat
behavioral1/files/0x00080000000120e6-59.dat	dcrat
behavioral1/files/0x00080000000120e6-60.dat	dcrat
behavioral1/files/0x00080000000120e6-63.dat	dcrat
behavioral1/files/0x0006000000018eec-77.dat	dcrat
behavioral1/files/0x0006000000018eec-78.dat	dcrat
behavioral1/files/0x0006000000018eec-79.dat	dcrat
behavioral1/files/0x0006000000018eec-80.dat	dcrat
behavioral1/memory/2320-81-0x0000000001390000-0x0000000001466000-memory.dmp	dcrat
behavioral1/files/0x0005000000018fc1-88.dat	dcrat
behavioral1/files/0x0006000000018eec-107.dat	dcrat
behavioral1/memory/1056-108-0x00000000003C0000-0x0000000000496000-memory.dmp	dcrat
behavioral1/memory/1056-110-0x000000001AE80000-0x000000001AF00000-memory.dmp	dcrat
behavioral1/files/0x0005000000018fc1-117.dat	dcrat
behavioral1/files/0x00050000000195a7-136.dat	dcrat
behavioral1/memory/2816-137-0x0000000000910000-0x00000000009E6000-memory.dmp	dcrat
behavioral1/files/0x00050000000195a7-135.dat	dcrat

Executes dropped EXE 4 IoCs

pid	Process
1568	prikol.exe
2320	agentServer.exe
1056	agentServer.exe
2816	csrss.exe

Loads dropped DLL 3 IoCs

pid	Process
2924	397f5c91fd7cafc22c3fe28bc8fe675a.exe
2524	cmd.exe
2524	cmd.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\6203df4a6bafc7	agentServer.exe
File created	C:\Program Files\7-Zip\Lang\dllhost.exe	agentServer.exe
File created	C:\Program Files\7-Zip\Lang\5940a34987c991	agentServer.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\42af1c969fbb7b	agentServer.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\cmd.exe	agentServer.exe
File created	C:\Program Files\Windows Mail\WMIADAP.exe	agentServer.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\lsass.exe	agentServer.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe	agentServer.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\ebf1f9fa8afd6d	agentServer.exe
File opened for modification	C:\Program Files\Windows Mail\WMIADAP.exe	agentServer.exe
File created	C:\Program Files\Windows Mail\75a57c1bdf437c	agentServer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\tracing\sppsvc.exe	agentServer.exe
File created	C:\Windows\tracing\0a1fd5f707cd16	agentServer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2800	schtasks.exe
2228	schtasks.exe
1796	schtasks.exe
1788	schtasks.exe
2460	schtasks.exe
2024	schtasks.exe
2936	schtasks.exe
3048	schtasks.exe
2476	schtasks.exe
2084	schtasks.exe
1284	schtasks.exe
1132	schtasks.exe
2240	schtasks.exe
2632	schtasks.exe
1032	schtasks.exe
584	schtasks.exe
908	schtasks.exe
2152	schtasks.exe
2680	schtasks.exe
2588	schtasks.exe
1744	schtasks.exe
1276	schtasks.exe
812	schtasks.exe
588	schtasks.exe
2176	schtasks.exe
2804	schtasks.exe
2636	schtasks.exe
1040	schtasks.exe
2968	schtasks.exe
1820	schtasks.exe
1912	schtasks.exe
3004	schtasks.exe
1668	schtasks.exe
3000	schtasks.exe
1060	schtasks.exe
640	schtasks.exe
2548	schtasks.exe
2288	schtasks.exe
2416	schtasks.exe
2568	schtasks.exe
2924	schtasks.exe
2156	schtasks.exe
1752	schtasks.exe
1356	schtasks.exe
1288	schtasks.exe
2428	schtasks.exe
2516	schtasks.exe
2400	schtasks.exe
1536	schtasks.exe
2452	schtasks.exe
592	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2320	agentServer.exe
2320	agentServer.exe
2320	agentServer.exe
2320	agentServer.exe
2320	agentServer.exe
1056	agentServer.exe
2816	csrss.exe
2816	csrss.exe
2816	csrss.exe
2816	csrss.exe
2816	csrss.exe
2816	csrss.exe
2816	csrss.exe
2816	csrss.exe
2816	csrss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2816	csrss.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2320	agentServer.exe
Token: SeDebugPrivilege	1056	agentServer.exe
Token: SeDebugPrivilege	2816	csrss.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
852	DllHost.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 1568	2924	397f5c91fd7cafc22c3fe28bc8fe675a.exe	28
PID 2924 wrote to memory of 1568	2924	397f5c91fd7cafc22c3fe28bc8fe675a.exe	28
PID 2924 wrote to memory of 1568	2924	397f5c91fd7cafc22c3fe28bc8fe675a.exe	28
PID 2924 wrote to memory of 1568	2924	397f5c91fd7cafc22c3fe28bc8fe675a.exe	28
PID 1568 wrote to memory of 2564	1568	prikol.exe	30
PID 1568 wrote to memory of 2564	1568	prikol.exe	30
PID 1568 wrote to memory of 2564	1568	prikol.exe	30
PID 1568 wrote to memory of 2564	1568	prikol.exe	30
PID 2564 wrote to memory of 2524	2564	WScript.exe	31
PID 2564 wrote to memory of 2524	2564	WScript.exe	31
PID 2564 wrote to memory of 2524	2564	WScript.exe	31
PID 2564 wrote to memory of 2524	2564	WScript.exe	31
PID 2524 wrote to memory of 2320	2524	cmd.exe	33
PID 2524 wrote to memory of 2320	2524	cmd.exe	33
PID 2524 wrote to memory of 2320	2524	cmd.exe	33
PID 2524 wrote to memory of 2320	2524	cmd.exe	33
PID 2320 wrote to memory of 1804	2320	agentServer.exe	61
PID 2320 wrote to memory of 1804	2320	agentServer.exe	61
PID 2320 wrote to memory of 1804	2320	agentServer.exe	61
PID 1804 wrote to memory of 440	1804	cmd.exe	63
PID 1804 wrote to memory of 440	1804	cmd.exe	63
PID 1804 wrote to memory of 440	1804	cmd.exe	63
PID 1804 wrote to memory of 1056	1804	cmd.exe	64
PID 1804 wrote to memory of 1056	1804	cmd.exe	64
PID 1804 wrote to memory of 1056	1804	cmd.exe	64
PID 1056 wrote to memory of 2816	1056	agentServer.exe	92
PID 1056 wrote to memory of 2816	1056	agentServer.exe	92
PID 1056 wrote to memory of 2816	1056	agentServer.exe	92

C:\Users\Admin\AppData\Local\Temp\397f5c91fd7cafc22c3fe28bc8fe675a.exe
"C:\Users\Admin\AppData\Local\Temp\397f5c91fd7cafc22c3fe28bc8fe675a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\prikol.exe
  "C:\Users\Admin\AppData\Local\Temp\prikol.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\comhostDhcpcommon\2tGgrQ6HpW.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\comhostDhcpcommon\V15q6MjWRY5zvqjkxpp.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\comhostDhcpcommon\agentServer.exe
        
        "C:\comhostDhcpcommon\agentServer.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2320
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ON63aZOvkV.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:440
        
        C:\comhostDhcpcommon\agentServer.exe
        
        "C:\comhostDhcpcommon\agentServer.exe"
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\comhostDhcpcommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\comhostDhcpcommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\comhostDhcpcommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\tracing\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\comhostDhcpcommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\comhostDhcpcommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\comhostDhcpcommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\a60d4a02-20f1-11ee-b5a9-e92b09c817f3\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\a60d4a02-20f1-11ee-b5a9-e92b09c817f3\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\a60d4a02-20f1-11ee-b5a9-e92b09c817f3\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\a60d4a02-20f1-11ee-b5a9-e92b09c817f3\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\a60d4a02-20f1-11ee-b5a9-e92b09c817f3\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\a60d4a02-20f1-11ee-b5a9-e92b09c817f3\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Templates\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Templates\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\comhostDhcpcommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\comhostDhcpcommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\comhostDhcpcommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\a60d4a02-20f1-11ee-b5a9-e92b09c817f3\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\a60d4a02-20f1-11ee-b5a9-e92b09c817f3\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\a60d4a02-20f1-11ee-b5a9-e92b09c817f3\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe

Filesize
829KB

MD5
9bc17f902aa42e14e3942b2895bbcd50

SHA1
a9ae75b0ec339a7fbbde2dc67fbf3639fdf046c2

SHA256
6133eab082730a37822829c47341c6f0d4dfd8fcec990e9d1a29067dcb32421b

SHA512
a9b0918cb2add3fd507b38d929b1dff8f433020fa885f2b76c79d8bd8e471d4baa6df7f8d1f3a09397d7d10c03b2f49c4870646d6225d0e22de0806ae5a9de46

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe

Filesize
829KB

MD5
9bc17f902aa42e14e3942b2895bbcd50

SHA1
a9ae75b0ec339a7fbbde2dc67fbf3639fdf046c2

SHA256
6133eab082730a37822829c47341c6f0d4dfd8fcec990e9d1a29067dcb32421b

SHA512
a9b0918cb2add3fd507b38d929b1dff8f433020fa885f2b76c79d8bd8e471d4baa6df7f8d1f3a09397d7d10c03b2f49c4870646d6225d0e22de0806ae5a9de46

Download Submit
C:\Users\Admin\AppData\Local\Temp\ON63aZOvkV.bat

Filesize
201B

MD5
cfaeca9dcaf6a91a9f0baeca50ce4548

SHA1
7648459b5232446ea59c44e145f0cd006b010f99

SHA256
31a31158d5a48e32c5ea8d7c3ce4218001ad685b36adf3f19181fb0aeecbf25e

SHA512
733b491b9cde30842c0e5e92bf779acc2f15397704bf46f4f0490fa126592f2d47ecb3401fe62f17fb2e9577a37b03fd55a9c70dd841fd7e7ea143389b7e5a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\krasivye-kartinki-pandy-na-rabochij-stol-26.jpg

Filesize
355KB

MD5
0726b75ceb8ff437a917cc3e2ab8480d

SHA1
f010247cbc857e00cc8d4cee6794f3d6d81c4772

SHA256
55d61d7537d4ba7b1b5f915c3d1200951f952d373c50294bd3c752e968d45fbc

SHA512
4faeb7ce7e811116bf5f82584f397c275fca8ab714a26e32f8b81b449aa08eb1f9a865988d2eeff09441d0df835b885ebf6ac1389a86e16d7fcd7cc59251efb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\prikol.exe

Filesize
1.1MB

MD5
1df91d3d9db8d531d84c3090af0c5399

SHA1
d5289bf48dc32630219ca3fb50b9509e40a61d82

SHA256
a6e63a37391179fcb2b624a4e3a12a2d59fcd2479b79d8e0d117facd0b6b4948

SHA512
85762e86d9aeb7d8360af01405e90fd5a06c1b5f53c5c913b1a2d025361bed7e3bb8cfca05e23c3ae87fe9fec8073e4687d5700d88b29adaa027186186288979

Download Submit
C:\Users\Admin\AppData\Local\Temp\prikol.exe

Filesize
1.1MB

MD5
1df91d3d9db8d531d84c3090af0c5399

SHA1
d5289bf48dc32630219ca3fb50b9509e40a61d82

SHA256
a6e63a37391179fcb2b624a4e3a12a2d59fcd2479b79d8e0d117facd0b6b4948

SHA512
85762e86d9aeb7d8360af01405e90fd5a06c1b5f53c5c913b1a2d025361bed7e3bb8cfca05e23c3ae87fe9fec8073e4687d5700d88b29adaa027186186288979

Download Submit
C:\Users\Admin\AppData\Local\Temp\prikol.exe

Filesize
1.1MB

MD5
1df91d3d9db8d531d84c3090af0c5399

SHA1
d5289bf48dc32630219ca3fb50b9509e40a61d82

SHA256
a6e63a37391179fcb2b624a4e3a12a2d59fcd2479b79d8e0d117facd0b6b4948

SHA512
85762e86d9aeb7d8360af01405e90fd5a06c1b5f53c5c913b1a2d025361bed7e3bb8cfca05e23c3ae87fe9fec8073e4687d5700d88b29adaa027186186288979

Download Submit
C:\comhostDhcpcommon\2tGgrQ6HpW.vbe

Filesize
213B

MD5
c0dbb672804e81ed5bdc6ae50ec4b16a

SHA1
df8bfc820f8de52ce8293395446991e5e5c43125

SHA256
3a91849c1602a6fd0556663ea487f01d64fe4828f619ed5eb3f13c67c20dd905

SHA512
6546e2c5c95f5bab69f7664cd4a0850a55554a1394a3dfe8252d048227df6ca8f0aec034f5954dbfc8eaf2137e642970364f71c1a5be5d5a68b6e5c32858f9e7

Download Submit
C:\comhostDhcpcommon\V15q6MjWRY5zvqjkxpp.bat

Filesize
38B

MD5
9daeb83018f1b30f4911748df09b9fa5

SHA1
6162370200b2c9e65620291d6ff114236492824e

SHA256
c85b773f45f51d07874769ea344f153f63709b38f04cfc4180a7791392dcd5bb

SHA512
1ec027262ba1aca607e00d00afb4cff5f471f39fb76760a1ac7af1437bd23814f0cb1ef8cad2211db104772ba02501812ba8e96f41ee3e0da56a7aac3ef5bced

Download Submit
C:\comhostDhcpcommon\agentServer.exe

Filesize
829KB

MD5
9bc17f902aa42e14e3942b2895bbcd50

SHA1
a9ae75b0ec339a7fbbde2dc67fbf3639fdf046c2

SHA256
6133eab082730a37822829c47341c6f0d4dfd8fcec990e9d1a29067dcb32421b

SHA512
a9b0918cb2add3fd507b38d929b1dff8f433020fa885f2b76c79d8bd8e471d4baa6df7f8d1f3a09397d7d10c03b2f49c4870646d6225d0e22de0806ae5a9de46

Download Submit
C:\comhostDhcpcommon\agentServer.exe

Filesize
829KB

MD5
9bc17f902aa42e14e3942b2895bbcd50

SHA1
a9ae75b0ec339a7fbbde2dc67fbf3639fdf046c2

SHA256
6133eab082730a37822829c47341c6f0d4dfd8fcec990e9d1a29067dcb32421b

SHA512
a9b0918cb2add3fd507b38d929b1dff8f433020fa885f2b76c79d8bd8e471d4baa6df7f8d1f3a09397d7d10c03b2f49c4870646d6225d0e22de0806ae5a9de46

Download Submit
C:\comhostDhcpcommon\agentServer.exe

Filesize
829KB

MD5
9bc17f902aa42e14e3942b2895bbcd50

SHA1
a9ae75b0ec339a7fbbde2dc67fbf3639fdf046c2

SHA256
6133eab082730a37822829c47341c6f0d4dfd8fcec990e9d1a29067dcb32421b

SHA512
a9b0918cb2add3fd507b38d929b1dff8f433020fa885f2b76c79d8bd8e471d4baa6df7f8d1f3a09397d7d10c03b2f49c4870646d6225d0e22de0806ae5a9de46

Download Submit
C:\comhostDhcpcommon\f3b6ecef712a24

Filesize
763B

MD5
7afc1095e9ba53aa9fed18ffa9d257fe

SHA1
40cce9f3d3390b966044bdf8dcfe2bfee404ae38

SHA256
976439d0e05b4f738debdb11a90ba806738f004bda0c9ddd480f3e912155b6ca

SHA512
a112c02c92b2c9c977668d74153ec3cb9a14af78665c852ddeb074ec3b57b7d0d01f96f07d21cd0fb7e2fbae14eb669d49abc7d59b0c8e92d6b96766664bd83a

Download Submit
C:\comhostDhcpcommon\spoolsv.exe

Filesize
829KB

MD5
9bc17f902aa42e14e3942b2895bbcd50

SHA1
a9ae75b0ec339a7fbbde2dc67fbf3639fdf046c2

SHA256
6133eab082730a37822829c47341c6f0d4dfd8fcec990e9d1a29067dcb32421b

SHA512
a9b0918cb2add3fd507b38d929b1dff8f433020fa885f2b76c79d8bd8e471d4baa6df7f8d1f3a09397d7d10c03b2f49c4870646d6225d0e22de0806ae5a9de46

Download Submit
C:\comhostDhcpcommon\spoolsv.exe

Filesize
829KB

MD5
9bc17f902aa42e14e3942b2895bbcd50

SHA1
a9ae75b0ec339a7fbbde2dc67fbf3639fdf046c2

SHA256
6133eab082730a37822829c47341c6f0d4dfd8fcec990e9d1a29067dcb32421b

SHA512
a9b0918cb2add3fd507b38d929b1dff8f433020fa885f2b76c79d8bd8e471d4baa6df7f8d1f3a09397d7d10c03b2f49c4870646d6225d0e22de0806ae5a9de46

Download Submit
\Users\Admin\AppData\Local\Temp\prikol.exe

Filesize
1.1MB

MD5
1df91d3d9db8d531d84c3090af0c5399

SHA1
d5289bf48dc32630219ca3fb50b9509e40a61d82

SHA256
a6e63a37391179fcb2b624a4e3a12a2d59fcd2479b79d8e0d117facd0b6b4948

SHA512
85762e86d9aeb7d8360af01405e90fd5a06c1b5f53c5c913b1a2d025361bed7e3bb8cfca05e23c3ae87fe9fec8073e4687d5700d88b29adaa027186186288979

Download Submit
\comhostDhcpcommon\agentServer.exe

Filesize
829KB

MD5
9bc17f902aa42e14e3942b2895bbcd50

SHA1
a9ae75b0ec339a7fbbde2dc67fbf3639fdf046c2

SHA256
6133eab082730a37822829c47341c6f0d4dfd8fcec990e9d1a29067dcb32421b

SHA512
a9b0918cb2add3fd507b38d929b1dff8f433020fa885f2b76c79d8bd8e471d4baa6df7f8d1f3a09397d7d10c03b2f49c4870646d6225d0e22de0806ae5a9de46

Download Submit
\comhostDhcpcommon\agentServer.exe

Filesize
829KB

MD5
9bc17f902aa42e14e3942b2895bbcd50

SHA1
a9ae75b0ec339a7fbbde2dc67fbf3639fdf046c2

SHA256
6133eab082730a37822829c47341c6f0d4dfd8fcec990e9d1a29067dcb32421b

SHA512
a9b0918cb2add3fd507b38d929b1dff8f433020fa885f2b76c79d8bd8e471d4baa6df7f8d1f3a09397d7d10c03b2f49c4870646d6225d0e22de0806ae5a9de46

Download Submit
memory/852-74-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/852-72-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/852-106-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/1056-110-0x000000001AE80000-0x000000001AF00000-memory.dmp

Filesize
512KB

Download
memory/1056-139-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/1056-109-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/1056-108-0x00000000003C0000-0x0000000000496000-memory.dmp

Filesize
856KB

Download
memory/2320-105-0x000007FEF60A0000-0x000007FEF6A8C000-memory.dmp

Filesize
9.9MB

Download
memory/2320-83-0x000000001B170000-0x000000001B1F0000-memory.dmp

Filesize
512KB

Download
memory/2320-82-0x000007FEF60A0000-0x000007FEF6A8C000-memory.dmp

Filesize
9.9MB

Download
memory/2320-81-0x0000000001390000-0x0000000001466000-memory.dmp

Filesize
856KB

Download
memory/2816-137-0x0000000000910000-0x00000000009E6000-memory.dmp

Filesize
856KB

Download
memory/2816-138-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/2816-140-0x000000001ADA0000-0x000000001AE20000-memory.dmp

Filesize
512KB

Download
memory/2816-141-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/2816-142-0x000000001ADA0000-0x000000001AE20000-memory.dmp

Filesize
512KB

Download
memory/2924-71-0x0000000002A90000-0x0000000002A92000-memory.dmp

Filesize
8KB

Download