dcrat | 3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
Size

828KB
MD5

af741ec427d46644c68572c50f87d61e
SHA1

7e31fdcd599478fe8e6b9b07be11ff307d79ce53
SHA256

3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731
SHA512

ae5a81bcf21c60b32e67be306daa8eeb6bfa5e24723e46c8519ea095fccaf3509ba6a3f0372a0e4412d75f1c16eb0e634a3f31a77bb68c248d238c45af5896e8
SSDEEP

12288:dKAvgOSpwbrYBil5nRRWZlN4CBe1bqOhSiXLu5uWWDKT+pDu:hvgOSpwYE53+4F+OhzlmT+pDu

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
File created	C:\Windows\Fonts\5940a34987c991		3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
		1688	schtasks.exe
		2348	schtasks.exe
		2100	schtasks.exe
		768	schtasks.exe
		2592	schtasks.exe
		2328	schtasks.exe
		2420	schtasks.exe
		2068	schtasks.exe
		2004	schtasks.exe
File created	C:\Windows\Migration\WTR\6203df4a6bafc7		3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\5f5e3257b2ba1c		3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
		2696	schtasks.exe
		2980	schtasks.exe
		2364	schtasks.exe
		1092	schtasks.exe
		1540	schtasks.exe
		1748	schtasks.exe
		1972	schtasks.exe
		1848	schtasks.exe
		1200	schtasks.exe
		2084	schtasks.exe
		1988	schtasks.exe
		1620	schtasks.exe
		1392	schtasks.exe
		2668	schtasks.exe
		1744	schtasks.exe
		520	schtasks.exe
		592	schtasks.exe
		2960	schtasks.exe
		3012	schtasks.exe
		656	schtasks.exe
		2540	schtasks.exe
		2272	schtasks.exe
File created	C:\Program Files\Common Files\System\services.exe		3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
		2212	schtasks.exe
		1364	schtasks.exe
		2132	schtasks.exe
		632	schtasks.exe
		2572	schtasks.exe
		1668	schtasks.exe
		2888	schtasks.exe
		476	schtasks.exe
		2404	schtasks.exe
		3048	schtasks.exe
		1820	schtasks.exe
		2360	schtasks.exe
		1056	schtasks.exe
		2524	schtasks.exe
		912	schtasks.exe
		1816	schtasks.exe
		1392	schtasks.exe
		944	schtasks.exe
		3028	schtasks.exe
		1760	schtasks.exe
		2612	schtasks.exe
		2072	schtasks.exe
		2600	schtasks.exe
		2228	schtasks.exe
		840	schtasks.exe
		2592	schtasks.exe
		2816	schtasks.exe
		2340	schtasks.exe
		2512	schtasks.exe

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	520	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2692	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2692	schtasks.exe	28

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2288-0-0x0000000000CD0000-0x0000000000DA6000-memory.dmp	dcrat
behavioral1/memory/2288-2-0x00000000003F0000-0x0000000000470000-memory.dmp	dcrat
behavioral1/files/0x0006000000018af3-11.dat	dcrat
behavioral1/memory/2564-123-0x0000000000EB0000-0x0000000000F86000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2564	schtasks.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\sk-SK\audiodg.exe	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Windows\System32\sk-SK\42af1c969fbb7b	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe

Drops file in Program Files directory 36 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\smss.exe	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files (x86)\Reference Assemblies\dwm.exe	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\System.exe	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files\7-Zip\Lang\cc11b995f2a76d	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files (x86)\Common Files\Services\schtasks.exe	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File opened for modification	C:\Program Files\Common Files\System\services.exe	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\de-DE\smss.exe	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\c5b4cb5e9653cc	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files\Windows Defender\en-US\schtasks.exe	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files (x86)\Google\CrashReports\3a6fe29a7ceee6	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files\Common Files\System\c5b4cb5e9653cc	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\27d1bcfc3c54e0	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\886983d96e3d3e	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files\Windows Media Player\de-DE\886983d96e3d3e	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\69ddcba757bf72	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files\7-Zip\Lang\winlogon.exe	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\de-DE\69ddcba757bf72	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\csrss.exe	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files\Windows Media Player\de-DE\csrss.exe	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files (x86)\Common Files\Services\3a6fe29a7ceee6	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\schtasks.exe	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\3a6fe29a7ceee6	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files (x86)\Reference Assemblies\6cb0b6c459d5d3	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\5f5e3257b2ba1c	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\services.exe	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\c5b4cb5e9653cc	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files\Windows Defender\en-US\3a6fe29a7ceee6	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\3a6fe29a7ceee6	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files\Common Files\System\services.exe	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files (x86)\Windows Portable Devices\wininit.exe	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files (x86)\Windows Portable Devices\56085415360792	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files (x86)\Google\CrashReports\schtasks.exe	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\schtasks.exe	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Web\Wallpaper\3a6fe29a7ceee6	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Windows\fr-FR\spoolsv.exe	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Windows\ja-JP\101b941d020240	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Windows\twain_32\explorer.exe	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Windows\ja-JP\lsm.exe	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Windows\Performance\WinSAT\DataStore\smss.exe	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Windows\Performance\WinSAT\DataStore\69ddcba757bf72	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Windows\twain_32\7a0fd90576e088	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Windows\Fonts\5940a34987c991	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Windows\Migration\WTR\lsass.exe	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Windows\Migration\WTR\6203df4a6bafc7	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Windows\fr-FR\f3b6ecef712a24	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Windows\Boot\taskhost.exe	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Windows\Web\Wallpaper\schtasks.exe	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
File created	C:\Windows\Fonts\dllhost.exe	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1048	schtasks.exe
2240	schtasks.exe
2084	schtasks.exe
2860	schtasks.exe
1364	schtasks.exe
1816	schtasks.exe
2992	schtasks.exe
1200	schtasks.exe
836	schtasks.exe
960	schtasks.exe
2360	schtasks.exe
1636	schtasks.exe
1092	schtasks.exe
520	schtasks.exe
1204	schtasks.exe
1688	schtasks.exe
3012	schtasks.exe
1744	schtasks.exe
1640	schtasks.exe
680	schtasks.exe
2392	schtasks.exe
944	schtasks.exe
2600	schtasks.exe
2004	schtasks.exe
3040	schtasks.exe
2656	schtasks.exe
2228	schtasks.exe
656	schtasks.exe
1576	schtasks.exe
2816	schtasks.exe
2580	schtasks.exe
392	schtasks.exe
2312	schtasks.exe
2980	schtasks.exe
3052	schtasks.exe
1748	schtasks.exe
2592	schtasks.exe
2612	schtasks.exe
2012	schtasks.exe
1960	schtasks.exe
276	schtasks.exe
1484	schtasks.exe
2864	schtasks.exe
1952	schtasks.exe
2592	schtasks.exe
632	schtasks.exe
1720	schtasks.exe
2560	schtasks.exe
3028	schtasks.exe
1620	schtasks.exe
2924	schtasks.exe
2540	schtasks.exe
584	schtasks.exe
1548	schtasks.exe
2696	schtasks.exe
1496	schtasks.exe
2344	schtasks.exe
1864	schtasks.exe
1524	schtasks.exe
476	schtasks.exe
2272	schtasks.exe
2404	schtasks.exe
2888	schtasks.exe
1956	schtasks.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2288	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
2288	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
2288	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
2288	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
2288	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
676	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
676	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
676	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
676	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
676	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
676	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
676	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
768	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
768	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
768	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
2580	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
2580	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
2580	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
2580	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
2580	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
2580	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
2580	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
2580	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
2580	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
2580	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
2580	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
2564	schtasks.exe
2564	schtasks.exe
2564	schtasks.exe
2564	schtasks.exe
2564	schtasks.exe
2564	schtasks.exe
2564	schtasks.exe
2564	schtasks.exe
2564	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2564	schtasks.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2288	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
Token: SeDebugPrivilege	676	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
Token: SeDebugPrivilege	768	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
Token: SeDebugPrivilege	2580	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
Token: SeDebugPrivilege	2564	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 336	2288	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe	62
PID 2288 wrote to memory of 336	2288	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe	62
PID 2288 wrote to memory of 336	2288	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe	62
PID 336 wrote to memory of 2920	336	cmd.exe	64
PID 336 wrote to memory of 2920	336	cmd.exe	64
PID 336 wrote to memory of 2920	336	cmd.exe	64
PID 336 wrote to memory of 676	336	cmd.exe	65
PID 336 wrote to memory of 676	336	cmd.exe	65
PID 336 wrote to memory of 676	336	cmd.exe	65
PID 676 wrote to memory of 768	676	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe	117
PID 676 wrote to memory of 768	676	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe	117
PID 676 wrote to memory of 768	676	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe	117
PID 768 wrote to memory of 2580	768	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe	154
PID 768 wrote to memory of 2580	768	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe	154
PID 768 wrote to memory of 2580	768	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe	154
PID 2580 wrote to memory of 2564	2580	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe	182
PID 2580 wrote to memory of 2564	2580	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe	182
PID 2580 wrote to memory of 2564	2580	3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe	182

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
"C:\Users\Admin\AppData\Local\Temp\3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe"
1⤵
- DcRat
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GC7cxal2vL.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:336
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2920
- - C:\Users\Admin\AppData\Local\Temp\3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
    "C:\Users\Admin\AppData\Local\Temp\3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe"
    3⤵
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:676
  - - C:\Users\Admin\AppData\Local\Temp\3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
      "C:\Users\Admin\AppData\Local\Temp\3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe"
      4⤵
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:768
    - - C:\Users\Admin\AppData\Local\Temp\3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe"
        5⤵
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
      - C:\Program Files\Mozilla Firefox\browser\features\schtasks.exe
        
        "C:\Program Files\Mozilla Firefox\browser\features\schtasks.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\System\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\System\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\twain_32\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\twain_32\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\twain_32\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\Migration\WTR\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\ja-JP\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf7313" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Gadgets\3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf7313" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Gadgets\3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\en-US\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\de-DE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\fr-FR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\fr-FR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf7313" /sc MINUTE /mo 7 /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731" /sc ONLOGON /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf7313" /sc MINUTE /mo 13 /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\services.exe'" /rl HIGHEST /f
1⤵
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\dwm.exe'" /f
1⤵
- DcRat
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\dwm.exe'" /rl HIGHEST /f
1⤵
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\dwm.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\services.exe'" /f
1⤵
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\csrss.exe'" /f
1⤵
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\csrss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- DcRat
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Videos\audiodg.exe'" /f
1⤵
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\Videos\audiodg.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Videos\audiodg.exe'" /rl HIGHEST /f
1⤵
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe'" /f
1⤵
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe'" /rl HIGHEST /f
1⤵
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf7313" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Start Menu\3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe'" /f
1⤵
- DcRat
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf7313" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\LocalLow\Idle.exe'" /f
1⤵
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\AppData\LocalLow\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\LocalLow\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\Idle.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\Idle.exe'" /rl HIGHEST /f
1⤵
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\Idle.exe'" /f
1⤵
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\schtasks.exe'" /f
1⤵
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\schtasks.exe'" /rl HIGHEST /f
1⤵
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\schtasks.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\de-DE\csrss.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\System32\sk-SK\audiodg.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\System32\sk-SK\audiodg.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\System32\sk-SK\audiodg.exe'" /rl HIGHEST /f
1⤵
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\CrashReports\schtasks.exe'" /f
1⤵
- DcRat
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\schtasks.exe'" /rl HIGHEST /f
1⤵
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\CrashReports\schtasks.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\Wallpaper\schtasks.exe'" /f
1⤵
- DcRat
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\schtasks.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\smss.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 5 /tr "'C:\Windows\Web\Wallpaper\schtasks.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\schtasks.exe'" /f
1⤵
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\schtasks.exe'" /rl HIGHEST /f
1⤵
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\schtasks.exe'" /rl HIGHEST /f
1⤵
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\WinSAT\DataStore\smss.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\Performance\WinSAT\DataStore\smss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\smss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- DcRat
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\wininit.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Downloads\wininit.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Downloads\wininit.exe'" /rl HIGHEST /f
1⤵
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\browser\features\schtasks.exe'" /f
1⤵
- DcRat
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\schtasks.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\browser\features\schtasks.exe'" /rl HIGHEST /f
1⤵
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\en-US\schtasks.exe'" /f
1⤵
- Creates scheduled task(s)
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\schtasks.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\en-US\schtasks.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\System.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Services\schtasks.exe'" /f
1⤵
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Services\schtasks.exe'" /rl HIGHEST /f
1⤵
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\schtasks.exe'" /rl HIGHEST /f
1⤵
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\wininit.exe'" /f
1⤵
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\wininit.exe'" /rl HIGHEST /f
1⤵
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\schtasks.exe'" /f
1⤵
- DcRat
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\schtasks.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\schtasks.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\dwm.exe

Filesize
828KB

MD5
af741ec427d46644c68572c50f87d61e

SHA1
7e31fdcd599478fe8e6b9b07be11ff307d79ce53

SHA256
3e4493f78ba3b135a512c640d1aee8b6938f3613521d8a9262ef31b604fbf731

SHA512
ae5a81bcf21c60b32e67be306daa8eeb6bfa5e24723e46c8519ea095fccaf3509ba6a3f0372a0e4412d75f1c16eb0e634a3f31a77bb68c248d238c45af5896e8

Download Submit
C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\56085415360792

Filesize
636B

MD5
06c3a56a9d3863a5fc150676dbd5d594

SHA1
faea4b111fd3169fb9289e49b171d466c75545d9

SHA256
e0ba0bbac3ac0cc899a5b68b521596b9124b9ce143fd25afb82a7aa13937ac3e

SHA512
e33bdbf682509854c22ada9c95cba1917bc16db1fecc42a4d0d8e6965856d15e8ac098f6e9623f3952103244c9ed36b58d9577a10519d1cac56e0523bb85a981

Download Submit
C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\69ddcba757bf72

Filesize
90B

MD5
3d3501f5e8236c6836f39a5546c4a126

SHA1
d8ae1361fd7a265996ea933fa2a6b9d2a56e8fa7

SHA256
a9d17b91d30027db4d5b4dccd51b4b4c3d345dcf5b83d9bcacc6bf2c2c1dbc2f

SHA512
4fb689be02959812e4cb50d7656474979425acd4677b5edac5d7f0e057f9043b51a2f8b0137a98f4bd2db1c383baddc7db8b3e7fc7633ee31f001c07b44027a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GC7cxal2vL.bat

Filesize
267B

MD5
d30bfb4c8aedaa0b41a69477fc73d6f1

SHA1
d3b495f4caec62dcc9029629904cc36405be47b0

SHA256
d29d79337750d49039aa077b54527120b2e08cbdb0df04c2ae88886a82444d23

SHA512
d3d3165efb3b832f089124bd701eaa0e1215b6151da47ea719ab3e97265758beb8402234e76f721e2f33435b80fa22cd576384c10efc53e33499e4cfe3d6c91e

Download Submit
memory/676-31-0x000007FEF4B60000-0x000007FEF554C000-memory.dmp

Filesize
9.9MB

Download
memory/676-67-0x000007FEF4B60000-0x000007FEF554C000-memory.dmp

Filesize
9.9MB

Download
memory/768-66-0x000007FEF4B60000-0x000007FEF554C000-memory.dmp

Filesize
9.9MB

Download
memory/768-126-0x000007FEF4B60000-0x000007FEF554C000-memory.dmp

Filesize
9.9MB

Download
memory/768-68-0x000000001ACE0000-0x000000001AD60000-memory.dmp

Filesize
512KB

Download
memory/2288-29-0x000007FEF5550000-0x000007FEF5F3C000-memory.dmp

Filesize
9.9MB

Download
memory/2288-0-0x0000000000CD0000-0x0000000000DA6000-memory.dmp

Filesize
856KB

Download
memory/2288-2-0x00000000003F0000-0x0000000000470000-memory.dmp

Filesize
512KB

Download
memory/2288-1-0x000007FEF5550000-0x000007FEF5F3C000-memory.dmp

Filesize
9.9MB

Download
memory/2564-123-0x0000000000EB0000-0x0000000000F86000-memory.dmp

Filesize
856KB

Download
memory/2564-124-0x000007FEF4B60000-0x000007FEF554C000-memory.dmp

Filesize
9.9MB

Download
memory/2564-127-0x000007FEF4B60000-0x000007FEF554C000-memory.dmp

Filesize
9.9MB

Download
memory/2580-95-0x000007FEF4B60000-0x000007FEF554C000-memory.dmp

Filesize
9.9MB

Download
memory/2580-96-0x000000001AEC0000-0x000000001AF40000-memory.dmp

Filesize
512KB

Download
memory/2580-125-0x000007FEF4B60000-0x000007FEF554C000-memory.dmp

Filesize
9.9MB

Download