dcrat | 2f949ec92bdeb2498382e19b8588048fc6ff21aee5a29ade4433f1d6ea3d43aa

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f949ec92bdeb2498382e19b8588048fc6ff21aee5a29ade4433f1d6ea3d43aa.exe
Size

1.4MB
MD5

0dd0c6f698a708a404a557cbb55b281c
SHA1

974be3c05755714a185b183be657a3c4123767d2
SHA256

2f949ec92bdeb2498382e19b8588048fc6ff21aee5a29ade4433f1d6ea3d43aa
SHA512

b235c5e74eae9d493f625ebd489d99f58dc484c37559d3e5aa65135ceefba3e9950d98429295ff72db7d82a238da4af669740ae0fd1159150c908e3ceef58cdb
SSDEEP

24576:U2G/nvxW3Ww0txuMyTPo5JOeM/ibuPp7GWrGCmxhejeKjn:UbA30xuMy6JOx/GCmmj7D

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		4656	schtasks.exe
		748	schtasks.exe
		1744	schtasks.exe
		2912	schtasks.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\e1ef82546f0b02		Hypercomponent.exe
		4736	schtasks.exe
File created	C:\Program Files\Windows Mail\886983d96e3d3e		Hypercomponent.exe
		1992	schtasks.exe
		4744	schtasks.exe
		1476	schtasks.exe
		4728	schtasks.exe
		4424	schtasks.exe
		1060	schtasks.exe
		4312	schtasks.exe
		2908	schtasks.exe
		4872	schtasks.exe
		4340	schtasks.exe
		464	schtasks.exe
		1480	schtasks.exe
		5076	schtasks.exe
		1664	schtasks.exe
		4160	schtasks.exe
		1712	schtasks.exe
		4848	schtasks.exe
		3564	schtasks.exe
		1480	schtasks.exe
		3032	schtasks.exe
		3844	schtasks.exe
		1380	schtasks.exe
		996	schtasks.exe
		872	schtasks.exe
		4460	schtasks.exe
		4216	schtasks.exe
		4724	schtasks.exe
		2232	schtasks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation		2f949ec92bdeb2498382e19b8588048fc6ff21aee5a29ade4433f1d6ea3d43aa.exe
		4424	schtasks.exe
		4520	schtasks.exe
		2008	schtasks.exe
		1676	schtasks.exe
		1780	schtasks.exe
		464	schtasks.exe
		4064	schtasks.exe
		3104	schtasks.exe
		2488	schtasks.exe
		2524	schtasks.exe
		4412	schtasks.exe
		1592	schtasks.exe
		740	schtasks.exe
		4212	schtasks.exe
		4656	schtasks.exe
		428	schtasks.exe
		4852	schtasks.exe
		2192	schtasks.exe
		1780	schtasks.exe
		1224	schtasks.exe
		2448	schtasks.exe
		2740	schtasks.exe
		2548	schtasks.exe
		1224	schtasks.exe
		4004	schtasks.exe
		2524	schtasks.exe
		3516	schtasks.exe
		1636	schtasks.exe

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4064	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3516	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3104	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3516	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	2804	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	2804	schtasks.exe	94

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023429-10.dat	dcrat
behavioral2/memory/3680-13-0x00000000003B0000-0x00000000004D6000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	2f949ec92bdeb2498382e19b8588048fc6ff21aee5a29ade4433f1d6ea3d43aa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Hypercomponent.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Hypercomponent.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Hypercomponent.exe

Executes dropped EXE 4 IoCs

pid	Process
3680	Hypercomponent.exe
748	Hypercomponent.exe
1816	Hypercomponent.exe
2744	System.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\886983d96e3d3e	Hypercomponent.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhostw.exe	Hypercomponent.exe
File created	C:\Program Files\Mozilla Firefox\fonts\System.exe	Hypercomponent.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\RuntimeBroker.exe	Hypercomponent.exe
File created	C:\Program Files\Internet Explorer\6203df4a6bafc7	Hypercomponent.exe
File created	C:\Program Files\Mozilla Firefox\fonts\27d1bcfc3c54e0	Hypercomponent.exe
File created	C:\Program Files\Internet Explorer\lsass.exe	Hypercomponent.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\spoolsv.exe	Hypercomponent.exe
File created	C:\Program Files\Windows Multimedia Platform\ee2ad38f3d4382	Hypercomponent.exe
File created	C:\Program Files\Windows Multimedia Platform\Registry.exe	Hypercomponent.exe
File created	C:\Program Files\ModifiableWindowsApps\System.exe	Hypercomponent.exe
File created	C:\Program Files\dotnet\swidtag\explorer.exe	Hypercomponent.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\56085415360792	Hypercomponent.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\f3b6ecef712a24	Hypercomponent.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\SppExtComObj.exe	Hypercomponent.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\69ddcba757bf72	Hypercomponent.exe
File created	C:\Program Files (x86)\Microsoft.NET\explorer.exe	Hypercomponent.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\explorer.exe	Hypercomponent.exe
File created	C:\Program Files (x86)\Microsoft.NET\7a0fd90576e088	Hypercomponent.exe
File created	C:\Program Files\MSBuild\Microsoft\taskhostw.exe	Hypercomponent.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe	Hypercomponent.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\9e8d7a4ca61bd9	Hypercomponent.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\Registry.exe	Hypercomponent.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\e1ef82546f0b02	Hypercomponent.exe
File created	C:\Program Files\Uninstall Information\RuntimeBroker.exe	Hypercomponent.exe
File created	C:\Program Files\Uninstall Information\9e8d7a4ca61bd9	Hypercomponent.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe	Hypercomponent.exe
File created	C:\Program Files\Windows Mail\csrss.exe	Hypercomponent.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\ea9f0e6c9e2dcd	Hypercomponent.exe
File created	C:\Program Files\dotnet\swidtag\7a0fd90576e088	Hypercomponent.exe
File created	C:\Program Files\MSBuild\Microsoft\ea9f0e6c9e2dcd	Hypercomponent.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Registration\dwm.exe	Hypercomponent.exe
File created	C:\Windows\Registration\6cb0b6c459d5d3	Hypercomponent.exe
File created	C:\Windows\Vss\Writers\Application\System.exe	Hypercomponent.exe
File created	C:\Windows\Vss\Writers\Application\27d1bcfc3c54e0	Hypercomponent.exe
File created	C:\Windows\Panther\setup.exe\SppExtComObj.exe	Hypercomponent.exe
File created	C:\Windows\Panther\setup.exe\e1ef82546f0b02	Hypercomponent.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4236	schtasks.exe
4520	schtasks.exe
4212	schtasks.exe
2524	schtasks.exe
1480	schtasks.exe
4312	schtasks.exe
2920	schtasks.exe
4456	schtasks.exe
2912	schtasks.exe
4656	schtasks.exe
1480	schtasks.exe
4064	schtasks.exe
1968	schtasks.exe
1636	schtasks.exe
2740	schtasks.exe
1380	schtasks.exe
3844	schtasks.exe
3216	schtasks.exe
2192	schtasks.exe
748	schtasks.exe
4744	schtasks.exe
1504	schtasks.exe
4424	schtasks.exe
2200	schtasks.exe
4160	schtasks.exe
1488	schtasks.exe
3516	schtasks.exe
4788	schtasks.exe
2232	schtasks.exe
464	schtasks.exe
3032	schtasks.exe
2908	schtasks.exe
1380	schtasks.exe
2404	schtasks.exe
740	schtasks.exe
4656	schtasks.exe
4736	schtasks.exe
5076	schtasks.exe
4004	schtasks.exe
8	schtasks.exe
1592	schtasks.exe
428	schtasks.exe
1992	schtasks.exe
2800	schtasks.exe
996	schtasks.exe
4420	schtasks.exe
1780	schtasks.exe
4672	schtasks.exe
4912	schtasks.exe
1364	schtasks.exe
4848	schtasks.exe
1664	schtasks.exe
1224	schtasks.exe
2444	schtasks.exe
1676	schtasks.exe
2560	schtasks.exe
4004	schtasks.exe
2172	schtasks.exe
872	schtasks.exe
1392	schtasks.exe
1476	schtasks.exe
4460	schtasks.exe
1060	schtasks.exe
3564	schtasks.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	2f949ec92bdeb2498382e19b8588048fc6ff21aee5a29ade4433f1d6ea3d43aa.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	Hypercomponent.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	Hypercomponent.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
3680	Hypercomponent.exe
3680	Hypercomponent.exe
3680	Hypercomponent.exe
3680	Hypercomponent.exe
3680	Hypercomponent.exe
3680	Hypercomponent.exe
3680	Hypercomponent.exe
3680	Hypercomponent.exe
3680	Hypercomponent.exe
3680	Hypercomponent.exe
3680	Hypercomponent.exe
3680	Hypercomponent.exe
748	Hypercomponent.exe
748	Hypercomponent.exe
748	Hypercomponent.exe
1816	Hypercomponent.exe
1816	Hypercomponent.exe
1816	Hypercomponent.exe
1816	Hypercomponent.exe
1816	Hypercomponent.exe
1816	Hypercomponent.exe
1816	Hypercomponent.exe
1816	Hypercomponent.exe
1816	Hypercomponent.exe
1816	Hypercomponent.exe
1816	Hypercomponent.exe
1816	Hypercomponent.exe
1816	Hypercomponent.exe
1816	Hypercomponent.exe
1816	Hypercomponent.exe
1816	Hypercomponent.exe
2744	System.exe
2744	System.exe
2744	System.exe
2744	System.exe
2744	System.exe
2744	System.exe
2744	System.exe
2744	System.exe
2744	System.exe
2744	System.exe
2744	System.exe
2744	System.exe
2744	System.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2744	System.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3680	Hypercomponent.exe
Token: SeDebugPrivilege	748	Hypercomponent.exe
Token: SeDebugPrivilege	1816	Hypercomponent.exe
Token: SeDebugPrivilege	2744	System.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 4000	4864	2f949ec92bdeb2498382e19b8588048fc6ff21aee5a29ade4433f1d6ea3d43aa.exe	83
PID 4864 wrote to memory of 4000	4864	2f949ec92bdeb2498382e19b8588048fc6ff21aee5a29ade4433f1d6ea3d43aa.exe	83
PID 4864 wrote to memory of 4000	4864	2f949ec92bdeb2498382e19b8588048fc6ff21aee5a29ade4433f1d6ea3d43aa.exe	83
PID 4000 wrote to memory of 528	4000	WScript.exe	96
PID 4000 wrote to memory of 528	4000	WScript.exe	96
PID 4000 wrote to memory of 528	4000	WScript.exe	96
PID 528 wrote to memory of 3680	528	cmd.exe	98
PID 528 wrote to memory of 3680	528	cmd.exe	98
PID 3680 wrote to memory of 748	3680	Hypercomponent.exe	126
PID 3680 wrote to memory of 748	3680	Hypercomponent.exe	126
PID 748 wrote to memory of 1660	748	Hypercomponent.exe	140
PID 748 wrote to memory of 1660	748	Hypercomponent.exe	140
PID 1660 wrote to memory of 3860	1660	cmd.exe	143
PID 1660 wrote to memory of 3860	1660	cmd.exe	143
PID 1660 wrote to memory of 1816	1660	cmd.exe	144
PID 1660 wrote to memory of 1816	1660	cmd.exe	144
PID 1816 wrote to memory of 764	1816	Hypercomponent.exe	199
PID 1816 wrote to memory of 764	1816	Hypercomponent.exe	199
PID 764 wrote to memory of 2176	764	cmd.exe	201
PID 764 wrote to memory of 2176	764	cmd.exe	201
PID 764 wrote to memory of 2744	764	cmd.exe	202
PID 764 wrote to memory of 2744	764	cmd.exe	202

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2f949ec92bdeb2498382e19b8588048fc6ff21aee5a29ade4433f1d6ea3d43aa.exe
"C:\Users\Admin\AppData\Local\Temp\2f949ec92bdeb2498382e19b8588048fc6ff21aee5a29ade4433f1d6ea3d43aa.exe"
1⤵
- DcRat
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\dllnetcommon\nksvCU.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\dllnetcommon\CZ0AxGh8iI0xX.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:528
  - - C:\dllnetcommon\Hypercomponent.exe
      "C:\dllnetcommon\Hypercomponent.exe"
      4⤵
      DcRat
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3680
    - - C:\dllnetcommon\Hypercomponent.exe
        
        "C:\dllnetcommon\Hypercomponent.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:748
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nkLbemKWfx.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3860
        
        C:\dllnetcommon\Hypercomponent.exe
        
        "C:\dllnetcommon\Hypercomponent.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1xLZnJRsdK.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2176
        
        C:\Recovery\WindowsRE\System.exe
        
        "C:\Recovery\WindowsRE\System.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\dllnetcommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\dllnetcommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\dllnetcommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\WaaSMedicAgent.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Users\Admin\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhostw.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\fonts\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\fonts\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Templates\services.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Templates\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Templates\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Registration\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\Registration\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\Network Sharing\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\Network Sharing\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\dotnet\swidtag\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\dotnet\swidtag\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Music\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Music\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Music\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\taskhostw.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\dllnetcommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\dllnetcommon\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\dllnetcommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\dllnetcommon\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\dllnetcommon\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\dllnetcommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\dllnetcommon\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\dllnetcommon\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\dllnetcommon\smss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:3844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\dllnetcommon\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\dllnetcommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\dllnetcommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\taskhostw.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\Vss\Writers\Application\System.exe'" /f
1⤵
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\System.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\Vss\Writers\Application\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\lsass.exe'" /f
1⤵
- Creates scheduled task(s)
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\spoolsv.exe'" /f
1⤵
- DcRat
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Windows\Panther\setup.exe\SppExtComObj.exe'" /f
1⤵
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Windows\Panther\setup.exe\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\7a0fd90576e088

Filesize
76B

MD5
d333bdd2b5b3da6f177ea2648c79303a

SHA1
29f660328b16ef34bfda3892ffe0edbe27b916fa

SHA256
423f5f6e2c51a1aa1819ca8caed127ebe6f262c15a3cbebbf229465e121995b0

SHA512
06298a63a13817cc653f7aeba03f57a233621a64089dcfc2c83f0e27c35576789d696afa06c851a3360c429476b374edb922d0ed15cf365c4ac897f16d7b9886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Hypercomponent.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Temp\1xLZnJRsdK.bat

Filesize
197B

MD5
a2283474b2ce382b625ee03bb6b0ecb0

SHA1
e8f2187d2ae4719ed01a47147bc488b02937397d

SHA256
ccd6ce46efe3efe4cfc9b7596697318ef2ac59311604e4ffefeb0356bc9044c3

SHA512
2f5d44716fae13fae743bc9edfcc3d58939b8aedf790d58dd2a8d4a5d33594cfabce498601b2e56eae551b6d1e16c6e8a5c22182dcb0e9be7313b86de9c03cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkLbemKWfx.bat

Filesize
199B

MD5
212d61710a873ab902b09a9c0a630829

SHA1
9dc87172139abcb2ea7feb167dac4c6ad684d6b3

SHA256
ab6a92a565b7c69717c99558785f3cfe09c318494fe5fd0307d2d8ca87f5358d

SHA512
16f0869ceadd6d2129873a08f49b5caa8f42e345bac146ec137f76ce48f82d5c1121ccda700a4cf8a31b0ce24842012c2e17c2b62569eed00e9f4b5be63c81df

Download Submit
C:\dllnetcommon\CZ0AxGh8iI0xX.bat

Filesize
36B

MD5
a7ccb379ea9088b989b98f4b276a6dae

SHA1
8e779da19dc4079fb7756ee39ccb09323ad1c698

SHA256
b6e2d4c42b7e0005c705b98df4fae50ffea17f18bcfa989929bd04cd8acc8dd9

SHA512
3b3f24c5631357e6bbc3e61466d613f761ad1311d6be8b516f9917512c99c89e8d734c4651756fef05b52b39d09ef89bce9afbb1fa2aecb5af8af9bda4c68f47

Download Submit
C:\dllnetcommon\Hypercomponent.exe

Filesize
1.1MB

MD5
18d11f5deb5b177a7025dea61ac9699f

SHA1
c2b707419d5edc966ed57f5cd517214c01eccc17

SHA256
f388054504d405891e096ac309e2f2cd79b31e57d26bd35b656355087d848fcb

SHA512
b97a7d1b5f64aad524de9f1cb71065b9faacaf97063a1c8e9beb3f0a2c3c3a5967b528e90484acd5d0a58e248ea70ba259256474df1318f1b37d7855e6490a87

Download Submit
C:\dllnetcommon\nksvCU.vbe

Filesize
202B

MD5
db1cd14e32e7c320993c766da747dd0a

SHA1
61772de5539a68e9efcd8a8e4fb838bfc5a41dc8

SHA256
3f81eb984aae8c8a80bd55857f05c9d83b3983968c82c5548dee13cbd9c93a0e

SHA512
85a9aed69fc747f19971f603b48e64706aa1740f7648ec1798c2ff534a102551b00a921fde27684fb0c63c7c795c6b3c76fc8ddd969a61faf4efee9185a47c29

Download Submit
memory/3680-12-0x00007FFDE42B3000-0x00007FFDE42B5000-memory.dmp

Filesize
8KB

Download
memory/3680-13-0x00000000003B0000-0x00000000004D6000-memory.dmp

Filesize
1.1MB

Download
memory/3680-14-0x0000000000CB0000-0x0000000000CCC000-memory.dmp

Filesize
112KB

Download
memory/3680-15-0x000000001B7C0000-0x000000001B810000-memory.dmp

Filesize
320KB

Download
memory/3680-16-0x000000001B210000-0x000000001B226000-memory.dmp

Filesize
88KB

Download