dcrat | 49691df1941f383a519f87b72d504014b93e45bbf5de5fadf2b46e9f7d3a942b

Analysis

max time kernel
148s
max time network
144s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

076d90a3d6aea27339df2f4eec47e392.exe
Size

2.6MB
MD5

076d90a3d6aea27339df2f4eec47e392
SHA1

7647815357cd0c3138a93d814793508d2a112250
SHA256

49691df1941f383a519f87b72d504014b93e45bbf5de5fadf2b46e9f7d3a942b
SHA512

56f26340fae318934ad10dddf7d80f19088e700dd8d1474a04ea8432f47825d603a72114c02a241b8e8af297bba1a0c879daca701137aef0751c967bd02ecb6e
SSDEEP

49152:ubA3jJYqk9Fzi1PwHR0aSyOZv6TpFkKM1dvFo8drtnJrk2HrC:uboy9FzZSlhEg/1dvFNtn62W

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2560	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2560	schtasks.exe	33

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016cec-14.dat	dcrat
behavioral1/memory/2620-18-0x00000000000E0000-0x0000000000332000-memory.dmp	dcrat
behavioral1/memory/2672-43-0x0000000000040000-0x0000000000292000-memory.dmp	dcrat
behavioral1/memory/2148-51-0x0000000001240000-0x0000000001492000-memory.dmp	dcrat

Executes dropped EXE 11 IoCs

pid	Process
2620	ntoskrnl.exe
2672	spoolsv.exe
2148	spoolsv.exe
2472	spoolsv.exe
2036	spoolsv.exe
1944	spoolsv.exe
2772	spoolsv.exe
2068	spoolsv.exe
1272	spoolsv.exe
2348	spoolsv.exe
2520	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
2920	cmd.exe
2920	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com
3	pastebin.com
4	pastebin.com
7	pastebin.com
8	pastebin.com
11	pastebin.com
5	pastebin.com
6	pastebin.com
9	pastebin.com
10	pastebin.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\services.exe	ntoskrnl.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\csrss.exe	ntoskrnl.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\886983d96e3d3e	ntoskrnl.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe	ntoskrnl.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\101b941d020240	ntoskrnl.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\59e9c5f2f94833	ntoskrnl.exe
File created	C:\Windows\Speech\Engines\Idle.exe	ntoskrnl.exe
File created	C:\Windows\Speech\Engines\6ccacd8608530f	ntoskrnl.exe
File created	C:\Windows\Logs\DISM\spoolsv.exe	ntoskrnl.exe
File created	C:\Windows\Logs\DISM\f3b6ecef712a24	ntoskrnl.exe
File created	C:\Windows\Tasks\ntoskrnl.exe	ntoskrnl.exe
File opened for modification	C:\Windows\Tasks\ntoskrnl.exe	ntoskrnl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2004	schtasks.exe
588	schtasks.exe
1176	schtasks.exe
3000	schtasks.exe
1788	schtasks.exe
2976	schtasks.exe
2808	schtasks.exe
1268	schtasks.exe
948	schtasks.exe
1680	schtasks.exe
1032	schtasks.exe
1720	schtasks.exe
2572	schtasks.exe
2372	schtasks.exe
2676	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2620	ntoskrnl.exe
2672	spoolsv.exe
2148	spoolsv.exe
2472	spoolsv.exe
2036	spoolsv.exe
1944	spoolsv.exe
2772	spoolsv.exe
2068	spoolsv.exe
1272	spoolsv.exe
2348	spoolsv.exe
2520	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2620	ntoskrnl.exe
Token: SeDebugPrivilege	2672	spoolsv.exe
Token: SeDebugPrivilege	2148	spoolsv.exe
Token: SeDebugPrivilege	2472	spoolsv.exe
Token: SeDebugPrivilege	2036	spoolsv.exe
Token: SeDebugPrivilege	1944	spoolsv.exe
Token: SeDebugPrivilege	2772	spoolsv.exe
Token: SeDebugPrivilege	2068	spoolsv.exe
Token: SeDebugPrivilege	1272	spoolsv.exe
Token: SeDebugPrivilege	2348	spoolsv.exe
Token: SeDebugPrivilege	2520	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2280	2216	076d90a3d6aea27339df2f4eec47e392.exe	28
PID 2216 wrote to memory of 2280	2216	076d90a3d6aea27339df2f4eec47e392.exe	28
PID 2216 wrote to memory of 2280	2216	076d90a3d6aea27339df2f4eec47e392.exe	28
PID 2216 wrote to memory of 2280	2216	076d90a3d6aea27339df2f4eec47e392.exe	28
PID 2216 wrote to memory of 1560	2216	076d90a3d6aea27339df2f4eec47e392.exe	29
PID 2216 wrote to memory of 1560	2216	076d90a3d6aea27339df2f4eec47e392.exe	29
PID 2216 wrote to memory of 1560	2216	076d90a3d6aea27339df2f4eec47e392.exe	29
PID 2216 wrote to memory of 1560	2216	076d90a3d6aea27339df2f4eec47e392.exe	29
PID 2280 wrote to memory of 2920	2280	WScript.exe	30
PID 2280 wrote to memory of 2920	2280	WScript.exe	30
PID 2280 wrote to memory of 2920	2280	WScript.exe	30
PID 2280 wrote to memory of 2920	2280	WScript.exe	30
PID 2920 wrote to memory of 2620	2920	cmd.exe	32
PID 2920 wrote to memory of 2620	2920	cmd.exe	32
PID 2920 wrote to memory of 2620	2920	cmd.exe	32
PID 2920 wrote to memory of 2620	2920	cmd.exe	32
PID 2620 wrote to memory of 2168	2620	ntoskrnl.exe	49
PID 2620 wrote to memory of 2168	2620	ntoskrnl.exe	49
PID 2620 wrote to memory of 2168	2620	ntoskrnl.exe	49
PID 2168 wrote to memory of 2316	2168	cmd.exe	51
PID 2168 wrote to memory of 2316	2168	cmd.exe	51
PID 2168 wrote to memory of 2316	2168	cmd.exe	51
PID 2168 wrote to memory of 2672	2168	cmd.exe	52
PID 2168 wrote to memory of 2672	2168	cmd.exe	52
PID 2168 wrote to memory of 2672	2168	cmd.exe	52
PID 2672 wrote to memory of 2300	2672	spoolsv.exe	53
PID 2672 wrote to memory of 2300	2672	spoolsv.exe	53
PID 2672 wrote to memory of 2300	2672	spoolsv.exe	53
PID 2300 wrote to memory of 1736	2300	cmd.exe	55
PID 2300 wrote to memory of 1736	2300	cmd.exe	55
PID 2300 wrote to memory of 1736	2300	cmd.exe	55
PID 2300 wrote to memory of 2148	2300	cmd.exe	58
PID 2300 wrote to memory of 2148	2300	cmd.exe	58
PID 2300 wrote to memory of 2148	2300	cmd.exe	58
PID 2148 wrote to memory of 560	2148	spoolsv.exe	59
PID 2148 wrote to memory of 560	2148	spoolsv.exe	59
PID 2148 wrote to memory of 560	2148	spoolsv.exe	59
PID 560 wrote to memory of 2112	560	cmd.exe	61
PID 560 wrote to memory of 2112	560	cmd.exe	61
PID 560 wrote to memory of 2112	560	cmd.exe	61
PID 560 wrote to memory of 2472	560	cmd.exe	62
PID 560 wrote to memory of 2472	560	cmd.exe	62
PID 560 wrote to memory of 2472	560	cmd.exe	62
PID 2472 wrote to memory of 2164	2472	spoolsv.exe	63
PID 2472 wrote to memory of 2164	2472	spoolsv.exe	63
PID 2472 wrote to memory of 2164	2472	spoolsv.exe	63
PID 2164 wrote to memory of 2276	2164	cmd.exe	65
PID 2164 wrote to memory of 2276	2164	cmd.exe	65
PID 2164 wrote to memory of 2276	2164	cmd.exe	65
PID 2164 wrote to memory of 2036	2164	cmd.exe	66
PID 2164 wrote to memory of 2036	2164	cmd.exe	66
PID 2164 wrote to memory of 2036	2164	cmd.exe	66
PID 2036 wrote to memory of 2664	2036	spoolsv.exe	67
PID 2036 wrote to memory of 2664	2036	spoolsv.exe	67
PID 2036 wrote to memory of 2664	2036	spoolsv.exe	67
PID 2664 wrote to memory of 1188	2664	cmd.exe	69
PID 2664 wrote to memory of 1188	2664	cmd.exe	69
PID 2664 wrote to memory of 1188	2664	cmd.exe	69
PID 2664 wrote to memory of 1944	2664	cmd.exe	70
PID 2664 wrote to memory of 1944	2664	cmd.exe	70
PID 2664 wrote to memory of 1944	2664	cmd.exe	70
PID 1944 wrote to memory of 3032	1944	spoolsv.exe	71
PID 1944 wrote to memory of 3032	1944	spoolsv.exe	71
PID 1944 wrote to memory of 3032	1944	spoolsv.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\076d90a3d6aea27339df2f4eec47e392.exe
"C:\Users\Admin\AppData\Local\Temp\076d90a3d6aea27339df2f4eec47e392.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ntoskrnl\Al42AfNQb.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Roaming\ntoskrnl\VX19BQ0l7b.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Users\Admin\AppData\Roaming\ntoskrnl\ntoskrnl.exe
      "C:\Users\Admin\AppData\Roaming\\ntoskrnl\ntoskrnl.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AqcTTEwq0v.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2168
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2316
      - C:\Windows\Logs\DISM\spoolsv.exe
        
        "C:\Windows\Logs\DISM\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gN51JOWfNX.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1736
        
        C:\Windows\Logs\DISM\spoolsv.exe
        
        "C:\Windows\Logs\DISM\spoolsv.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2112
        
        C:\Windows\Logs\DISM\spoolsv.exe
        
        "C:\Windows\Logs\DISM\spoolsv.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2276
        
        C:\Windows\Logs\DISM\spoolsv.exe
        
        "C:\Windows\Logs\DISM\spoolsv.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QY0o5k1hVk.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1188
        
        C:\Windows\Logs\DISM\spoolsv.exe
        
        "C:\Windows\Logs\DISM\spoolsv.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\djCrJd6RmA.bat"
        15⤵
        
        PID:3032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2832
        
        C:\Windows\Logs\DISM\spoolsv.exe
        
        "C:\Windows\Logs\DISM\spoolsv.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1e6qhBZ49x.bat"
        17⤵
        
        PID:872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1940
        
        C:\Windows\Logs\DISM\spoolsv.exe
        
        "C:\Windows\Logs\DISM\spoolsv.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hc9iMPvVJ4.bat"
        19⤵
        
        PID:108
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:688
        
        C:\Windows\Logs\DISM\spoolsv.exe
        
        "C:\Windows\Logs\DISM\spoolsv.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Oj9OucH8K.bat"
        21⤵
        
        PID:2952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2448
        
        C:\Windows\Logs\DISM\spoolsv.exe
        
        "C:\Windows\Logs\DISM\spoolsv.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrNnSCw4rJ.bat"
        23⤵
        
        PID:2652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2744
        
        C:\Windows\Logs\DISM\spoolsv.exe
        
        "C:\Windows\Logs\DISM\spoolsv.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ntoskrnl\file.vbs"
  2⤵
  PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ntoskrnln" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\ntoskrnl.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ntoskrnl" /sc ONLOGON /tr "'C:\Windows\Tasks\ntoskrnl.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ntoskrnln" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\ntoskrnl.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\Speech\Engines\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\Speech\Engines\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\Logs\DISM\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Logs\DISM\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\Logs\DISM\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1e6qhBZ49x.bat

Filesize
197B

MD5
92c0afa083ab08ee034187969e9b1ba0

SHA1
9314fd29b4fbf17b3f98b5c3389cdd8a5e91a034

SHA256
784f0cede1590d032944994bf4553308ba6a5cbecf4a35418698bf341c1b3078

SHA512
6494ed0aeb7466dee1cf1dfa9ffbc494228bb402bdf827cbfbbd4b250a39994b2e68de829fc2514e75d0dbec2e9d78b644054ea0f4f13085057f04c5221db29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Oj9OucH8K.bat

Filesize
197B

MD5
b4bf8c253354364aec05ceeae28467ff

SHA1
b51816b8973bad954672072e08677cdfb816a68e

SHA256
7fa1f049c7311e9634fda575ae05e4c3cefec4029d5c6a2e5ec481d6971a5d5b

SHA512
2c830e98e42bac2f04317961fe0edc5b27af42f56a6a8152a4d7d5d7126f37cf206e8c019aa8f0fbf2a33ef3ab64309da8a20d6a7ee72e35b433c2127f7e0a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat

Filesize
197B

MD5
9ea2d25de1800387f0cce9b96c797090

SHA1
4880425e8f30bca2eebc3cdde9eaf02005c31a0c

SHA256
8506adc0d12d089d45a8f33f51728b9d31f504353f6b13fb5c86d414a70cd5b3

SHA512
c42805076e23e964b146db2b1e2c341daf78d3cc84fa77bde2c6f76c340d5e17375a913c89629d34aecd7c32187f23fea277a36ab7511986bdb2bbfed3069700

Download Submit
C:\Users\Admin\AppData\Local\Temp\AqcTTEwq0v.bat

Filesize
197B

MD5
8f8669363d347058b5904bd6fa880ccc

SHA1
2630a20f1722935a2c9b073c407473e2b8c62dd0

SHA256
97e6e05948454c6155e7991a8601672737f92de34b99a050867fc57ca9001264

SHA512
50c22ed14bc5e722b530cd1658bc924bc4b09269aa9372bbc4bbf4ec2cdebc3499cab8b0b2834779bb71c85561714cd9449f4695462eccd24c1c22d2784f051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IrNnSCw4rJ.bat

Filesize
197B

MD5
1374a13f4f0221e0020096b8ee77bcef

SHA1
d9db3a057ab5887167516fef077a87306dcb5f52

SHA256
fd2c43722dbb40c04c089e0595f185763023f23aed26080059de15e9b4d38931

SHA512
8210eefda42d9f02c607a6b3ea425c63e973c1251706db436b2b20b23f1c3dee7976dc9aefd55e806399870a1cde243278ce01a244b654ed5d21cc8b3891d942

Download Submit
C:\Users\Admin\AppData\Local\Temp\QY0o5k1hVk.bat

Filesize
197B

MD5
e3a658bff2779ef50afba60db1544b70

SHA1
76d151d5b9453ffc85ed830bca9e757a3569e1fb

SHA256
32cba02bcb545b8e116f11afc2f6a11bbb8a16768a15c7da09758a43ec11694f

SHA512
b9522b6197a59e874526e622c6e8686572733fb6cc48f1022c1ebb9b676492e4094444b970f06294983640bfba11cbeec944951624b0ccafc83600648f77c74f

Download Submit
C:\Users\Admin\AppData\Local\Temp\djCrJd6RmA.bat

Filesize
197B

MD5
c70ac3523d9ca5dad1c81429e572e1d6

SHA1
bfef1b9e9c31c959c150119704c2fda381417d53

SHA256
711b39ad55d2516259b6e4a9e7457b3e2109d72dcfb91ee66e046a517c7fe676

SHA512
390236451718f2605eebd4f8320c60f0df4144193d9effcb0c8eb6b925cb5a14b33092f35b88ae33c0e15bbaac889af698aa0567c3c1b9c0b95b63260a8e8bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\gN51JOWfNX.bat

Filesize
197B

MD5
50dacc861358602ee6e1b2206b7c9487

SHA1
4ecaa7195526659591c6d602f4ca147c40a6f81a

SHA256
4374ee5ca5d41f5588feaa7a96fb731e6664007c1f7f2b62f26a47591de890c8

SHA512
e9641e4a973f70469d6318ba57dfeba856444ed78c79c42cb19e2247729b9b89ed0ec57f5d9effcd6ac34c0f467ccfe7306d92ece5e93ed9a71143daf1cb38d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hc9iMPvVJ4.bat

Filesize
197B

MD5
da80d694d872d0706512e2d7bfad2086

SHA1
062ad06f182f81e304f780a165623ff56fdefc85

SHA256
9687bf66fbd664984310ebef2807ae461fab72737841c5141db6b20e21c0ae65

SHA512
c3364b77ee133000f9bf4009c2e28c4043862ee94e9bc3f06661ba8c0db570708054c28438665d334d1ac46d7a8a4291a7c79fbdae93ab88e37e656ac2df5420

Download Submit
C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat

Filesize
197B

MD5
851ad6746bffd6401b7f379f56ec30d6

SHA1
c08e3fef199f85eeeea52decb853cd38d8bbf655

SHA256
374a8098b81433ecb379307086b4a5d643ab27a4e4db180de344cc9c3857f258

SHA512
cb93ae095051db4381e41cc8a31202e62db4ff8127bc9bb032b74b9232376922dceff0663a6cf01e8f75c48161289f6db58e2f3b74a431373014dd87d0de090c

Download Submit
C:\Users\Admin\AppData\Roaming\ntoskrnl\Al42AfNQb.vbe

Filesize
203B

MD5
ec95986ab8d8cabf6b9d9f4aaa2e3b65

SHA1
90850bba57e9a28ac5b3a23e24847dc1c9718a40

SHA256
40654e35c32851edb432372a5d8c12d97a1d44e93f50e821bf0d1ad84187d2f2

SHA512
20826b954bb2f964207b4dc03baa44f2b62ee6132146e33c300d7c65aa7fe6b143a0312e55091e5178643a8b85e04a76ad5a28ed5cccd4d515db7b60cfa18855

Download Submit
C:\Users\Admin\AppData\Roaming\ntoskrnl\VX19BQ0l7b.bat

Filesize
34B

MD5
b6fca7a84b01b35cc0de3b527c25d652

SHA1
6bc3a099d9f1f5795c74c2354fdd08590142265f

SHA256
ba5e3ca6a095f1ba158f8f8113517d4ed541ffe4a99cc291599c83d058f1e2ed

SHA512
48419e18a3bf97204b4a06639f964c24020a44998ef3ef5aa039e64105434f786a3b45638fd2b614ff59cf0ca17099898e2a32114200437005b97232b90b428b

Download Submit
C:\Users\Admin\AppData\Roaming\ntoskrnl\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
\Users\Admin\AppData\Roaming\ntoskrnl\ntoskrnl.exe

Filesize
2.3MB

MD5
71b622a322078846cdeb8d6359f076d6

SHA1
8e9efaae5cfa9f1a0fcf55d4005c266143661971

SHA256
66683dfb091e28344b0b9bcafb5ccdeea914892360337f340590520863ed284d

SHA512
a208454faac38dc4acd2ae97c367e50111219f222f2ac149256431389403c4c09b5e5edcb76bd6a6d4e5fd85bd5f0b467e7ecbc70b2de2a53b7448765d4c830b

Download Submit
memory/1272-93-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1944-73-0x0000000000370000-0x0000000000382000-memory.dmp

Filesize
72KB

Download
memory/2036-66-0x00000000003F0000-0x0000000000402000-memory.dmp

Filesize
72KB

Download
memory/2068-86-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/2148-51-0x0000000001240000-0x0000000001492000-memory.dmp

Filesize
2.3MB

Download
memory/2148-52-0x0000000000280000-0x0000000000292000-memory.dmp

Filesize
72KB

Download
memory/2348-100-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2472-59-0x0000000000200000-0x0000000000212000-memory.dmp

Filesize
72KB

Download
memory/2620-20-0x0000000000740000-0x0000000000756000-memory.dmp

Filesize
88KB

Download
memory/2620-25-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/2620-24-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2620-23-0x0000000000790000-0x000000000079E000-memory.dmp

Filesize
56KB

Download
memory/2620-22-0x0000000000640000-0x0000000000652000-memory.dmp

Filesize
72KB

Download
memory/2620-21-0x0000000002340000-0x0000000002396000-memory.dmp

Filesize
344KB

Download
memory/2620-19-0x0000000000620000-0x000000000063C000-memory.dmp

Filesize
112KB

Download
memory/2620-18-0x00000000000E0000-0x0000000000332000-memory.dmp

Filesize
2.3MB

Download
memory/2672-43-0x0000000000040000-0x0000000000292000-memory.dmp

Filesize
2.3MB

Download
memory/2672-44-0x0000000000720000-0x0000000000732000-memory.dmp

Filesize
72KB

Download