dcrat | 8b72c7dce8c76cc75eb19390ca84dc43a2c8e47eb627b9894e534be9328e9ecc

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
29-10-2024 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
Size

827KB
MD5

759b333fd8d1eedb5666fdea1da25b25
SHA1

b66fc861196561f793062622b88cdb1065e35459
SHA256

7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e
SHA512

831006157773f5a30dbf07dcbfd484f49a978c077f8e132d33c8e044f8141462bb890c344724b23c3144488c1c406d576b7009c1205772a503ce6cc92692aec3
SSDEEP

12288:M+B2ad7F/Jf2xm1/nNfkOV+0Z3+5DlpAXdet4y5+q:gad7PuxmRn60Zu7xtZp

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 60 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	972	schtasks.exe	31

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2652-1-0x0000000000270000-0x0000000000346000-memory.dmp	dcrat
behavioral1/files/0x000500000001a487-11.dat	dcrat
behavioral1/memory/1120-34-0x0000000000920000-0x00000000009F6000-memory.dmp	dcrat
behavioral1/memory/2336-59-0x0000000000B30000-0x0000000000C06000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

services.exe

pid	Process
2336	services.exe

Drops file in Program Files directory 10 IoCs

Processes:

7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\audiodg.exe	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
File created	C:\Program Files\Windows NT\smss.exe	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
File created	C:\Program Files\Windows NT\69ddcba757bf72	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\services.exe	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\c5b4cb5e9653cc	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
File created	C:\Program Files\Windows Defender\ja-JP\services.exe	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
File created	C:\Program Files\Windows Defender\ja-JP\c5b4cb5e9653cc	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
File created	C:\Program Files\Reference Assemblies\42af1c969fbb7b	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
File created	C:\Program Files\Common Files\SpeechEngines\smss.exe	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
File created	C:\Program Files\Common Files\SpeechEngines\69ddcba757bf72	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe

Drops file in Windows directory 20 IoCs

Processes:

7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe

description	ioc	Process
File created	C:\Windows\LiveKernelReports\1610b97d3ab4a7	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
File created	C:\Windows\Panther\setup.exe\24dbde2999530e	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
File created	C:\Windows\TAPI\taskhost.exe	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
File created	C:\Windows\debug\WIA\7a0fd90576e088	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
File created	C:\Windows\inf\de-DE\69ddcba757bf72	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
File created	C:\Windows\ja-JP\75a57c1bdf437c	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
File created	C:\Windows\TAPI\b75386f1303e64	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
File created	C:\Windows\Registration\CRMLog\27d1bcfc3c54e0	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
File created	C:\Windows\Panther\setup.exe\WmiPrvSE.exe	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\1610b97d3ab4a7	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
File created	C:\Windows\debug\WIA\explorer.exe	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
File created	C:\Windows\inf\de-DE\smss.exe	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
File opened for modification	C:\Windows\TAPI\taskhost.exe	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
File created	C:\Windows\en-US\27d1bcfc3c54e0	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
File created	C:\Windows\Registration\CRMLog\System.exe	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
File created	C:\Windows\LiveKernelReports\OSPPSVC.exe	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
File opened for modification	C:\Windows\Panther\setup.exe\WmiPrvSE.exe	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\OSPPSVC.exe	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
File created	C:\Windows\ja-JP\WMIADAP.exe	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
File created	C:\Windows\en-US\System.exe	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 60 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
1564	schtasks.exe
2024	schtasks.exe
300	schtasks.exe
2536	schtasks.exe
2900	schtasks.exe
2688	schtasks.exe
2240	schtasks.exe
1988	schtasks.exe
988	schtasks.exe
2704	schtasks.exe
1064	schtasks.exe
1924	schtasks.exe
1792	schtasks.exe
2752	schtasks.exe
2184	schtasks.exe
872	schtasks.exe
3052	schtasks.exe
1724	schtasks.exe
1132	schtasks.exe
600	schtasks.exe
1788	schtasks.exe
3000	schtasks.exe
2948	schtasks.exe
1496	schtasks.exe
1584	schtasks.exe
1188	schtasks.exe
2968	schtasks.exe
3012	schtasks.exe
2944	schtasks.exe
1904	schtasks.exe
1636	schtasks.exe
2312	schtasks.exe
2892	schtasks.exe
2140	schtasks.exe
1740	schtasks.exe
2116	schtasks.exe
2684	schtasks.exe
3060	schtasks.exe
2840	schtasks.exe
2300	schtasks.exe
1516	schtasks.exe
2736	schtasks.exe
1648	schtasks.exe
2452	schtasks.exe
2196	schtasks.exe
2988	schtasks.exe
2348	schtasks.exe
2552	schtasks.exe
2068	schtasks.exe
908	schtasks.exe
1344	schtasks.exe
1804	schtasks.exe
2344	schtasks.exe
2304	schtasks.exe
340	schtasks.exe
3004	schtasks.exe
2716	schtasks.exe
1052	schtasks.exe
2872	schtasks.exe
2932	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exeservices.exe

pid	Process
2652	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
1120	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
1120	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
1120	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
1120	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
1120	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
2336	services.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exeservices.exe

description	pid	Process
Token: SeDebugPrivilege	2652	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
Token: SeDebugPrivilege	1120	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
Token: SeDebugPrivilege	2336	services.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.execmd.exe7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe

description	pid	Process	procid_target
PID 2652 wrote to memory of 2020	2652	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe	68
PID 2652 wrote to memory of 2020	2652	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe	68
PID 2652 wrote to memory of 2020	2652	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe	68
PID 2020 wrote to memory of 952	2020	cmd.exe	70
PID 2020 wrote to memory of 952	2020	cmd.exe	70
PID 2020 wrote to memory of 952	2020	cmd.exe	70
PID 2020 wrote to memory of 1120	2020	cmd.exe	71
PID 2020 wrote to memory of 1120	2020	cmd.exe	71
PID 2020 wrote to memory of 1120	2020	cmd.exe	71
PID 1120 wrote to memory of 2336	1120	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe	96
PID 1120 wrote to memory of 2336	1120	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe	96
PID 1120 wrote to memory of 2336	1120	7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
"C:\Users\Admin\AppData\Local\Temp\7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2aNC9mq12B.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:952
- - C:\Users\Admin\AppData\Local\Temp\7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe
    "C:\Users\Admin\AppData\Local\Temp\7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e.exe"
    3⤵
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\services.exe
      "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\services.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\setup.exe\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\Panther\setup.exe\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\ja-JP\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\debug\WIA\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\debug\WIA\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\WIA\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\inf\de-DE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\inf\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\inf\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Windows\ja-JP\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\ja-JP\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Windows\ja-JP\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\SpeechEngines\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Common Files\SpeechEngines\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\SpeechEngines\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\TAPI\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\en-US\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Desktop\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Desktop\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Desktop\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\Registration\CRMLog\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\Registration\CRMLog\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Windows\LiveKernelReports\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Windows\LiveKernelReports\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Defender\ja-JP\services.exe

Filesize
827KB

MD5
759b333fd8d1eedb5666fdea1da25b25

SHA1
b66fc861196561f793062622b88cdb1065e35459

SHA256
7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e

SHA512
831006157773f5a30dbf07dcbfd484f49a978c077f8e132d33c8e044f8141462bb890c344724b23c3144488c1c406d576b7009c1205772a503ce6cc92692aec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2aNC9mq12B.bat

Filesize
267B

MD5
ad85f54783062e7b96c48815935dd0de

SHA1
fb8f0598e91dd37805dbac0bc46b4bdefb955a04

SHA256
67824f8b1d87a14bde554a41fe13be08bb00618cf78b9a888890ab9e4aaf1938

SHA512
6ccd9aa3bcc0db51f36c121690ed0af8091a5b247a0d5e28cdd522f370d76e65c1fa254ec966722141e100e6b3c895c5566d0d1228118bf0c918b7274e1bfa1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9385A.tmp

Filesize
876B

MD5
86d922b361bf41581b0c621785767354

SHA1
1677a6b14f9f4d4cecd38a3f5b5bf1c93bc8e937

SHA256
c9012b430d369b95009e7b1cca8548b1b83feb6c43ec078d598b1c36e735267e

SHA512
9a49bf568b471324f62d46931c1ac0213c9ac237c6f8a0033cbcac0190523a055f099d6fa3a77fbc507fe0e578e1169379a05e35435e09fb4ab666931042bef7

Download Submit
memory/1120-34-0x0000000000920000-0x00000000009F6000-memory.dmp

Filesize
856KB

Download
memory/2336-59-0x0000000000B30000-0x0000000000C06000-memory.dmp

Filesize
856KB

Download
memory/2652-0-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp

Filesize
4KB

Download
memory/2652-1-0x0000000000270000-0x0000000000346000-memory.dmp

Filesize
856KB

Download
memory/2652-2-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2652-33-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download