dcrat | d7917a55c255297286aacb020baf7e7fcd6acb4a0d380e4cb3d50e50e90593b0

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2024, 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NeverLoseCrackbyLick0_.exe
Size

2.8MB
MD5

3687f8b8c673eb5541ed071b708dc5a5
SHA1

e019bc82b0fd67875615673c0ac07013962077af
SHA256

d7917a55c255297286aacb020baf7e7fcd6acb4a0d380e4cb3d50e50e90593b0
SHA512

510c3298b7dfaa02657dcec9ab63ef3eac6d15a9b946daff7d07ab840ef8331531a90b1873fe37f9c694c6d5ff88216c5d4e81b9b7db08eb51fd8da1aae7931f
SSDEEP

49152:MbA3Q4etyON8AHfj+roH3t1Um1K7gAV2Oinx8WL8+oGidW6:MbXnyBroXts7NyxlZD6

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3812	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3716	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3308	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4084	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3956	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2112	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2112	schtasks.exe	97

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b95-20.dat	dcrat
behavioral2/memory/432-22-0x0000000000410000-0x000000000068E000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	NeverLoseCrackbyLick0_.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	ComSurrogateDriver.exe

Executes dropped EXE 2 IoCs

pid	Process
432	ComSurrogateDriver.exe
1536	spoolsv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
19	pastebin.com
20	pastebin.com

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Security\eddb19405b7ce1	ComSurrogateDriver.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\backgroundTaskHost.exe	ComSurrogateDriver.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\eddb19405b7ce1	ComSurrogateDriver.exe
File created	C:\Program Files\Internet Explorer\images\5940a34987c991	ComSurrogateDriver.exe
File created	C:\Program Files\Windows Security\backgroundTaskHost.exe	ComSurrogateDriver.exe
File created	C:\Program Files\Windows NT\Accessories\explorer.exe	ComSurrogateDriver.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\backgroundTaskHost.exe	ComSurrogateDriver.exe
File created	C:\Program Files\Internet Explorer\ja-JP\spoolsv.exe	ComSurrogateDriver.exe
File created	C:\Program Files\Internet Explorer\ja-JP\f3b6ecef712a24	ComSurrogateDriver.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\eddb19405b7ce1	ComSurrogateDriver.exe
File created	C:\Program Files\Windows NT\Accessories\7a0fd90576e088	ComSurrogateDriver.exe
File created	C:\Program Files\Windows Multimedia Platform\ee2ad38f3d4382	ComSurrogateDriver.exe
File created	C:\Program Files\Windows Multimedia Platform\Registry.exe	ComSurrogateDriver.exe
File created	C:\Program Files\Internet Explorer\images\dllhost.exe	ComSurrogateDriver.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\wininit.exe	ComSurrogateDriver.exe
File opened for modification	C:\Windows\L2Schemas\wininit.exe	ComSurrogateDriver.exe
File created	C:\Windows\L2Schemas\56085415360792	ComSurrogateDriver.exe
File created	C:\Windows\PrintDialog\Assets\dwm.exe	ComSurrogateDriver.exe
File created	C:\Windows\PrintDialog\Assets\6cb0b6c459d5d3	ComSurrogateDriver.exe
File created	C:\Windows\GameBarPresenceWriter\fontdrvhost.exe	ComSurrogateDriver.exe
File created	C:\Windows\GameBarPresenceWriter\5b884080fd4f94	ComSurrogateDriver.exe
File created	C:\Windows\CSC\unsecapp.exe	ComSurrogateDriver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NeverLoseCrackbyLick0_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3556	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	NeverLoseCrackbyLick0_.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4176	schtasks.exe
3200	schtasks.exe
1804	schtasks.exe
2624	schtasks.exe
4844	schtasks.exe
2716	schtasks.exe
1420	schtasks.exe
2600	schtasks.exe
4140	schtasks.exe
4224	schtasks.exe
2612	schtasks.exe
1972	schtasks.exe
1344	schtasks.exe
2712	schtasks.exe
532	schtasks.exe
908	schtasks.exe
1268	schtasks.exe
3424	schtasks.exe
1160	schtasks.exe
1208	schtasks.exe
2068	schtasks.exe
1216	schtasks.exe
2012	schtasks.exe
860	schtasks.exe
3596	schtasks.exe
4644	schtasks.exe
2120	schtasks.exe
1900	schtasks.exe
372	schtasks.exe
2536	schtasks.exe
3308	schtasks.exe
3136	schtasks.exe
3996	schtasks.exe
1752	schtasks.exe
3916	schtasks.exe
2004	schtasks.exe
1020	schtasks.exe
3716	schtasks.exe
4516	schtasks.exe
3948	schtasks.exe
2464	schtasks.exe
3956	schtasks.exe
4480	schtasks.exe
3612	schtasks.exe
3812	schtasks.exe
1600	schtasks.exe
4084	schtasks.exe
2460	schtasks.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
432	ComSurrogateDriver.exe
432	ComSurrogateDriver.exe
432	ComSurrogateDriver.exe
432	ComSurrogateDriver.exe
432	ComSurrogateDriver.exe
432	ComSurrogateDriver.exe
432	ComSurrogateDriver.exe
432	ComSurrogateDriver.exe
432	ComSurrogateDriver.exe
432	ComSurrogateDriver.exe
432	ComSurrogateDriver.exe
432	ComSurrogateDriver.exe
432	ComSurrogateDriver.exe
432	ComSurrogateDriver.exe
432	ComSurrogateDriver.exe
432	ComSurrogateDriver.exe
432	ComSurrogateDriver.exe
432	ComSurrogateDriver.exe
432	ComSurrogateDriver.exe
432	ComSurrogateDriver.exe
432	ComSurrogateDriver.exe
432	ComSurrogateDriver.exe
432	ComSurrogateDriver.exe
432	ComSurrogateDriver.exe
1536	spoolsv.exe
1536	spoolsv.exe
1536	spoolsv.exe
1536	spoolsv.exe
1536	spoolsv.exe
1536	spoolsv.exe
1536	spoolsv.exe
1536	spoolsv.exe
1536	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	432	ComSurrogateDriver.exe
Token: SeDebugPrivilege	1536	spoolsv.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 1104	4548	NeverLoseCrackbyLick0_.exe	84
PID 4548 wrote to memory of 1104	4548	NeverLoseCrackbyLick0_.exe	84
PID 4548 wrote to memory of 1104	4548	NeverLoseCrackbyLick0_.exe	84
PID 4548 wrote to memory of 4032	4548	NeverLoseCrackbyLick0_.exe	85
PID 4548 wrote to memory of 4032	4548	NeverLoseCrackbyLick0_.exe	85
PID 4548 wrote to memory of 4032	4548	NeverLoseCrackbyLick0_.exe	85
PID 4548 wrote to memory of 2292	4548	NeverLoseCrackbyLick0_.exe	86
PID 4548 wrote to memory of 2292	4548	NeverLoseCrackbyLick0_.exe	86
PID 4548 wrote to memory of 2292	4548	NeverLoseCrackbyLick0_.exe	86
PID 2292 wrote to memory of 876	2292	cmd.exe	90
PID 2292 wrote to memory of 876	2292	cmd.exe	90
PID 2292 wrote to memory of 876	2292	cmd.exe	90
PID 876 wrote to memory of 3556	876	cmd.exe	91
PID 876 wrote to memory of 3556	876	cmd.exe	91
PID 876 wrote to memory of 3556	876	cmd.exe	91
PID 1104 wrote to memory of 4404	1104	WScript.exe	94
PID 1104 wrote to memory of 4404	1104	WScript.exe	94
PID 1104 wrote to memory of 4404	1104	WScript.exe	94
PID 4404 wrote to memory of 432	4404	cmd.exe	96
PID 4404 wrote to memory of 432	4404	cmd.exe	96
PID 432 wrote to memory of 1536	432	ComSurrogateDriver.exe	146
PID 432 wrote to memory of 1536	432	ComSurrogateDriver.exe	146

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NeverLoseCrackbyLick0_.exe
"C:\Users\Admin\AppData\Local\Temp\NeverLoseCrackbyLick0_.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\serversvc\sIICU.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\serversvc\298xPTUK2eRUsguC.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4404
  - - C:\serversvc\ComSurrogateDriver.exe
      "C:\serversvc\ComSurrogateDriver.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:432
    - - C:\Program Files\Internet Explorer\ja-JP\spoolsv.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\spoolsv.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\serversvc\file.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\serversvc\6fZxXCAdox3DydUlVNG.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c "taskkill steam.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:876
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill steam.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\L2Schemas\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\serversvc\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\serversvc\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\serversvc\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\serversvc\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\serversvc\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\serversvc\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComSurrogateDriverC" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\ComSurrogateDriver.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComSurrogateDriver" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\ComSurrogateDriver.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComSurrogateDriverC" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\ComSurrogateDriver.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\PrintDialog\Assets\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\PrintDialog\Assets\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\PrintDialog\Assets\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\serversvc\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\serversvc\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\serversvc\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\GameBarPresenceWriter\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\GameBarPresenceWriter\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\ja-JP\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Packages\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Packages\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Packages\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\images\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\images\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\serversvc\298xPTUK2eRUsguC.bat

Filesize
37B

MD5
a70ef85524a8291a64f86473a3613666

SHA1
9e2180e5f09e71abd13437f8e63a74185ed20499

SHA256
ccfa63116a2ee95a473c3ca843c343bdd87cfdeae691f7e12a0938a1fc09f042

SHA512
b07dea6d2cb1acc057dddacf1e573d9f585ae72750ffd828e2b381f63896976f2803ea641a6ef63fe24c7e8279eb345fe03699a88a646796082899f6fa928d70

Download Submit
C:\serversvc\6fZxXCAdox3DydUlVNG.bat

Filesize
31B

MD5
f1eb57101ab533a9731d52e4debfad4d

SHA1
b80cc75fb2cf7753b6f7c5eaa6b3dc2eaf0148b5

SHA256
bea282aa18f6fcd9bfc765cb251970ff97d8e41b816b37c2b987c2c98f28faf4

SHA512
bb5658658e6dfad7b7a0b94db207e516301c37f44c8fd5d2578bda49147e15fe5e147cb10733a37fb5e7f4c1cad9cfd9faadae97665e26f19c29b36be68efe1d

Download Submit
C:\serversvc\ComSurrogateDriver.exe

Filesize
2.5MB

MD5
8514467d2a5a3ae542fe6eecb6348d37

SHA1
81c9ba0dc68733af3bee7fae15a8eaca611d7fda

SHA256
b09d9c56ffffde85a3bb698240009cb131081b5333b6cfc3259e2b4279b7d61e

SHA512
ad91fc9289b3f598e3d68b797352deca4cb127f4c067d8154664d59037ba95a04928c7d18b22829a0b882ed50f3be5d43b51ca481a646e106db2ee847f0f0b63

Download Submit
C:\serversvc\file.vbs

Filesize
68B

MD5
e4b3857b04ed328ff4d2dd8b3b2382b5

SHA1
f30ee596d1210f776c8090425c95489a460befe1

SHA256
b198539bee398529b541f7b3f4f1d6d5f93103ca222f86e6c89941404a8fb780

SHA512
c2337323196722f645150eecaeb37ccf982632bf92863f9f24d6360d6315845883eacef0aeb30daa361a6379ec915bfc4526e7a6516176900450110da3a4895a

Download Submit
C:\serversvc\sIICU.vbe

Filesize
202B

MD5
6046e28a669b5a57f93afa3094762ecd

SHA1
56e4ee7ce81fbf9a89fa0416623fca553714bbfa

SHA256
7a2ac0e099cf62742abcd928cdb904851546ceebab077a9f5004e735d53a27a9

SHA512
55d0a0c691dd0d09c19b78cd4b966b33aaefdb382e8f9c40375e95774cd36edc65bc810585a68276739c2ba100e2123c704bbb794ef0c5a9b61ffaff573f5ffb

Download Submit
memory/432-22-0x0000000000410000-0x000000000068E000-memory.dmp

Filesize
2.5MB

Download
memory/1536-66-0x000000001D140000-0x000000001D2E9000-memory.dmp

Filesize
1.7MB

Download