dcrat | 8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955

Analysis

max time kernel
23s
max time network
24s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-11-2024 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
Size

1.5MB
MD5

8f7fa3b34b52d77c923711a5b6510df0
SHA1

171914ec44b3bb7062f5b21bf5f628c9c1aa2b48
SHA256

8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955
SHA512

68d82717828e8ed1598e8599c39b0898bd7f4a11fadf232e5cc58ffd21028fa61ac351f0dc9135ecbe7a42758ec301a73ac4c06c3c3678c7ecb0d2837a756d63
SSDEEP

24576:0eaMajUi+6C+mDjn7gbkFaSH7Wu4mIWGE1Sy/fBEXTHhaTEEER71RM4I13:0eaj9bHmMbkBHVdGE1Sy/ujhaIh+1

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2700	schtasks.exe	30

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2508-1-0x0000000000310000-0x000000000049E000-memory.dmp	dcrat
behavioral1/files/0x000500000001927a-26.dat	dcrat
behavioral1/files/0x000b00000001938e-115.dat	dcrat
behavioral1/memory/1660-199-0x00000000003E0000-0x000000000056E000-memory.dmp	dcrat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe

Executes dropped EXE 1 IoCs

pid	Process
1660	wininit.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\RCXAEEE.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\RCXB76E.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCXB972.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File created	C:\Program Files\7-Zip\Lang\OSPPSVC.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXAEED.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\886983d96e3d3e	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\OSPPSVC.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\RCXB0F3.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\explorer.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXB569.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\OSPPSVC.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File created	C:\Program Files\Windows Defender\en-US\7a0fd90576e088	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\OSPPSVC.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\1610b97d3ab4a7	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXB56A.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\RCXB76D.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\24dbde2999530e	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\RCXB0F2.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCXB973.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File created	C:\Program Files\7-Zip\Lang\1610b97d3ab4a7	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File created	C:\Program Files\Windows Defender\en-US\explorer.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\ModemLogs\wininit.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File created	C:\Windows\Cursors\Idle.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File created	C:\Windows\AppCompat\Programs\Idle.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Windows\ModemLogs\RCXACE9.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Windows\Cursors\RCXB2F7.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Windows\AppCompat\Programs\RCXBF81.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Windows\AppCompat\Programs\Idle.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File created	C:\Windows\ModemLogs\56085415360792	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Windows\ModemLogs\RCXACE8.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Windows\Cursors\RCXB365.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File created	C:\Windows\Cursors\6ccacd8608530f	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File created	C:\Windows\AppCompat\Programs\6ccacd8608530f	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Windows\ModemLogs\wininit.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Windows\Cursors\Idle.exe	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
File opened for modification	C:\Windows\AppCompat\Programs\RCXBF82.tmp	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2712	schtasks.exe
2356	schtasks.exe
2616	schtasks.exe
1924	schtasks.exe
1696	schtasks.exe
2948	schtasks.exe
1724	schtasks.exe
2996	schtasks.exe
2768	schtasks.exe
620	schtasks.exe
2084	schtasks.exe
3044	schtasks.exe
1728	schtasks.exe
2116	schtasks.exe
2136	schtasks.exe
2848	schtasks.exe
2852	schtasks.exe
2864	schtasks.exe
2360	schtasks.exe
1364	schtasks.exe
2388	schtasks.exe
1960	schtasks.exe
2988	schtasks.exe
768	schtasks.exe
2432	schtasks.exe
2324	schtasks.exe
1740	schtasks.exe
2068	schtasks.exe
2600	schtasks.exe
1744	schtasks.exe
2920	schtasks.exe
1672	schtasks.exe
2748	schtasks.exe
2648	schtasks.exe
2912	schtasks.exe
2908	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
1660	wininit.exe
1660	wininit.exe
1660	wininit.exe
1660	wininit.exe
1660	wininit.exe
1660	wininit.exe
1660	wininit.exe
1660	wininit.exe
1660	wininit.exe
1660	wininit.exe
1660	wininit.exe
1660	wininit.exe
1660	wininit.exe
1660	wininit.exe
1660	wininit.exe
1660	wininit.exe
1660	wininit.exe
1660	wininit.exe
1660	wininit.exe
1660	wininit.exe
1660	wininit.exe
1660	wininit.exe
1660	wininit.exe
1660	wininit.exe
1660	wininit.exe
1660	wininit.exe
1660	wininit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
Token: SeDebugPrivilege	1660	wininit.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2308	2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe	67
PID 2508 wrote to memory of 2308	2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe	67
PID 2508 wrote to memory of 2308	2508	8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe	67
PID 2308 wrote to memory of 2820	2308	cmd.exe	69
PID 2308 wrote to memory of 2820	2308	cmd.exe	69
PID 2308 wrote to memory of 2820	2308	cmd.exe	69
PID 2308 wrote to memory of 1660	2308	cmd.exe	71
PID 2308 wrote to memory of 1660	2308	cmd.exe	71
PID 2308 wrote to memory of 1660	2308	cmd.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe
"C:\Users\Admin\AppData\Local\Temp\8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955N.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rSnsL5gcFm.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2820
- - C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe
    "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\ModemLogs\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ModemLogs\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\ModemLogs\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\en-US\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\Cursors\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Cursors\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Cursors\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\AppCompat\Programs\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\AppCompat\Programs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Defender\en-US\explorer.exe

Filesize
1.5MB

MD5
8f7fa3b34b52d77c923711a5b6510df0

SHA1
171914ec44b3bb7062f5b21bf5f628c9c1aa2b48

SHA256
8f1fc87e97923cc9f810b0893e2742c277992b6ca29f9a79e66c8f3938de5955

SHA512
68d82717828e8ed1598e8599c39b0898bd7f4a11fadf232e5cc58ffd21028fa61ac351f0dc9135ecbe7a42758ec301a73ac4c06c3c3678c7ecb0d2837a756d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\rSnsL5gcFm.bat

Filesize
239B

MD5
20b561feeb9de8ec68de81da4dfb62b9

SHA1
4d8bc81c4f773f2652773f90dfcc51f4b81b75ad

SHA256
d0acbff83eba85ed11c051175b23ca044fd9388ea891b818b5df4f762aba4fff

SHA512
09a7a50166d13ef5cc072ce40bf7a448fdb1d0bd81f3024dcf8be1516cdd4aca5f7e9d5432754e71b09e6552f54bfc79adaa3e2fdab1d75e530b2b325292fc56

Download Submit
C:\Windows\Cursors\Idle.exe

Filesize
1.5MB

MD5
486dc33f34ee637efa5ab5265507089e

SHA1
00c55a6c0f468c17c2b1e3aa99f2d20fd8302b74

SHA256
243c57c5f8e5341b9ac607adad28417fe389a607d5f3e396a66a97597de85f14

SHA512
bccf860bf90eabb4430c97054127ec8ffc0c439c5bc619698ba3e81283c4599f12653d565880bb8f96724d56b17ba5d3ef4f24a7b659d87370479c9b7f43fbe3

Download Submit
memory/1660-199-0x00000000003E0000-0x000000000056E000-memory.dmp

Filesize
1.6MB

Download
memory/2508-10-0x0000000000650000-0x0000000000658000-memory.dmp

Filesize
32KB

Download
memory/2508-13-0x0000000000670000-0x0000000000678000-memory.dmp

Filesize
32KB

Download
memory/2508-6-0x0000000000630000-0x0000000000646000-memory.dmp

Filesize
88KB

Download
memory/2508-7-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/2508-8-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/2508-11-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/2508-0-0x000007FEF53E3000-0x000007FEF53E4000-memory.dmp

Filesize
4KB

Download
memory/2508-12-0x0000000000680000-0x000000000068E000-memory.dmp

Filesize
56KB

Download
memory/2508-14-0x0000000000810000-0x000000000081C000-memory.dmp

Filesize
48KB

Download
memory/2508-4-0x00000000002E0000-0x00000000002E8000-memory.dmp

Filesize
32KB

Download
memory/2508-15-0x0000000000820000-0x0000000000828000-memory.dmp

Filesize
32KB

Download
memory/2508-16-0x0000000002170000-0x000000000217A000-memory.dmp

Filesize
40KB

Download
memory/2508-18-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2508-5-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2508-3-0x00000000002C0000-0x00000000002DC000-memory.dmp

Filesize
112KB

Download
memory/2508-189-0x000007FEF53E3000-0x000007FEF53E4000-memory.dmp

Filesize
4KB

Download
memory/2508-195-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2508-2-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2508-1-0x0000000000310000-0x000000000049E000-memory.dmp

Filesize
1.6MB

Download