dcrat | 05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077

Analysis

max time kernel
130s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-11-2024 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WebReview.exe
Size

828KB
MD5

deb7ba77dcf2e54fb23d1a9b0e51088d
SHA1

6468abad160c22594fc014d948963ba4a8565074
SHA256

05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077
SHA512

18cedb50ceab47fed77100586bbb68692d82e4d3afe59815e0fb0d7c88677362756d2bcdc3003f0e6e1b2a3edff36ac450a9864d4d64ef5218612bc86e538de2
SSDEEP

12288:GKLmyuewe+aR5pDIBqIBpoAmxkPnGZKYKvwdUyBWwKoX6t:GoBuQ+I5p5qpLhu33BWwXqt

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2264	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	2264	schtasks.exe	28

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2292-1-0x00000000008B0000-0x0000000000986000-memory.dmp	dcrat
behavioral1/files/0x0006000000015f4e-11.dat	dcrat
behavioral1/memory/1000-41-0x00000000013B0000-0x0000000001486000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

lsass.exe

pid	Process
1000	lsass.exe

Drops file in Program Files directory 19 IoCs

Processes:

WebReview.exe

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\dwm.exe	WebReview.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe	WebReview.exe
File created	C:\Program Files\Windows Defender\69ddcba757bf72	WebReview.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\7a0fd90576e088	WebReview.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\lsm.exe	WebReview.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\5940a34987c991	WebReview.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\6cb0b6c459d5d3	WebReview.exe
File created	C:\Program Files\Windows Defender\smss.exe	WebReview.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\explorer.exe	WebReview.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\101b941d020240	WebReview.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\6203df4a6bafc7	WebReview.exe
File created	C:\Program Files\Google\Chrome\dllhost.exe	WebReview.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\27d1bcfc3c54e0	WebReview.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\dllhost.exe	WebReview.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\explorer.exe	WebReview.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\7a0fd90576e088	WebReview.exe
File opened for modification	C:\Program Files\Windows Defender\smss.exe	WebReview.exe
File created	C:\Program Files\Google\Chrome\5940a34987c991	WebReview.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\System.exe	WebReview.exe

Drops file in Windows directory 6 IoCs

Processes:

WebReview.exe

description	ioc	Process
File created	C:\Windows\SchCache\Idle.exe	WebReview.exe
File created	C:\Windows\SchCache\6ccacd8608530f	WebReview.exe
File created	C:\Windows\inf\MSDTC\services.exe	WebReview.exe
File created	C:\Windows\inf\MSDTC\c5b4cb5e9653cc	WebReview.exe
File created	C:\Windows\Microsoft.NET\authman\dllhost.exe	WebReview.exe
File created	C:\Windows\Microsoft.NET\authman\5940a34987c991	WebReview.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
1032	schtasks.exe
2108	schtasks.exe
2632	schtasks.exe
2992	schtasks.exe
2600	schtasks.exe
1020	schtasks.exe
2216	schtasks.exe
684	schtasks.exe
3036	schtasks.exe
1888	schtasks.exe
1512	schtasks.exe
2028	schtasks.exe
3052	schtasks.exe
2592	schtasks.exe
1880	schtasks.exe
2532	schtasks.exe
2500	schtasks.exe
484	schtasks.exe
536	schtasks.exe
884	schtasks.exe
1856	schtasks.exe
2008	schtasks.exe
2896	schtasks.exe
2528	schtasks.exe
2396	schtasks.exe
1168	schtasks.exe
1452	schtasks.exe
2868	schtasks.exe
2968	schtasks.exe
1148	schtasks.exe
2300	schtasks.exe
2224	schtasks.exe
2700	schtasks.exe
1740	schtasks.exe
996	schtasks.exe
2664	schtasks.exe
1628	schtasks.exe
868	schtasks.exe
820	schtasks.exe
2016	schtasks.exe
2712	schtasks.exe
1284	schtasks.exe
2004	schtasks.exe
2876	schtasks.exe
2972	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

WebReview.exelsass.exe

pid	Process
2292	WebReview.exe
1000	lsass.exe
1000	lsass.exe
1000	lsass.exe
1000	lsass.exe
1000	lsass.exe
1000	lsass.exe
1000	lsass.exe
1000	lsass.exe
1000	lsass.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

lsass.exe

pid	Process
1000	lsass.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WebReview.exelsass.exe

description	pid	Process
Token: SeDebugPrivilege	2292	WebReview.exe
Token: SeDebugPrivilege	1000	lsass.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

WebReview.execmd.exe

description	pid	Process	procid_target
PID 2292 wrote to memory of 1268	2292	WebReview.exe	74
PID 2292 wrote to memory of 1268	2292	WebReview.exe	74
PID 2292 wrote to memory of 1268	2292	WebReview.exe	74
PID 1268 wrote to memory of 1804	1268	cmd.exe	76
PID 1268 wrote to memory of 1804	1268	cmd.exe	76
PID 1268 wrote to memory of 1804	1268	cmd.exe	76
PID 1268 wrote to memory of 1000	1268	cmd.exe	77
PID 1268 wrote to memory of 1000	1268	cmd.exe	77
PID 1268 wrote to memory of 1000	1268	cmd.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\WebReview.exe
"C:\Users\Admin\AppData\Local\Temp\WebReview.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TSY2hOxIBJ.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1804
- - C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe
    "C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Microsoft.NET\authman\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\authman\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Microsoft.NET\authman\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\en-US\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Contacts\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Contacts\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\SchCache\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\SchCache\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\SchCache\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\inf\MSDTC\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\inf\MSDTC\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\inf\MSDTC\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TSY2hOxIBJ.bat

Filesize
222B

MD5
8877df3297ff60c1a3b8bdd7443b2c4d

SHA1
ea4ffd2ff82039174a610f25d3edea731093dae7

SHA256
9a6476b8e218fe0699207c94b8fbc69631f102f120e1002eddc543cc5b362973

SHA512
1eb1d916a25b9833eb7f95c0a0327ef2b1a2f2506d0759ad2f9c320ebdab7f026697bbf4fb2b48d83b04af126783a28ce5a2ff5b75da285438b5c15feb95a698

Download Submit
C:\Windows\Microsoft.NET\authman\dllhost.exe

Filesize
828KB

MD5
deb7ba77dcf2e54fb23d1a9b0e51088d

SHA1
6468abad160c22594fc014d948963ba4a8565074

SHA256
05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077

SHA512
18cedb50ceab47fed77100586bbb68692d82e4d3afe59815e0fb0d7c88677362756d2bcdc3003f0e6e1b2a3edff36ac450a9864d4d64ef5218612bc86e538de2

Download Submit
memory/1000-41-0x00000000013B0000-0x0000000001486000-memory.dmp

Filesize
856KB

Download
memory/2292-0-0x000007FEF5FB3000-0x000007FEF5FB4000-memory.dmp

Filesize
4KB

Download
memory/2292-1-0x00000000008B0000-0x0000000000986000-memory.dmp

Filesize
856KB

Download
memory/2292-2-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2292-37-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download