dcrat | 619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-12-2024 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cheeto.exe
Size

1.8MB
MD5

42b89874d3138f40f32285be945f2ceb
SHA1

1766b4c4a040ba19afc4318e9b2eab775fee88d7
SHA256

619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a
SHA512

df44c7f5677a0b8e181f52b5c865315672b7c90b37f99c3b5e31714bdbb47d32d652073c42f1e614d2911faddc0394411aa3e1b8c3f832549c0d52f409722ca9
SSDEEP

49152:QdBn+oix+Z7vL4tzzQVGVzDd3Omjq+FLof:QdB+jx+Jv6zQVy1FLof

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2784	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2784	schtasks.exe	31

Executes dropped EXE 11 IoCs

pid	Process
2584	wininit.exe
2424	wininit.exe
2496	wininit.exe
2696	wininit.exe
2868	wininit.exe
2628	wininit.exe
2756	wininit.exe
1996	wininit.exe
2424	wininit.exe
1744	wininit.exe
1296	wininit.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\CrashReports\wininit.exe	cheeto.exe
File created	C:\Program Files (x86)\Google\CrashReports\56085415360792	cheeto.exe
File created	C:\Program Files\7-Zip\Lang\dwm.exe	cheeto.exe
File created	C:\Program Files\7-Zip\Lang\6cb0b6c459d5d3	cheeto.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
956	PING.EXE
1616	PING.EXE
2992	PING.EXE
1768	PING.EXE
2340	PING.EXE
2140	PING.EXE
2436	PING.EXE
2576	PING.EXE

Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery

T1018

pid	Process
2340	PING.EXE
2140	PING.EXE
2436	PING.EXE
2576	PING.EXE
956	PING.EXE
1616	PING.EXE
2992	PING.EXE
1768	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1052	schtasks.exe
2708	schtasks.exe
2880	schtasks.exe
1716	schtasks.exe
1156	schtasks.exe
2664	schtasks.exe
1796	schtasks.exe
1308	schtasks.exe
1916	schtasks.exe
1864	schtasks.exe
2840	schtasks.exe
2744	schtasks.exe
108	schtasks.exe
1288	schtasks.exe
884	schtasks.exe
2992	schtasks.exe
2844	schtasks.exe
2636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
320	cheeto.exe
2584	wininit.exe
2584	wininit.exe
2584	wininit.exe
2584	wininit.exe
2584	wininit.exe
2584	wininit.exe
2584	wininit.exe
2584	wininit.exe
2584	wininit.exe
2584	wininit.exe
2584	wininit.exe
2584	wininit.exe
2584	wininit.exe
2584	wininit.exe
2584	wininit.exe
2584	wininit.exe
2584	wininit.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	320	cheeto.exe
Token: SeDebugPrivilege	2584	wininit.exe
Token: SeDebugPrivilege	2424	wininit.exe
Token: SeDebugPrivilege	2496	wininit.exe
Token: SeDebugPrivilege	2696	wininit.exe
Token: SeDebugPrivilege	2868	wininit.exe
Token: SeDebugPrivilege	2628	wininit.exe
Token: SeDebugPrivilege	2756	wininit.exe
Token: SeDebugPrivilege	1996	wininit.exe
Token: SeDebugPrivilege	2424	wininit.exe
Token: SeDebugPrivilege	1744	wininit.exe
Token: SeDebugPrivilege	1296	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 3048	320	cheeto.exe	50
PID 320 wrote to memory of 3048	320	cheeto.exe	50
PID 320 wrote to memory of 3048	320	cheeto.exe	50
PID 3048 wrote to memory of 2084	3048	cmd.exe	52
PID 3048 wrote to memory of 2084	3048	cmd.exe	52
PID 3048 wrote to memory of 2084	3048	cmd.exe	52
PID 3048 wrote to memory of 2180	3048	cmd.exe	53
PID 3048 wrote to memory of 2180	3048	cmd.exe	53
PID 3048 wrote to memory of 2180	3048	cmd.exe	53
PID 3048 wrote to memory of 2584	3048	cmd.exe	55
PID 3048 wrote to memory of 2584	3048	cmd.exe	55
PID 3048 wrote to memory of 2584	3048	cmd.exe	55
PID 2584 wrote to memory of 1868	2584	wininit.exe	56
PID 2584 wrote to memory of 1868	2584	wininit.exe	56
PID 2584 wrote to memory of 1868	2584	wininit.exe	56
PID 1868 wrote to memory of 2176	1868	cmd.exe	58
PID 1868 wrote to memory of 2176	1868	cmd.exe	58
PID 1868 wrote to memory of 2176	1868	cmd.exe	58
PID 1868 wrote to memory of 1984	1868	cmd.exe	59
PID 1868 wrote to memory of 1984	1868	cmd.exe	59
PID 1868 wrote to memory of 1984	1868	cmd.exe	59
PID 1868 wrote to memory of 2424	1868	cmd.exe	60
PID 1868 wrote to memory of 2424	1868	cmd.exe	60
PID 1868 wrote to memory of 2424	1868	cmd.exe	60
PID 2424 wrote to memory of 1552	2424	wininit.exe	61
PID 2424 wrote to memory of 1552	2424	wininit.exe	61
PID 2424 wrote to memory of 1552	2424	wininit.exe	61
PID 1552 wrote to memory of 2568	1552	cmd.exe	63
PID 1552 wrote to memory of 2568	1552	cmd.exe	63
PID 1552 wrote to memory of 2568	1552	cmd.exe	63
PID 1552 wrote to memory of 1768	1552	cmd.exe	64
PID 1552 wrote to memory of 1768	1552	cmd.exe	64
PID 1552 wrote to memory of 1768	1552	cmd.exe	64
PID 1552 wrote to memory of 2496	1552	cmd.exe	65
PID 1552 wrote to memory of 2496	1552	cmd.exe	65
PID 1552 wrote to memory of 2496	1552	cmd.exe	65
PID 2496 wrote to memory of 1600	2496	wininit.exe	66
PID 2496 wrote to memory of 1600	2496	wininit.exe	66
PID 2496 wrote to memory of 1600	2496	wininit.exe	66
PID 1600 wrote to memory of 2688	1600	cmd.exe	68
PID 1600 wrote to memory of 2688	1600	cmd.exe	68
PID 1600 wrote to memory of 2688	1600	cmd.exe	68
PID 1600 wrote to memory of 2340	1600	cmd.exe	69
PID 1600 wrote to memory of 2340	1600	cmd.exe	69
PID 1600 wrote to memory of 2340	1600	cmd.exe	69
PID 1600 wrote to memory of 2696	1600	cmd.exe	70
PID 1600 wrote to memory of 2696	1600	cmd.exe	70
PID 1600 wrote to memory of 2696	1600	cmd.exe	70
PID 2696 wrote to memory of 1704	2696	wininit.exe	71
PID 2696 wrote to memory of 1704	2696	wininit.exe	71
PID 2696 wrote to memory of 1704	2696	wininit.exe	71
PID 1704 wrote to memory of 1928	1704	cmd.exe	73
PID 1704 wrote to memory of 1928	1704	cmd.exe	73
PID 1704 wrote to memory of 1928	1704	cmd.exe	73
PID 1704 wrote to memory of 2140	1704	cmd.exe	74
PID 1704 wrote to memory of 2140	1704	cmd.exe	74
PID 1704 wrote to memory of 2140	1704	cmd.exe	74
PID 1704 wrote to memory of 2868	1704	cmd.exe	75
PID 1704 wrote to memory of 2868	1704	cmd.exe	75
PID 1704 wrote to memory of 2868	1704	cmd.exe	75
PID 2868 wrote to memory of 2704	2868	wininit.exe	76
PID 2868 wrote to memory of 2704	2868	wininit.exe	76
PID 2868 wrote to memory of 2704	2868	wininit.exe	76
PID 2704 wrote to memory of 2592	2704	cmd.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cheeto.exe
"C:\Users\Admin\AppData\Local\Temp\cheeto.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:320
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mGOOr90sgU.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2084
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2180
- - C:\Program Files (x86)\Google\CrashReports\wininit.exe
    "C:\Program Files (x86)\Google\CrashReports\wininit.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aORfBZ5ejs.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1868
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2176
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1984
    - - C:\Program Files (x86)\Google\CrashReports\wininit.exe
        
        "C:\Program Files (x86)\Google\CrashReports\wininit.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O9J2Ud69mI.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1768
        
        C:\Program Files (x86)\Google\CrashReports\wininit.exe
        
        "C:\Program Files (x86)\Google\CrashReports\wininit.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hI88NPPq5Z.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2688
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2340
        
        C:\Program Files (x86)\Google\CrashReports\wininit.exe
        
        "C:\Program Files (x86)\Google\CrashReports\wininit.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c4BTxhTwZ3.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1928
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2140
        
        C:\Program Files (x86)\Google\CrashReports\wininit.exe
        
        "C:\Program Files (x86)\Google\CrashReports\wininit.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OBULCoiNqa.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2592
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2436
        
        C:\Program Files (x86)\Google\CrashReports\wininit.exe
        
        "C:\Program Files (x86)\Google\CrashReports\wininit.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hKJR6a159q.bat"
        14⤵
        
        PID:1436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:3012
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2576
        
        C:\Program Files (x86)\Google\CrashReports\wininit.exe
        
        "C:\Program Files (x86)\Google\CrashReports\wininit.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Mb6Aq3ZX7x.bat"
        16⤵
        
        PID:604
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2164
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:956
        
        C:\Program Files (x86)\Google\CrashReports\wininit.exe
        
        "C:\Program Files (x86)\Google\CrashReports\wininit.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TIi6EHU90J.bat"
        18⤵
        
        PID:1036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:908
        
        C:\Program Files (x86)\Google\CrashReports\wininit.exe
        
        "C:\Program Files (x86)\Google\CrashReports\wininit.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8OmY81XgjJ.bat"
        20⤵
        
        PID:1980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2476
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1616
        
        C:\Program Files (x86)\Google\CrashReports\wininit.exe
        
        "C:\Program Files (x86)\Google\CrashReports\wininit.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RXbe2nqO2a.bat"
        22⤵
        
        PID:2220
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2992
        
        C:\Program Files (x86)\Google\CrashReports\wininit.exe
        
        "C:\Program Files (x86)\Google\CrashReports\wininit.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\CrashReports\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\CrashReports\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cheetoc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\cheeto.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cheeto" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\cheeto.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cheetoc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\cheeto.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\dwm.exe

Filesize
1.8MB

MD5
42b89874d3138f40f32285be945f2ceb

SHA1
1766b4c4a040ba19afc4318e9b2eab775fee88d7

SHA256
619f85e67208f3639eacc3121636208ce043ce5cf1f5204b86857cb03b5a004a

SHA512
df44c7f5677a0b8e181f52b5c865315672b7c90b37f99c3b5e31714bdbb47d32d652073c42f1e614d2911faddc0394411aa3e1b8c3f832549c0d52f409722ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\8OmY81XgjJ.bat

Filesize
182B

MD5
4835ee7299497a9d751e1b88d8d3073a

SHA1
f82bc6e6d871a903996b589b4fa926cee30d9c49

SHA256
8ecc3878d80a095fe3805ac927f209a4e55f1c558d9a0a7c7fe07e3c308764f2

SHA512
6f5df2bf0e00112a998fe6fc821cf33ad74d1dd369bf236594c48e7f6d3c740e60d04adec7ab38ebed66c6756bb500a6651cbad0ba8fda41e507320a82cef1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mb6Aq3ZX7x.bat

Filesize
182B

MD5
51e07591a46e0fb78293962447ba9f55

SHA1
bbf7714ddfa17b0826967956f2fb6f0c7aa70f05

SHA256
a11606c825ea0259379693637259a2031c1fe8461fd13213aa29208ac0a5c962

SHA512
e6a85c5cf7a6b51594cd2e27a906761304dac9bb4705a56c23746067f40d44a88d230505e7adb55779869084b9e6fcc16bb3fc4031d31afe2a8746bf747a8cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\O9J2Ud69mI.bat

Filesize
182B

MD5
04345c1a17ae25ac18cc591fd62bd610

SHA1
ed9ed70e797542ad867478557de5c0bcc0f4ecbf

SHA256
1e2faac20e180951157cb9ec9284a2388e8723b66d6f974a4818e029699b7fd3

SHA512
7384b0b63da3b4d5031bab19bfb02575f18f15a9a8e0486d0d948d526f8c524dc96d4e28c461b1eb46ccf8e960bc3a55d9cc761ff426e3247871254aca0a66b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OBULCoiNqa.bat

Filesize
182B

MD5
29175b76745cd82b007ec150e2eb163a

SHA1
e32f2b8cd61a941e4ee1f5b69ffea94421a9b0eb

SHA256
5da25c21c826ca5fb14f069d4da4eb7475241eb9d7906865eb2a3646290a3892

SHA512
a81260b050bf7e8f05572ff201953b34e9b13b8c43f80ac0899ca7eeaf34358a3813199a56399c18a20a6704c7ffd48bab5784b155df1b1ac6d700208f2887f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RXbe2nqO2a.bat

Filesize
182B

MD5
6c7aed2c0f2eed9ee110e17a7c0bb7aa

SHA1
85cb80045805cd4ea5ca448a16c0bfd850bccd20

SHA256
aa13788ee8a989b7b4dcbeac6d8370ee99ccfbbb4dfc4f057a21785664de880a

SHA512
415303ec96192eb13242f1d233b3ee50d13a8f09b76e5c10a734da140e27fe29f36a3d74efb53b4f42d7a33dd1ac003d49266bbde5b6cc6902d32ad5a79b3cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TIi6EHU90J.bat

Filesize
230B

MD5
4e9b4894aa860b8d9164c27b3583f574

SHA1
cb5eb6c09e1d74ba05ae69eb668a09eef1ffca97

SHA256
4a2d1d0fdbc90cf1474c2ca19c8645acddd2ba97fc52d197d2bb62edad8f31f6

SHA512
78d63baafc8084d208d4f01f3659b79be221f8036a0839c1da9761bb4b4ccae3df6c3e49511ac6f58185d2f18437685a197ea0b32c65f91be791d8e1289c9e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\aORfBZ5ejs.bat

Filesize
230B

MD5
61654e4a95260a51ee424b748a388048

SHA1
06abd576f0519cde4ccfa0fc02ff422835c3f97d

SHA256
d0d983342b781e4f5f53fecd32649fd5e20197beaa0f6377bbec9d47783c14ec

SHA512
526b46b00303669050538dc4e0b61760698226f14e7ad922e3ec49cc16204b3421d63cbb69c0dcf9d3c813e52d28931725b37e9c3eea97dc467a09f4e9fab630

Download Submit
C:\Users\Admin\AppData\Local\Temp\c4BTxhTwZ3.bat

Filesize
182B

MD5
84fc61d02da2f7c23266eeb486f26970

SHA1
f672dde801979465626a2261a3beeb5c44e6e756

SHA256
561c8ab06c9dc46619b75c0084c2132c87b85537c2a4c747c413fa3117c214be

SHA512
62807d0c4ca1153c6d8d5ad7d1edfd4fc8676afd8a011f549be2d42705cf5c6b0da096124497e77d2cd40dd6d382d8cd5d74015e860422bfdf6347d75bd714e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hI88NPPq5Z.bat

Filesize
182B

MD5
417a6ac590a5209edde4e047082b62cc

SHA1
2825fb92ab7748a7eca8e865519fa9418b4236bc

SHA256
b02f53f7aec72eff6b18385ebfaa430659106a3767914fe038d7833bda414572

SHA512
8bccbb3bf0422e1a294e487d3212c0b84104e80ebe223ba8e7a5b4607599a5ce2b9b8fb262e995dfe80d44e0de7c6502c95525d5bc088c58a190faf8a6cd83b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hKJR6a159q.bat

Filesize
182B

MD5
2ec5eec4b95ca531abc5b2967b8bd4b0

SHA1
0a5ec450c53aa48a1ce239a73b02458468935653

SHA256
4feeeff477c64f763a136d203337d23b1f7329d992708b3b97b767f83c7e3000

SHA512
2c2a96a7c7cc158eb9a6695a799c0d0dd0c32ad17f9515e7d6da3d8f8f761832a2e28f3acae5c45c4f27bd9b5f18741af46f0e9e7a9419cf99611ffd8de3c47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mGOOr90sgU.bat

Filesize
230B

MD5
42a6c671f61d2d1d263b2008a95b20b1

SHA1
78980736ef23c9bceefbabf06ade62b35c25b2fc

SHA256
af9b7d13f94371757a5d6b281d85399533d0fa2791ea72b84850e0ef6ea9b83b

SHA512
0c6906a7450b41531486de44b2e247746c87c28c6881a62b7319ac0a694e745d7804d04e4d4e0e5889ec728099970ec12573fff809e1908a4582c5b827982e1d

Download Submit
memory/320-31-0x000007FEF52B0000-0x000007FEF5C9C000-memory.dmp

Filesize
9.9MB

Download
memory/320-11-0x0000000002180000-0x0000000002198000-memory.dmp

Filesize
96KB

Download
memory/320-1-0x0000000000960000-0x0000000000B32000-memory.dmp

Filesize
1.8MB

Download
memory/320-25-0x000007FEF52B0000-0x000007FEF5C9C000-memory.dmp

Filesize
9.9MB

Download
memory/320-24-0x000007FEF52B0000-0x000007FEF5C9C000-memory.dmp

Filesize
9.9MB

Download
memory/320-2-0x000007FEF52B0000-0x000007FEF5C9C000-memory.dmp

Filesize
9.9MB

Download
memory/320-15-0x000007FEF52B0000-0x000007FEF5C9C000-memory.dmp

Filesize
9.9MB

Download
memory/320-0-0x000007FEF52B3000-0x000007FEF52B4000-memory.dmp

Filesize
4KB

Download
memory/320-3-0x000007FEF52B0000-0x000007FEF5C9C000-memory.dmp

Filesize
9.9MB

Download
memory/320-6-0x0000000000940000-0x000000000094E000-memory.dmp

Filesize
56KB

Download
memory/320-9-0x000007FEF52B0000-0x000007FEF5C9C000-memory.dmp

Filesize
9.9MB

Download
memory/320-8-0x0000000002160000-0x000000000217C000-memory.dmp

Filesize
112KB

Download
memory/320-4-0x000007FEF52B0000-0x000007FEF5C9C000-memory.dmp

Filesize
9.9MB

Download
memory/2496-53-0x0000000000340000-0x0000000000512000-memory.dmp

Filesize
1.8MB

Download
memory/2584-34-0x0000000001320000-0x00000000014F2000-memory.dmp

Filesize
1.8MB

Download
memory/2696-64-0x00000000013C0000-0x0000000001592000-memory.dmp

Filesize
1.8MB

Download