dcrat | 6b3a8d4fc15f0d27845c0a7ff3d43028f20c3e867e34a5d0dc82574061eaae1f

Analysis

max time kernel
27s
max time network
26s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fatality crack.exe
Size

2.4MB
MD5

da0ce88710bea395b0ba51554af3c36b
SHA1

f0847749b4490eb44aa84933d28470eb07ef09c6
SHA256

2d239250cac86df7069e0143132ee1f5f0c25ff2a5425a38352f14d24599ccd0
SHA512

59e844fa8b57ea3f6916d60a76cf754097524ba5b2fa8a5e63346e880b378e6070315ab955718270ca4ea0cd3f74973fbea9260dd0cc8371ec3e2aadf75fd710
SSDEEP

49152:UbA30L2rtRmcGqlbwZdGqmNOvBluP3LgOhDr+EBAV:Ub32hF8ZXHvaThDr+Ew

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3472	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3520	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3700	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3816	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3328	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3324	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3108	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	2476	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2476	schtasks.exe	87

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000023c5f-10.dat	dcrat
behavioral1/memory/1592-13-0x00000000000C0000-0x00000000002E4000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fatality crack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Browsersavesperf.exe

Executes dropped EXE 2 IoCs

pid	Process
1592	Browsersavesperf.exe
1232	RuntimeBroker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	pastebin.com
21	pastebin.com

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\explorer.exe	Browsersavesperf.exe
File created	C:\Program Files (x86)\Windows Mail\wininit.exe	Browsersavesperf.exe
File created	C:\Program Files (x86)\Windows Mail\56085415360792	Browsersavesperf.exe
File created	C:\Program Files (x86)\Google\Temp\6203df4a6bafc7	Browsersavesperf.exe
File created	C:\Program Files\Java\5b884080fd4f94	Browsersavesperf.exe
File created	C:\Program Files\Reference Assemblies\sihost.exe	Browsersavesperf.exe
File created	C:\Program Files (x86)\Windows Portable Devices\7a0fd90576e088	Browsersavesperf.exe
File created	C:\Program Files\dotnet\host\fxr\7.0.16\lsass.exe	Browsersavesperf.exe
File created	C:\Program Files\dotnet\host\fxr\7.0.16\6203df4a6bafc7	Browsersavesperf.exe
File created	C:\Program Files (x86)\Google\Temp\lsass.exe	Browsersavesperf.exe
File created	C:\Program Files\Java\fontdrvhost.exe	Browsersavesperf.exe
File created	C:\Program Files\Reference Assemblies\66fc9ff0ee96c2	Browsersavesperf.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\SppExtComObj.exe	Browsersavesperf.exe
File created	C:\Windows\L2Schemas\e1ef82546f0b02	Browsersavesperf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fatality crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fatality crack.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2972	schtasks.exe
3108	schtasks.exe
1108	schtasks.exe
2764	schtasks.exe
1704	schtasks.exe
3324	schtasks.exe
376	schtasks.exe
2172	schtasks.exe
5044	schtasks.exe
4484	schtasks.exe
4296	schtasks.exe
4108	schtasks.exe
2576	schtasks.exe
540	schtasks.exe
4144	schtasks.exe
3472	schtasks.exe
3564	schtasks.exe
3700	schtasks.exe
208	schtasks.exe
736	schtasks.exe
4912	schtasks.exe
4976	schtasks.exe
2176	schtasks.exe
2936	schtasks.exe
4708	schtasks.exe
3988	schtasks.exe
2016	schtasks.exe
2992	schtasks.exe
5016	schtasks.exe
2060	schtasks.exe
3816	schtasks.exe
2384	schtasks.exe
760	schtasks.exe
1972	schtasks.exe
4572	schtasks.exe
5092	schtasks.exe
4316	schtasks.exe
3328	schtasks.exe
2208	schtasks.exe
2108	schtasks.exe
456	schtasks.exe
3520	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1592	Browsersavesperf.exe
1592	Browsersavesperf.exe
1592	Browsersavesperf.exe
2896	taskmgr.exe
2896	taskmgr.exe
1232	RuntimeBroker.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1592	Browsersavesperf.exe
Token: SeDebugPrivilege	2896	taskmgr.exe
Token: SeSystemProfilePrivilege	2896	taskmgr.exe
Token: SeCreateGlobalPrivilege	2896	taskmgr.exe
Token: SeDebugPrivilege	1232	RuntimeBroker.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 3464	2484	fatality crack.exe	83
PID 2484 wrote to memory of 3464	2484	fatality crack.exe	83
PID 2484 wrote to memory of 3464	2484	fatality crack.exe	83
PID 3464 wrote to memory of 2952	3464	WScript.exe	84
PID 3464 wrote to memory of 2952	3464	WScript.exe	84
PID 3464 wrote to memory of 2952	3464	WScript.exe	84
PID 2952 wrote to memory of 1592	2952	cmd.exe	86
PID 2952 wrote to memory of 1592	2952	cmd.exe	86
PID 1592 wrote to memory of 1232	1592	Browsersavesperf.exe	130
PID 1592 wrote to memory of 1232	1592	Browsersavesperf.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fatality crack.exe
"C:\Users\Admin\AppData\Local\Temp\fatality crack.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\portwebWinsvc\ZDy6Obd7i.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\portwebWinsvc\AT8VpGXO9Jiy.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\portwebWinsvc\Browsersavesperf.exe
      "C:\portwebWinsvc\Browsersavesperf.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1592
    - - C:\Users\Public\AccountPictures\RuntimeBroker.exe
        
        "C:\Users\Public\AccountPictures\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Public\AccountPictures\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Public\AccountPictures\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\portwebWinsvc\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\portwebWinsvc\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\portwebWinsvc\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Temp\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Java\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Windows\L2Schemas\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\L2Schemas\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\portwebWinsvc\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\portwebWinsvc\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\portwebWinsvc\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Favorites\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Favorites\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Searches\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Admin\Searches\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Searches\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Templates\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Templates\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Templates\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\portwebWinsvc\AT8VpGXO9Jiy.bat

Filesize
39B

MD5
0877fa04f40fe9008de1c48bd872b651

SHA1
84f3383c15a7a6bb00972833f9477f68c3d28d9e

SHA256
be172c136012001e44ee48cb06c7f60df6f8e8d2bbd2d05a87a195fbe17b2954

SHA512
f7c709643b41841f56b0172cf5c8a30f53a5d20638da0cdb2eafc76191cb94f56cb09d49c99c71ba84d7cd16449737dc0694f758d62b6c54f09b3732ce65c70b

Download Submit
C:\portwebWinsvc\Browsersavesperf.exe

Filesize
2.1MB

MD5
0e21c6abefda0c74a7344b08f1866f6d

SHA1
2cb369613545524bb44992838ff4b5de4e43b4d6

SHA256
127bfad54c28772dce436b0edd3bd6f5c232e37883a194851d5b00cbb9aea32d

SHA512
c30b587e34420c609e11fc5b2666a75e9c41f67c859fb3941d8269b465db3c21d06845be9c63ed1cef0e5c42067481bf6cbc9971b67a2c2f676487f9706b2df3

Download Submit
C:\portwebWinsvc\ZDy6Obd7i.vbe

Filesize
202B

MD5
720ed4f44e88c2dc6dc905a0eebdf312

SHA1
0431a47e3d2c7d011a1f2f90aab5835b34da3d6c

SHA256
eb78b3fec6f3a91b9bbcec064f122391213486c1cb1f83fa977a8d4580ba333f

SHA512
459cffba8905a6e1fd3d4d37cb148bb70aa9543bbc8260adfe28513e9278077455c1e202e78ec21da8cbfb91b2285b72f4c246af8a06e35ffa59e82633c7e097

Download Submit
memory/1232-57-0x000000001CCA0000-0x000000001CCF6000-memory.dmp

Filesize
344KB

Download
memory/1592-12-0x00007FFBA8913000-0x00007FFBA8915000-memory.dmp

Filesize
8KB

Download
memory/1592-13-0x00000000000C0000-0x00000000002E4000-memory.dmp

Filesize
2.1MB

Download
memory/1592-14-0x00000000023C0000-0x00000000023DC000-memory.dmp

Filesize
112KB

Download
memory/1592-15-0x000000001B590000-0x000000001B5E0000-memory.dmp

Filesize
320KB

Download
memory/1592-16-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/1592-17-0x000000001B540000-0x000000001B596000-memory.dmp

Filesize
344KB

Download
memory/2896-58-0x000001B2354D0000-0x000001B2354D1000-memory.dmp

Filesize
4KB

Download
memory/2896-59-0x000001B2354D0000-0x000001B2354D1000-memory.dmp

Filesize
4KB

Download
memory/2896-60-0x000001B2354D0000-0x000001B2354D1000-memory.dmp

Filesize
4KB

Download
memory/2896-70-0x000001B2354D0000-0x000001B2354D1000-memory.dmp

Filesize
4KB

Download
memory/2896-69-0x000001B2354D0000-0x000001B2354D1000-memory.dmp

Filesize
4KB

Download
memory/2896-68-0x000001B2354D0000-0x000001B2354D1000-memory.dmp

Filesize
4KB

Download
memory/2896-67-0x000001B2354D0000-0x000001B2354D1000-memory.dmp

Filesize
4KB

Download
memory/2896-66-0x000001B2354D0000-0x000001B2354D1000-memory.dmp

Filesize
4KB

Download
memory/2896-65-0x000001B2354D0000-0x000001B2354D1000-memory.dmp

Filesize
4KB

Download
memory/2896-64-0x000001B2354D0000-0x000001B2354D1000-memory.dmp

Filesize
4KB

Download