dcrat | 9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004f

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004fN.exe
Size

828KB
MD5

58af79b3ea2a593144474e327fa48a10
SHA1

4a32b49ec04f6f8e3a7b2097fb9b5bb36f4dffcf
SHA256

9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004f
SHA512

3923cfd4344b68a3b468f82b7e142ff5778a548cb692138ad7fee57ed0f003fa355a0b90b043ac78275a8489073bccdcc6aef9b1664b262b24a8a04a876bf13a
SSDEEP

12288:K5jHYVjmobNqsKDsSvjbHQVtVZJizDxRxhDsGALvbI6bnY6a2Xu:1b4sKDZUZJuR/ALvbLnY8Xu

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat 45 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

pid	Process
1704	schtasks.exe
1364	schtasks.exe
2456	schtasks.exe
1916	schtasks.exe
2252	schtasks.exe
1272	schtasks.exe
1900	schtasks.exe
1712	schtasks.exe
1668	schtasks.exe
1240	schtasks.exe
2140	schtasks.exe
1440	schtasks.exe
2968	schtasks.exe
1672	schtasks.exe
2440	schtasks.exe
2600	schtasks.exe
1928	schtasks.exe
1592	schtasks.exe
2032	schtasks.exe
848	schtasks.exe
2092	schtasks.exe
2764	schtasks.exe
2900	schtasks.exe
1040	schtasks.exe
2056	schtasks.exe
2144	schtasks.exe
2824	schtasks.exe
1724	schtasks.exe
1796	schtasks.exe
1284	schtasks.exe
2388	schtasks.exe
2432	schtasks.exe
876	schtasks.exe
2584	schtasks.exe
1800	schtasks.exe
824	schtasks.exe
1456	schtasks.exe
1528	schtasks.exe
1696	schtasks.exe
2272	schtasks.exe
2632	schtasks.exe
852	schtasks.exe
2884	schtasks.exe
2284	schtasks.exe
3000	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	1640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	1640	schtasks.exe	30

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2064-1-0x0000000000950000-0x0000000000A26000-memory.dmp	dcrat
behavioral1/memory/2808-13-0x00000000003F0000-0x00000000004C6000-memory.dmp	dcrat
behavioral1/files/0x0005000000019502-18.dat	dcrat
behavioral1/memory/2120-47-0x00000000001E0000-0x00000000002B6000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2120	services.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\wininit.exe	9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004fN.exe
File created	C:\Program Files\Mozilla Firefox\defaults\wininit.exe	9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004fN.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\69ddcba757bf72	9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004fN.exe
File created	C:\Program Files\Windows NT\TableTextService\ja-JP\f3b6ecef712a24	9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004fN.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe	9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004fN.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\5940a34987c991	9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004fN.exe
File created	C:\Program Files (x86)\Windows Defender\56085415360792	9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004fN.exe
File created	C:\Program Files\Mozilla Firefox\defaults\56085415360792	9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004fN.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\smss.exe	9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004fN.exe
File created	C:\Program Files\Windows NT\TableTextService\ja-JP\spoolsv.exe	9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004fN.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe	9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004fN.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\27d1bcfc3c54e0	9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004fN.exe
File created	C:\Windows\AppCompat\Programs\System.exe	9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004fN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2284	schtasks.exe
1528	schtasks.exe
2272	schtasks.exe
1040	schtasks.exe
1900	schtasks.exe
852	schtasks.exe
2032	schtasks.exe
2884	schtasks.exe
1704	schtasks.exe
1724	schtasks.exe
2140	schtasks.exe
2092	schtasks.exe
1800	schtasks.exe
824	schtasks.exe
876	schtasks.exe
2900	schtasks.exe
2252	schtasks.exe
1928	schtasks.exe
2388	schtasks.exe
2824	schtasks.exe
1796	schtasks.exe
1916	schtasks.exe
2600	schtasks.exe
2056	schtasks.exe
2456	schtasks.exe
2968	schtasks.exe
1240	schtasks.exe
1592	schtasks.exe
1668	schtasks.exe
848	schtasks.exe
1456	schtasks.exe
1672	schtasks.exe
2764	schtasks.exe
2440	schtasks.exe
2632	schtasks.exe
1712	schtasks.exe
1440	schtasks.exe
1364	schtasks.exe
2432	schtasks.exe
2584	schtasks.exe
3000	schtasks.exe
1284	schtasks.exe
2144	schtasks.exe
1696	schtasks.exe
1272	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2064	9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004fN.exe
2808	9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004fN.exe
2808	9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004fN.exe
2808	9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004fN.exe
2120	services.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2064	9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004fN.exe
Token: SeDebugPrivilege	2808	9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004fN.exe
Token: SeDebugPrivilege	2120	services.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 3040	2064	9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004fN.exe	37
PID 2064 wrote to memory of 3040	2064	9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004fN.exe	37
PID 2064 wrote to memory of 3040	2064	9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004fN.exe	37
PID 3040 wrote to memory of 2812	3040	cmd.exe	39
PID 3040 wrote to memory of 2812	3040	cmd.exe	39
PID 3040 wrote to memory of 2812	3040	cmd.exe	39
PID 3040 wrote to memory of 2808	3040	cmd.exe	41
PID 3040 wrote to memory of 2808	3040	cmd.exe	41
PID 3040 wrote to memory of 2808	3040	cmd.exe	41
PID 2808 wrote to memory of 1436	2808	9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004fN.exe	81
PID 2808 wrote to memory of 1436	2808	9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004fN.exe	81
PID 2808 wrote to memory of 1436	2808	9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004fN.exe	81
PID 1436 wrote to memory of 2080	1436	cmd.exe	83
PID 1436 wrote to memory of 2080	1436	cmd.exe	83
PID 1436 wrote to memory of 2080	1436	cmd.exe	83
PID 1436 wrote to memory of 2120	1436	cmd.exe	84
PID 1436 wrote to memory of 2120	1436	cmd.exe	84
PID 1436 wrote to memory of 2120	1436	cmd.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004fN.exe
"C:\Users\Admin\AppData\Local\Temp\9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004fN.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pRsDwHI0ah.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2812
- - C:\Users\Admin\AppData\Local\Temp\9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004fN.exe
    "C:\Users\Admin\AppData\Local\Temp\9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004fN.exe"
    3⤵
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ydDvMf1lEo.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1436
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2080
    - - C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe
        
        "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Roaming\Mozilla\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Mozilla\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Roaming\Mozilla\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\defaults\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\defaults\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\AppCompat\Programs\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\AppCompat\Programs\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\wininit.exe

Filesize
828KB

MD5
58af79b3ea2a593144474e327fa48a10

SHA1
4a32b49ec04f6f8e3a7b2097fb9b5bb36f4dffcf

SHA256
9e128aa17df105d29fbf1da4673f15c3c2467829bb4dea076dd58b1fc260004f

SHA512
3923cfd4344b68a3b468f82b7e142ff5778a548cb692138ad7fee57ed0f003fa355a0b90b043ac78275a8489073bccdcc6aef9b1664b262b24a8a04a876bf13a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pRsDwHI0ah.bat

Filesize
268B

MD5
6599375637b8ea57920872b4f52c2b67

SHA1
38feb4ec1c85d33dde6b3a4cbff0091993e1cc17

SHA256
de9640383e2a841f6092d2fd734f15a704e2f7a72438dfa4525c1f199cef4bc2

SHA512
ddfef713da2f0ea674ac7de53cddfe4d738213885531cb3772afc675538b82d1b1bc5c81f261a7913e16b39b8fb465aa9351a6c087b132ae1d562f41c6591577

Download Submit
C:\Users\Admin\AppData\Local\Temp\ydDvMf1lEo.bat

Filesize
226B

MD5
0cdd9638554f4aae99efe7d5797467ba

SHA1
ebb5e4e5779595ea171a8d95102ca178a44bb71e

SHA256
fdd892068e8b276ff352d3a10bdd1d4a847d57ac145943fbae951558b44f75da

SHA512
c611b0b035e35c384c61bd17d54573bdeb396d4529f06245b2a31433d2fbf8727bb453de35dfcd24d48d3da2b47a80060fa116410f3377add2692dd739cf64c4

Download Submit
memory/2064-0-0x000007FEF5E73000-0x000007FEF5E74000-memory.dmp

Filesize
4KB

Download
memory/2064-1-0x0000000000950000-0x0000000000A26000-memory.dmp

Filesize
856KB

Download
memory/2064-2-0x000007FEF5E70000-0x000007FEF685C000-memory.dmp

Filesize
9.9MB

Download
memory/2064-11-0x000007FEF5E70000-0x000007FEF685C000-memory.dmp

Filesize
9.9MB

Download
memory/2120-47-0x00000000001E0000-0x00000000002B6000-memory.dmp

Filesize
856KB

Download
memory/2808-13-0x00000000003F0000-0x00000000004C6000-memory.dmp

Filesize
856KB

Download