dcrat | 9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08-01-2025 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe
Size

1.1MB
MD5

08e95dabb86201eeb98188769e4fcd62
SHA1

40a819d79a67c7be05f9c0c45ee7558ec58971f9
SHA256

9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7
SHA512

7d9b35d175f4a0c90a48c44930e7f8260e4a16821b4c778bc5fcb1d5a220d29d29520f7b1809918eb5e03dfd16a6dfcfac3fcbfd4cebabcdd38776c5508cf722
SSDEEP

24576:U2G/nvxW3Ww0tE9E3RrEdapg6gnUcKnbXq5Qck:UbA30E9ldapLpkQl

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	284	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	3068	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	3068	schtasks.exe	35

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000018bdd-12.dat	dcrat
behavioral1/memory/2964-13-0x00000000002D0000-0x00000000003A6000-memory.dmp	dcrat
behavioral1/memory/2536-53-0x0000000000D50000-0x0000000000E26000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

pid	Process
2964	Runtimemonitor.exe
2536	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2840	cmd.exe
2840	cmd.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Java\0a1fd5f707cd16	Runtimemonitor.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\dwm.exe	Runtimemonitor.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\6cb0b6c459d5d3	Runtimemonitor.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\sppsvc.exe	Runtimemonitor.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\0a1fd5f707cd16	Runtimemonitor.exe
File created	C:\Program Files\Java\sppsvc.exe	Runtimemonitor.exe
File opened for modification	C:\Program Files\Java\sppsvc.exe	Runtimemonitor.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Migration\WTR\f3b6ecef712a24	Runtimemonitor.exe
File created	C:\Windows\tracing\Idle.exe	Runtimemonitor.exe
File created	C:\Windows\tracing\6ccacd8608530f	Runtimemonitor.exe
File created	C:\Windows\DigitalLocker\en-US\winlogon.exe	Runtimemonitor.exe
File created	C:\Windows\DigitalLocker\en-US\cc11b995f2a76d	Runtimemonitor.exe
File created	C:\Windows\Migration\WTR\spoolsv.exe	Runtimemonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1856	schtasks.exe
1936	schtasks.exe
2176	schtasks.exe
1420	schtasks.exe
1620	schtasks.exe
2136	schtasks.exe
1092	schtasks.exe
1788	schtasks.exe
2084	schtasks.exe
1944	schtasks.exe
2876	schtasks.exe
2196	schtasks.exe
2920	schtasks.exe
2760	schtasks.exe
2488	schtasks.exe
2512	schtasks.exe
2904	schtasks.exe
880	schtasks.exe
1552	schtasks.exe
3052	schtasks.exe
2312	schtasks.exe
2592	schtasks.exe
1720	schtasks.exe
2864	schtasks.exe
1948	schtasks.exe
1624	schtasks.exe
772	schtasks.exe
3032	schtasks.exe
2880	schtasks.exe
1852	schtasks.exe
540	schtasks.exe
2540	schtasks.exe
2700	schtasks.exe
2040	schtasks.exe
1996	schtasks.exe
1844	schtasks.exe
684	schtasks.exe
1524	schtasks.exe
1744	schtasks.exe
2108	schtasks.exe
284	schtasks.exe
1220	schtasks.exe
2820	schtasks.exe
828	schtasks.exe
984	schtasks.exe
608	schtasks.exe
1464	schtasks.exe
1924	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2964	Runtimemonitor.exe
2536	Idle.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2964	Runtimemonitor.exe
Token: SeDebugPrivilege	2536	Idle.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 1748	1664	9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe	30
PID 1664 wrote to memory of 1748	1664	9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe	30
PID 1664 wrote to memory of 1748	1664	9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe	30
PID 1664 wrote to memory of 1748	1664	9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe	30
PID 1748 wrote to memory of 2840	1748	WScript.exe	32
PID 1748 wrote to memory of 2840	1748	WScript.exe	32
PID 1748 wrote to memory of 2840	1748	WScript.exe	32
PID 1748 wrote to memory of 2840	1748	WScript.exe	32
PID 2840 wrote to memory of 2964	2840	cmd.exe	34
PID 2840 wrote to memory of 2964	2840	cmd.exe	34
PID 2840 wrote to memory of 2964	2840	cmd.exe	34
PID 2840 wrote to memory of 2964	2840	cmd.exe	34
PID 2964 wrote to memory of 2140	2964	Runtimemonitor.exe	84
PID 2964 wrote to memory of 2140	2964	Runtimemonitor.exe	84
PID 2964 wrote to memory of 2140	2964	Runtimemonitor.exe	84
PID 2140 wrote to memory of 2352	2140	cmd.exe	86
PID 2140 wrote to memory of 2352	2140	cmd.exe	86
PID 2140 wrote to memory of 2352	2140	cmd.exe	86
PID 2140 wrote to memory of 2536	2140	cmd.exe	87
PID 2140 wrote to memory of 2536	2140	cmd.exe	87
PID 2140 wrote to memory of 2536	2140	cmd.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe
"C:\Users\Admin\AppData\Local\Temp\9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\PortcomAgentwinbroker\w1FXjdRze6k4uvStmhH3M.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\PortcomAgentwinbroker\1uTBfrpLb993XlgcpIpPee79uOtZ.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\PortcomAgentwinbroker\Runtimemonitor.exe
      "C:\PortcomAgentwinbroker\Runtimemonitor.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2964
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GoiOXginkp.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2140
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2352
      - C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Java\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Application Data\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default\Application Data\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Application Data\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\PortcomAgentwinbroker\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\PortcomAgentwinbroker\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\PortcomAgentwinbroker\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\PortcomAgentwinbroker\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\PortcomAgentwinbroker\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\PortcomAgentwinbroker\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\Media Renderer\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Media Renderer\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\Media Renderer\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\tracing\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\tracing\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Favorites\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Favorites\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Favorites\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\PortcomAgentwinbroker\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\PortcomAgentwinbroker\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\PortcomAgentwinbroker\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\en-US\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PortcomAgentwinbroker\1uTBfrpLb993XlgcpIpPee79uOtZ.bat

Filesize
45B

MD5
045087efd61d5ab94d918bfd3946a335

SHA1
3aff3cfa40d70469614e4228d91a606c83ea7919

SHA256
e482a83af3f1dfc25dc04f86b454e21d1107cc9cf5cd18c172c3e3f3b9a3b022

SHA512
047d93b004fe7ee1448eb274ee640d104aac06c00d5ea2acdd56b78581d610e93a702e9098d33c985cae2758b3cc502331747fa0979a075aa5c39a30f7910d49

Download Submit
C:\PortcomAgentwinbroker\Runtimemonitor.exe

Filesize
828KB

MD5
2effcbfe83a6e643d620bd7221b8d4cc

SHA1
37ba35e898bc1135c3be15127d1baf95ea311029

SHA256
4618a1f497b813ef1f58a9a256bbd0f418c70ec7340ce9e0a51e343d21095b40

SHA512
0dcc2febdf5ad2c5f5bda5680bde51b23ea5d5ea38bdc6bc8dda0d2f0a0ae9c4a619b9a7aabd024da9c45f4df594766d400abd4df07ee30fc4a2869da77d6999

Download Submit
C:\PortcomAgentwinbroker\w1FXjdRze6k4uvStmhH3M.vbe

Filesize
226B

MD5
965fe1cee13f15bd288f9f8d603a2769

SHA1
18ca01b1ee9a9b524ca5aaa1b750c38a1303f7c1

SHA256
b6ff2be9587c1e05b35823470a835d0dea7850ff2ed98e57722489db44033a8b

SHA512
364a403217a76567c96632741c3f0473a09af1185acff65926aafee1655df5d9f6161f2799d57f6d432e7f87a0ac592cd6ad7f6424c89eac12f793b27d4e9d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoiOXginkp.bat

Filesize
222B

MD5
29a45470e9db537ced7cd55951f92521

SHA1
a8c6ce220ce1e0271079d0ee083c2de1eb4ddb78

SHA256
8164e64f63de6cbb2ef3ff87a5abba5db7cad465364840c8ab639f574ca8cc0c

SHA512
a05713bc301dd85327d41f24a1c1eadf65d6522b3217efc7c564ea009fa858bd4107c7679ea7c21a83fa3c074fd02643c8522aa3f911644d717897b944bb091a

Download Submit
memory/2536-53-0x0000000000D50000-0x0000000000E26000-memory.dmp

Filesize
856KB

Download
memory/2964-13-0x00000000002D0000-0x00000000003A6000-memory.dmp

Filesize
856KB

Download