dcrat | 9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7

Analysis

max time kernel
93s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe
Size

1.1MB
MD5

08e95dabb86201eeb98188769e4fcd62
SHA1

40a819d79a67c7be05f9c0c45ee7558ec58971f9
SHA256

9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7
SHA512

7d9b35d175f4a0c90a48c44930e7f8260e4a16821b4c778bc5fcb1d5a220d29d29520f7b1809918eb5e03dfd16a6dfcfac3fcbfd4cebabcdd38776c5508cf722
SSDEEP

24576:U2G/nvxW3Ww0tE9E3RrEdapg6gnUcKnbXq5Qck:UbA30E9ldapLpkQl

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat 33 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
File created	C:\Program Files\MSBuild\5b884080fd4f94		Runtimemonitor.exe
		1952	schtasks.exe
		2952	schtasks.exe
		3336	schtasks.exe
		3268	schtasks.exe
		3440	schtasks.exe
		3580	schtasks.exe
		460	schtasks.exe
		3420	schtasks.exe
		5092	schtasks.exe
		1764	schtasks.exe
		4296	schtasks.exe
		244	schtasks.exe
		4456	schtasks.exe
		3116	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language		9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe
		4916	schtasks.exe
		1920	schtasks.exe
		816	schtasks.exe
		3100	schtasks.exe
		1456	schtasks.exe
		4596	schtasks.exe
		2424	schtasks.exe
File created	C:\Windows\InputMethod\SHARED\9e8d7a4ca61bd9		Runtimemonitor.exe
		1824	schtasks.exe
		4672	schtasks.exe
		2940	schtasks.exe
		4136	schtasks.exe
		1212	schtasks.exe
		1000	schtasks.exe
		2484	schtasks.exe
		3280	schtasks.exe
		2332	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3420	3936	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	3936	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	244	3936	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	3936	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	3936	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	3936	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	3936	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	3936	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	3936	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	3936	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	3936	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	3936	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	3936	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	3936	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	3936	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	3936	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	3936	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	3936	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3268	3936	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	3936	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	3936	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	3936	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3280	3936	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	3936	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3336	3936	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	3936	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	3936	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	3936	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	460	3936	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	3936	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c9e-10.dat	dcrat
behavioral2/memory/4556-13-0x0000000000160000-0x0000000000236000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Runtimemonitor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Runtimemonitor.exe

Executes dropped EXE 3 IoCs

pid	Process
4556	Runtimemonitor.exe
3456	Runtimemonitor.exe
2044	MoUsoCoreWorker.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\lua\04c1e7795967e4	Runtimemonitor.exe
File created	C:\Program Files\MSBuild\fontdrvhost.exe	Runtimemonitor.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\7a0fd90576e088	Runtimemonitor.exe
File created	C:\Program Files\dotnet\host\fxr\8.0.2\WmiPrvSE.exe	Runtimemonitor.exe
File created	C:\Program Files\ModifiableWindowsApps\System.exe	Runtimemonitor.exe
File created	C:\Program Files\dotnet\host\fxr\8.0.2\24dbde2999530e	Runtimemonitor.exe
File created	C:\Program Files\VideoLAN\VLC\lua\TrustedInstaller.exe	Runtimemonitor.exe
File opened for modification	C:\Program Files\MSBuild\fontdrvhost.exe	Runtimemonitor.exe
File created	C:\Program Files\MSBuild\5b884080fd4f94	Runtimemonitor.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe	Runtimemonitor.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\InputMethod\SHARED\RuntimeBroker.exe	Runtimemonitor.exe
File created	C:\Windows\InputMethod\SHARED\9e8d7a4ca61bd9	Runtimemonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	Runtimemonitor.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	Runtimemonitor.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3116	schtasks.exe
1212	schtasks.exe
4296	schtasks.exe
2424	schtasks.exe
1764	schtasks.exe
2952	schtasks.exe
2332	schtasks.exe
5092	schtasks.exe
816	schtasks.exe
4596	schtasks.exe
1000	schtasks.exe
4916	schtasks.exe
2940	schtasks.exe
1952	schtasks.exe
3268	schtasks.exe
3580	schtasks.exe
460	schtasks.exe
3100	schtasks.exe
244	schtasks.exe
2484	schtasks.exe
4136	schtasks.exe
1920	schtasks.exe
3336	schtasks.exe
3420	schtasks.exe
4456	schtasks.exe
1456	schtasks.exe
1824	schtasks.exe
3440	schtasks.exe
3280	schtasks.exe
4672	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4556	Runtimemonitor.exe
3456	Runtimemonitor.exe
3456	Runtimemonitor.exe
3456	Runtimemonitor.exe
3456	Runtimemonitor.exe
3456	Runtimemonitor.exe
2044	MoUsoCoreWorker.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4556	Runtimemonitor.exe
Token: SeDebugPrivilege	3456	Runtimemonitor.exe
Token: SeDebugPrivilege	2044	MoUsoCoreWorker.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2152	1960	9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe	82
PID 1960 wrote to memory of 2152	1960	9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe	82
PID 1960 wrote to memory of 2152	1960	9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe	82
PID 2152 wrote to memory of 1528	2152	WScript.exe	87
PID 2152 wrote to memory of 1528	2152	WScript.exe	87
PID 2152 wrote to memory of 1528	2152	WScript.exe	87
PID 1528 wrote to memory of 4556	1528	cmd.exe	89
PID 1528 wrote to memory of 4556	1528	cmd.exe	89
PID 4556 wrote to memory of 3484	4556	Runtimemonitor.exe	96
PID 4556 wrote to memory of 3484	4556	Runtimemonitor.exe	96
PID 3484 wrote to memory of 2292	3484	cmd.exe	98
PID 3484 wrote to memory of 2292	3484	cmd.exe	98
PID 3484 wrote to memory of 3456	3484	cmd.exe	102
PID 3484 wrote to memory of 3456	3484	cmd.exe	102
PID 3456 wrote to memory of 4048	3456	Runtimemonitor.exe	127
PID 3456 wrote to memory of 4048	3456	Runtimemonitor.exe	127
PID 4048 wrote to memory of 1364	4048	cmd.exe	129
PID 4048 wrote to memory of 1364	4048	cmd.exe	129
PID 4048 wrote to memory of 2044	4048	cmd.exe	130
PID 4048 wrote to memory of 2044	4048	cmd.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe
"C:\Users\Admin\AppData\Local\Temp\9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe"
1⤵
- DcRat
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\PortcomAgentwinbroker\w1FXjdRze6k4uvStmhH3M.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\PortcomAgentwinbroker\1uTBfrpLb993XlgcpIpPee79uOtZ.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\PortcomAgentwinbroker\Runtimemonitor.exe
      "C:\PortcomAgentwinbroker\Runtimemonitor.exe"
      4⤵
      DcRat
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4556
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tdnSJsnH3X.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3484
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2292
      - C:\PortcomAgentwinbroker\Runtimemonitor.exe
        
        "C:\PortcomAgentwinbroker\Runtimemonitor.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vok8NPYc2E.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1364
        
        C:\Users\Default User\MoUsoCoreWorker.exe
        
        "C:\Users\Default User\MoUsoCoreWorker.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\InputMethod\SHARED\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\InputMethod\SHARED\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\InputMethod\SHARED\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Recent\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Admin\Recent\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Recent\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\PortcomAgentwinbroker\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\PortcomAgentwinbroker\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\PortcomAgentwinbroker\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 10 /tr "'C:\PortcomAgentwinbroker\WaaSMedicAgent.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\PortcomAgentwinbroker\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\PortcomAgentwinbroker\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\MoUsoCoreWorker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Users\Default User\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\host\fxr\8.0.2\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\fxr\8.0.2\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\dotnet\host\fxr\8.0.2\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\lua\TrustedInstaller.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\lua\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PortcomAgentwinbroker\1uTBfrpLb993XlgcpIpPee79uOtZ.bat

Filesize
45B

MD5
045087efd61d5ab94d918bfd3946a335

SHA1
3aff3cfa40d70469614e4228d91a606c83ea7919

SHA256
e482a83af3f1dfc25dc04f86b454e21d1107cc9cf5cd18c172c3e3f3b9a3b022

SHA512
047d93b004fe7ee1448eb274ee640d104aac06c00d5ea2acdd56b78581d610e93a702e9098d33c985cae2758b3cc502331747fa0979a075aa5c39a30f7910d49

Download Submit
C:\PortcomAgentwinbroker\Runtimemonitor.exe

Filesize
828KB

MD5
2effcbfe83a6e643d620bd7221b8d4cc

SHA1
37ba35e898bc1135c3be15127d1baf95ea311029

SHA256
4618a1f497b813ef1f58a9a256bbd0f418c70ec7340ce9e0a51e343d21095b40

SHA512
0dcc2febdf5ad2c5f5bda5680bde51b23ea5d5ea38bdc6bc8dda0d2f0a0ae9c4a619b9a7aabd024da9c45f4df594766d400abd4df07ee30fc4a2869da77d6999

Download Submit
C:\PortcomAgentwinbroker\w1FXjdRze6k4uvStmhH3M.vbe

Filesize
226B

MD5
965fe1cee13f15bd288f9f8d603a2769

SHA1
18ca01b1ee9a9b524ca5aaa1b750c38a1303f7c1

SHA256
b6ff2be9587c1e05b35823470a835d0dea7850ff2ed98e57722489db44033a8b

SHA512
364a403217a76567c96632741c3f0473a09af1185acff65926aafee1655df5d9f6161f2799d57f6d432e7f87a0ac592cd6ad7f6424c89eac12f793b27d4e9d72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtimemonitor.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Temp\tdnSJsnH3X.bat

Filesize
208B

MD5
abde6c0ee7293f6776b9b738d1245a50

SHA1
5016f1b4c72e06bae8bddc73823085672da2e5d3

SHA256
8ed224d9f1599159161fc74e8c1b850852b620f54162e893eca1a0e0fccbcbc2

SHA512
49ebb985c5f804177bbc64bf4913ea8e399515d57e9455e6febc7f67919e72de356d07b65bd3dfe86cfecb362096d5e3489deececea56f33ab9d6bf511435fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\vok8NPYc2E.bat

Filesize
206B

MD5
a4f7d26ef9a007eb22fa17c24623d750

SHA1
0a147f20210c86e18a0a634d6c0d6178a616b6f8

SHA256
6656a76fdde19373cc866d24972b41e4895f9fe882f69e37832bdf9dc2adfbcb

SHA512
0974f7cd11d3133c6d58729d0175064e91b825cc6abcad29288ac821a3e9a57516ad9711b52c57104f6c46224de13e277f878644c39ab0c28a011a53bfd874a5

Download Submit
memory/4556-12-0x00007FFFABBE3000-0x00007FFFABBE5000-memory.dmp

Filesize
8KB

Download
memory/4556-13-0x0000000000160000-0x0000000000236000-memory.dmp

Filesize
856KB

Download