dcrat | f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
08-01-2025 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d9be74be06728c10b25ef019f7ff0b3.exe
Size

2.7MB
MD5

4d9be74be06728c10b25ef019f7ff0b3
SHA1

10c41cfa6c5dbec839759e9fd6971e57311ea76a
SHA256

f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343
SHA512

5e5b6b7a1fe66625b95d83fa2c0c77defe75c328cea02418179ce674134de65a1a2e3fc1e281d12448ac931cd803238205f0a71be73deee473d562d5ca3fd96f
SSDEEP

49152:VRx6mfxiUnp3jfmEXD9KxZU9IaK3clnUezzuuLjaO7e:b40VJ5XQxZUyrctHNyse

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2360	schtasks.exe	30

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4d9be74be06728c10b25ef019f7ff0b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4d9be74be06728c10b25ef019f7ff0b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4d9be74be06728c10b25ef019f7ff0b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1464-1-0x00000000011D0000-0x0000000001484000-memory.dmp	dcrat
behavioral1/files/0x000500000001a4c7-28.dat	dcrat
behavioral1/files/0x000500000001c8b6-59.dat	dcrat
behavioral1/files/0x000b0000000120fd-79.dat	dcrat
behavioral1/files/0x000d0000000120fd-102.dat	dcrat
behavioral1/files/0x000600000001a4de-183.dat	dcrat
behavioral1/memory/1656-208-0x0000000000160000-0x0000000000414000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
1656	System.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4d9be74be06728c10b25ef019f7ff0b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4d9be74be06728c10b25ef019f7ff0b3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\4d9be74be06728c10b25ef019f7ff0b3.exe	4d9be74be06728c10b25ef019f7ff0b3.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\a2136a5e2dbeed	4d9be74be06728c10b25ef019f7ff0b3.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\69ddcba757bf72	4d9be74be06728c10b25ef019f7ff0b3.exe
File opened for modification	C:\Program Files\VideoLAN\RCXA743.tmp	4d9be74be06728c10b25ef019f7ff0b3.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\4d9be74be06728c10b25ef019f7ff0b3.exe	4d9be74be06728c10b25ef019f7ff0b3.exe
File opened for modification	C:\Program Files\VideoLAN\System.exe	4d9be74be06728c10b25ef019f7ff0b3.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe	4d9be74be06728c10b25ef019f7ff0b3.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\RCX96FE.tmp	4d9be74be06728c10b25ef019f7ff0b3.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\en-US\RCXA4B1.tmp	4d9be74be06728c10b25ef019f7ff0b3.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe	4d9be74be06728c10b25ef019f7ff0b3.exe
File opened for modification	C:\Program Files\VideoLAN\RCXA742.tmp	4d9be74be06728c10b25ef019f7ff0b3.exe
File created	C:\Program Files\VideoLAN\System.exe	4d9be74be06728c10b25ef019f7ff0b3.exe
File created	C:\Program Files\VideoLAN\27d1bcfc3c54e0	4d9be74be06728c10b25ef019f7ff0b3.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\RCX96FF.tmp	4d9be74be06728c10b25ef019f7ff0b3.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\en-US\RCXA51F.tmp	4d9be74be06728c10b25ef019f7ff0b3.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\diagnostics\index\lsass.exe	4d9be74be06728c10b25ef019f7ff0b3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2060	schtasks.exe
2464	schtasks.exe
3036	schtasks.exe
2544	schtasks.exe
2380	schtasks.exe
2684	schtasks.exe
1256	schtasks.exe
1960	schtasks.exe
924	schtasks.exe
1872	schtasks.exe
2716	schtasks.exe
2996	schtasks.exe
864	schtasks.exe
1760	schtasks.exe
2372	schtasks.exe
696	schtasks.exe
1080	schtasks.exe
2732	schtasks.exe
1668	schtasks.exe
1980	schtasks.exe
2340	schtasks.exe
2148	schtasks.exe
3052	schtasks.exe
1016	schtasks.exe
1660	schtasks.exe
2160	schtasks.exe
3064	schtasks.exe
2940	schtasks.exe
596	schtasks.exe
1168	schtasks.exe
2912	schtasks.exe
800	schtasks.exe
2196	schtasks.exe
2328	schtasks.exe
2208	schtasks.exe
2752	schtasks.exe
2568	schtasks.exe
1200	schtasks.exe
2256	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1464	4d9be74be06728c10b25ef019f7ff0b3.exe
1464	4d9be74be06728c10b25ef019f7ff0b3.exe
1464	4d9be74be06728c10b25ef019f7ff0b3.exe
1656	System.exe
1656	System.exe
1656	System.exe
1656	System.exe
1656	System.exe
1656	System.exe
1656	System.exe
1656	System.exe
1656	System.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1656	System.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1464	4d9be74be06728c10b25ef019f7ff0b3.exe
Token: SeDebugPrivilege	1656	System.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 2916	1464	4d9be74be06728c10b25ef019f7ff0b3.exe	70
PID 1464 wrote to memory of 2916	1464	4d9be74be06728c10b25ef019f7ff0b3.exe	70
PID 1464 wrote to memory of 2916	1464	4d9be74be06728c10b25ef019f7ff0b3.exe	70
PID 2916 wrote to memory of 1796	2916	cmd.exe	72
PID 2916 wrote to memory of 1796	2916	cmd.exe	72
PID 2916 wrote to memory of 1796	2916	cmd.exe	72
PID 2916 wrote to memory of 1656	2916	cmd.exe	73
PID 2916 wrote to memory of 1656	2916	cmd.exe	73
PID 2916 wrote to memory of 1656	2916	cmd.exe	73

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4d9be74be06728c10b25ef019f7ff0b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4d9be74be06728c10b25ef019f7ff0b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4d9be74be06728c10b25ef019f7ff0b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4d9be74be06728c10b25ef019f7ff0b3.exe
"C:\Users\Admin\AppData\Local\Temp\4d9be74be06728c10b25ef019f7ff0b3.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1464
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VGo5IV6I4q.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1796
- - C:\Program Files\VideoLAN\System.exe
    "C:\Program Files\VideoLAN\System.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Admin\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4d9be74be06728c10b25ef019f7ff0b34" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\4d9be74be06728c10b25ef019f7ff0b3.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4d9be74be06728c10b25ef019f7ff0b3" /sc ONLOGON /tr "'C:\Users\Default\NetHood\4d9be74be06728c10b25ef019f7ff0b3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4d9be74be06728c10b25ef019f7ff0b34" /sc MINUTE /mo 11 /tr "'C:\Users\Default\NetHood\4d9be74be06728c10b25ef019f7ff0b3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4d9be74be06728c10b25ef019f7ff0b34" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\4d9be74be06728c10b25ef019f7ff0b3.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4d9be74be06728c10b25ef019f7ff0b3" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\4d9be74be06728c10b25ef019f7ff0b3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4d9be74be06728c10b25ef019f7ff0b34" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\4d9be74be06728c10b25ef019f7ff0b3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4d9be74be06728c10b25ef019f7ff0b34" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\4d9be74be06728c10b25ef019f7ff0b3.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4d9be74be06728c10b25ef019f7ff0b3" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\4d9be74be06728c10b25ef019f7ff0b3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4d9be74be06728c10b25ef019f7ff0b34" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\4d9be74be06728c10b25ef019f7ff0b3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\System.exe

Filesize
2.7MB

MD5
bf559526ddb11aa11e38c3bd8937be66

SHA1
0df9a8d2c0a55b85e7e34b2970b66e411b403ac8

SHA256
7f4a9aa8a153393f4f503231dca8f7b4b0faca3ff5d6ffa7290fc4bcc8eba68c

SHA512
8a94fc7c81d6f7dbf57ad9cfe2295de02a7d344f9d9e827103cc5f951450e20f505ccf45fa2a518038c2dff881e679166d098fa64191ca41bab259aa32cb5101

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\4d9be74be06728c10b25ef019f7ff0b3.exe

Filesize
2.7MB

MD5
4d9be74be06728c10b25ef019f7ff0b3

SHA1
10c41cfa6c5dbec839759e9fd6971e57311ea76a

SHA256
f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343

SHA512
5e5b6b7a1fe66625b95d83fa2c0c77defe75c328cea02418179ce674134de65a1a2e3fc1e281d12448ac931cd803238205f0a71be73deee473d562d5ca3fd96f

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\4d9be74be06728c10b25ef019f7ff0b3.exe

Filesize
2.7MB

MD5
4719ffa2b5cfd40a4b13d9714781ade9

SHA1
0833df67577a8c783ad289e4815edd7dc53a525d

SHA256
6d60f7df1e7ff8a011d337ef3dac5649ffdc905d3b458c78a6c9e6619ca85560

SHA512
600d1ae9018e75a801e50b0a66465ee2545f74717b096e68af990483463a9739d46d190a99e361ea028b310e4ee74fb16f81e18a67aa7d912095e0a482fccb3b

Download Submit
C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe

Filesize
2.7MB

MD5
7172552645276f4677e69a6548d2d389

SHA1
e9d715f5643a257fc0e5ca155e049e39c962e2dc

SHA256
e4bc818a69aed91906e04764f5c72540cccc17d1128fa06bef868f3d0e129043

SHA512
694f79fe1558d5bc7e7d66d18e03ab27a85c1fbe41aa9c3fe090bc2c79d00c8d25acbbecf4f57022ae57ef6e9225fbba083746c786f06e6bf37da6123d9ce0f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\VGo5IV6I4q.bat

Filesize
201B

MD5
f4771a1bdc9674f07792ac3435af98e1

SHA1
1bb4409022cb087802fdea800bf9514c860e7ed2

SHA256
ef1e81a3a70db721f8388e17b3dac0d1e1e369c88396bb354e169229b1ac1360

SHA512
f11e1f7ad612fca49936f7dd738a2730a75165b01dc498396cc2b48df19f0d34534aa5b7ba4e642d48ea6f5adaca0366f87b188ffb2ab0ea9d6bde7cbc86b3e3

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\4d9be74be06728c10b25ef019f7ff0b3.exe

Filesize
2.7MB

MD5
10c5b51c0c0e5159b6416a54ecbc3025

SHA1
52771bea83e03c6096a267745957a2f8f65928fe

SHA256
037aca21ef618de0b3bd193433223ccd210a8f614f198b0a7cf8e41f2b6d4c88

SHA512
cf5868db3385267d1db0c94d6657f59010909cab45b46c8e037d7f05f33642da08a043b7f11f391b5c92bbfb9a5252b1b8e030e33e8346a14f117ac0987b6995

Download Submit
memory/1464-16-0x000000001A9A0000-0x000000001A9AE000-memory.dmp

Filesize
56KB

Download
memory/1464-19-0x000000001AAD0000-0x000000001AADC000-memory.dmp

Filesize
48KB

Download
memory/1464-8-0x00000000004A0000-0x00000000004A8000-memory.dmp

Filesize
32KB

Download
memory/1464-9-0x0000000000660000-0x000000000066A000-memory.dmp

Filesize
40KB

Download
memory/1464-10-0x000000001AFF0000-0x000000001B046000-memory.dmp

Filesize
344KB

Download
memory/1464-11-0x0000000000650000-0x0000000000658000-memory.dmp

Filesize
32KB

Download
memory/1464-12-0x0000000000670000-0x0000000000682000-memory.dmp

Filesize
72KB

Download
memory/1464-13-0x0000000000680000-0x0000000000688000-memory.dmp

Filesize
32KB

Download
memory/1464-14-0x0000000001130000-0x0000000001138000-memory.dmp

Filesize
32KB

Download
memory/1464-15-0x00000000011C0000-0x00000000011CC000-memory.dmp

Filesize
48KB

Download
memory/1464-0-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp

Filesize
4KB

Download
memory/1464-17-0x000000001A9B0000-0x000000001A9BC000-memory.dmp

Filesize
48KB

Download
memory/1464-18-0x000000001AAC0000-0x000000001AACA000-memory.dmp

Filesize
40KB

Download
memory/1464-7-0x0000000000630000-0x0000000000646000-memory.dmp

Filesize
88KB

Download
memory/1464-6-0x0000000000490000-0x00000000004A0000-memory.dmp

Filesize
64KB

Download
memory/1464-5-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download
memory/1464-4-0x0000000000470000-0x000000000048C000-memory.dmp

Filesize
112KB

Download
memory/1464-3-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/1464-174-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp

Filesize
4KB

Download
memory/1464-2-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/1464-198-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/1464-1-0x00000000011D0000-0x0000000001484000-memory.dmp

Filesize
2.7MB

Download
memory/1464-205-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/1656-208-0x0000000000160000-0x0000000000414000-memory.dmp

Filesize
2.7MB

Download
memory/1656-209-0x0000000000830000-0x0000000000886000-memory.dmp

Filesize
344KB

Download
memory/1656-210-0x00000000007A0000-0x00000000007B2000-memory.dmp

Filesize
72KB

Download