dcrat | 874a2c7f2a2f39efe570bde5a76a28199fc8a063281b75d6d59a5f1b044ccc84

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-01-2025 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe
Size

1.1MB
MD5

08e95dabb86201eeb98188769e4fcd62
SHA1

40a819d79a67c7be05f9c0c45ee7558ec58971f9
SHA256

9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7
SHA512

7d9b35d175f4a0c90a48c44930e7f8260e4a16821b4c778bc5fcb1d5a220d29d29520f7b1809918eb5e03dfd16a6dfcfac3fcbfd4cebabcdd38776c5508cf722
SSDEEP

24576:U2G/nvxW3Ww0tE9E3RrEdapg6gnUcKnbXq5Qck:UbA30E9ldapLpkQl

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	480	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2864	schtasks.exe	34

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000018742-12.dat	dcrat
behavioral1/memory/2776-13-0x0000000000B80000-0x0000000000C56000-memory.dmp	dcrat
behavioral1/memory/1664-46-0x00000000009B0000-0x0000000000A86000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

pid	Process
2776	Runtimemonitor.exe
1664	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
1848	cmd.exe
1848	cmd.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\ebf1f9fa8afd6d	Runtimemonitor.exe
File created	C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe	Runtimemonitor.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\services.exe	Runtimemonitor.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\c5b4cb5e9653cc	Runtimemonitor.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\sppsvc.exe	Runtimemonitor.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\csrss.exe	Runtimemonitor.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\886983d96e3d3e	Runtimemonitor.exe
File created	C:\Program Files\Windows NT\Accessories\de-DE\6ccacd8608530f	Runtimemonitor.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\0a1fd5f707cd16	Runtimemonitor.exe
File created	C:\Program Files\Windows Mail\cmd.exe	Runtimemonitor.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\cmd.exe	Runtimemonitor.exe
File created	C:\Windows\de-DE\ebf1f9fa8afd6d	Runtimemonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1548	schtasks.exe
2768	schtasks.exe
2988	schtasks.exe
2636	schtasks.exe
1496	schtasks.exe
2808	schtasks.exe
288	schtasks.exe
1580	schtasks.exe
1520	schtasks.exe
1804	schtasks.exe
1404	schtasks.exe
2796	schtasks.exe
2216	schtasks.exe
2812	schtasks.exe
2928	schtasks.exe
1160	schtasks.exe
2160	schtasks.exe
2600	schtasks.exe
2788	schtasks.exe
1768	schtasks.exe
2320	schtasks.exe
2336	schtasks.exe
2252	schtasks.exe
1376	schtasks.exe
2892	schtasks.exe
1072	schtasks.exe
1608	schtasks.exe
2724	schtasks.exe
480	schtasks.exe
2576	schtasks.exe
2684	schtasks.exe
844	schtasks.exe
2296	schtasks.exe
772	schtasks.exe
2308	schtasks.exe
984	schtasks.exe
840	schtasks.exe
2932	schtasks.exe
2712	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2776	Runtimemonitor.exe
2776	Runtimemonitor.exe
2776	Runtimemonitor.exe
2776	Runtimemonitor.exe
2776	Runtimemonitor.exe
2776	Runtimemonitor.exe
2776	Runtimemonitor.exe
1664	Idle.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	Runtimemonitor.exe
Token: SeDebugPrivilege	1664	Idle.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 1972	2200	9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe	30
PID 2200 wrote to memory of 1972	2200	9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe	30
PID 2200 wrote to memory of 1972	2200	9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe	30
PID 2200 wrote to memory of 1972	2200	9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe	30
PID 1972 wrote to memory of 1848	1972	WScript.exe	31
PID 1972 wrote to memory of 1848	1972	WScript.exe	31
PID 1972 wrote to memory of 1848	1972	WScript.exe	31
PID 1972 wrote to memory of 1848	1972	WScript.exe	31
PID 1848 wrote to memory of 2776	1848	cmd.exe	33
PID 1848 wrote to memory of 2776	1848	cmd.exe	33
PID 1848 wrote to memory of 2776	1848	cmd.exe	33
PID 1848 wrote to memory of 2776	1848	cmd.exe	33
PID 2776 wrote to memory of 1664	2776	Runtimemonitor.exe	74
PID 2776 wrote to memory of 1664	2776	Runtimemonitor.exe	74
PID 2776 wrote to memory of 1664	2776	Runtimemonitor.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe
"C:\Users\Admin\AppData\Local\Temp\9bf9efa06f63a21c9893e1acfa2ae7838ab3bdcb7d768ef6304756845395bfb7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\PortcomAgentwinbroker\w1FXjdRze6k4uvStmhH3M.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\PortcomAgentwinbroker\1uTBfrpLb993XlgcpIpPee79uOtZ.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\PortcomAgentwinbroker\Runtimemonitor.exe
      "C:\PortcomAgentwinbroker\Runtimemonitor.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe
        
        "C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\en-US\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\de-DE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PortcomAgentwinbroker\1uTBfrpLb993XlgcpIpPee79uOtZ.bat

Filesize
45B

MD5
045087efd61d5ab94d918bfd3946a335

SHA1
3aff3cfa40d70469614e4228d91a606c83ea7919

SHA256
e482a83af3f1dfc25dc04f86b454e21d1107cc9cf5cd18c172c3e3f3b9a3b022

SHA512
047d93b004fe7ee1448eb274ee640d104aac06c00d5ea2acdd56b78581d610e93a702e9098d33c985cae2758b3cc502331747fa0979a075aa5c39a30f7910d49

Download Submit
C:\PortcomAgentwinbroker\Runtimemonitor.exe

Filesize
828KB

MD5
2effcbfe83a6e643d620bd7221b8d4cc

SHA1
37ba35e898bc1135c3be15127d1baf95ea311029

SHA256
4618a1f497b813ef1f58a9a256bbd0f418c70ec7340ce9e0a51e343d21095b40

SHA512
0dcc2febdf5ad2c5f5bda5680bde51b23ea5d5ea38bdc6bc8dda0d2f0a0ae9c4a619b9a7aabd024da9c45f4df594766d400abd4df07ee30fc4a2869da77d6999

Download Submit
C:\PortcomAgentwinbroker\w1FXjdRze6k4uvStmhH3M.vbe

Filesize
226B

MD5
965fe1cee13f15bd288f9f8d603a2769

SHA1
18ca01b1ee9a9b524ca5aaa1b750c38a1303f7c1

SHA256
b6ff2be9587c1e05b35823470a835d0dea7850ff2ed98e57722489db44033a8b

SHA512
364a403217a76567c96632741c3f0473a09af1185acff65926aafee1655df5d9f6161f2799d57f6d432e7f87a0ac592cd6ad7f6424c89eac12f793b27d4e9d72

Download Submit
memory/1664-46-0x00000000009B0000-0x0000000000A86000-memory.dmp

Filesize
856KB

Download
memory/2776-13-0x0000000000B80000-0x0000000000C56000-memory.dmp

Filesize
856KB

Download