dcrat | f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343

Analysis

max time kernel
122s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-01-2025 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Size

2.7MB
MD5

4d9be74be06728c10b25ef019f7ff0b3
SHA1

10c41cfa6c5dbec839759e9fd6971e57311ea76a
SHA256

f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343
SHA512

5e5b6b7a1fe66625b95d83fa2c0c77defe75c328cea02418179ce674134de65a1a2e3fc1e281d12448ac931cd803238205f0a71be73deee473d562d5ca3fd96f
SSDEEP

49152:VRx6mfxiUnp3jfmEXD9KxZU9IaK3clnUezzuuLjaO7e:b40VJ5XQxZUyrctHNyse

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2092	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2092	schtasks.exe	30

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/3052-1-0x0000000000EB0000-0x0000000001164000-memory.dmp	dcrat
behavioral1/files/0x000500000001952f-28.dat	dcrat
behavioral1/files/0x0008000000019261-94.dat	dcrat
behavioral1/files/0x000800000001967f-117.dat	dcrat
behavioral1/files/0x0006000000019623-127.dat	dcrat
behavioral1/files/0x000d00000001961d-171.dat	dcrat
behavioral1/files/0x00080000000196c0-196.dat	dcrat
behavioral1/files/0x0007000000019fbc-207.dat	dcrat
behavioral1/memory/2060-220-0x00000000013A0000-0x0000000001654000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2060	lsass.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\0411\spoolsv.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Windows\System32\0411\spoolsv.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Windows\System32\0411\f3b6ecef712a24	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Windows\System32\0411\RCXDD11.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Windows\System32\0411\RCXDD7F.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows NT\RCXD1B2.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files\Windows Portable Devices\spoolsv.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXC094.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXCED2.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Program Files\Windows Portable Devices\f3b6ecef712a24	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\RCXC305.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\explorer.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\services.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Program Files (x86)\Windows Mail\explorer.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Program Files (x86)\Uninstall Information\b75386f1303e64	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Program Files (x86)\Windows Portable Devices\services.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Program Files (x86)\Uninstall Information\taskhost.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Program Files\Windows Portable Devices\spoolsv.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files\Windows NT\RCXD1B1.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Program Files (x86)\Windows Portable Devices\c5b4cb5e9653cc	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Program Files (x86)\Windows Mail\7a0fd90576e088	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files\Windows NT\lsass.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\lsass.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXCF40.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXD628.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXDAA0.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\6203df4a6bafc7	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXC083.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Program Files\Windows NT\6203df4a6bafc7	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXD629.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXDA9F.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\taskhost.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\lsass.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Program Files\Windows NT\lsass.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\RCXC306.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Registration\CRMLog\smss.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File created	C:\Windows\Registration\CRMLog\69ddcba757bf72	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCXC577.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCXC5E5.tmp	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
File opened for modification	C:\Windows\Registration\CRMLog\smss.exe	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3012	schtasks.exe
1728	schtasks.exe
1696	schtasks.exe
2240	schtasks.exe
2792	schtasks.exe
2184	schtasks.exe
2504	schtasks.exe
1620	schtasks.exe
2880	schtasks.exe
1468	schtasks.exe
2428	schtasks.exe
1636	schtasks.exe
2696	schtasks.exe
2536	schtasks.exe
2080	schtasks.exe
2312	schtasks.exe
1704	schtasks.exe
2604	schtasks.exe
2840	schtasks.exe
2600	schtasks.exe
1412	schtasks.exe
1640	schtasks.exe
2344	schtasks.exe
2904	schtasks.exe
2808	schtasks.exe
2672	schtasks.exe
2704	schtasks.exe
2484	schtasks.exe
1740	schtasks.exe
444	schtasks.exe
592	schtasks.exe
2760	schtasks.exe
1724	schtasks.exe
1672	schtasks.exe
304	schtasks.exe
2348	schtasks.exe
1036	schtasks.exe
700	schtasks.exe
2788	schtasks.exe
1616	schtasks.exe
2512	schtasks.exe
960	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3052	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
3052	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
3052	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
2060	lsass.exe
2060	lsass.exe
2060	lsass.exe
2060	lsass.exe
2060	lsass.exe
2060	lsass.exe
2060	lsass.exe
2060	lsass.exe
2060	lsass.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2060	lsass.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3052	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Token: SeDebugPrivilege	2060	lsass.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2536	3052	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe	74
PID 3052 wrote to memory of 2536	3052	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe	74
PID 3052 wrote to memory of 2536	3052	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe	74
PID 2536 wrote to memory of 1576	2536	cmd.exe	76
PID 2536 wrote to memory of 1576	2536	cmd.exe	76
PID 2536 wrote to memory of 1576	2536	cmd.exe	76
PID 2536 wrote to memory of 2060	2536	cmd.exe	77
PID 2536 wrote to memory of 2060	2536	cmd.exe	77
PID 2536 wrote to memory of 2060	2536	cmd.exe	77

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe
"C:\Users\Admin\AppData\Local\Temp\f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JVYPlprweH.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1576
- - C:\Program Files\Mozilla Firefox\browser\features\lsass.exe
    "C:\Program Files\Mozilla Firefox\browser\features\lsass.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\browser\features\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\browser\features\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\CRMLog\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\Registration\CRMLog\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Favorites\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows NT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Saved Games\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Saved Games\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\System32\0411\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\0411\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\System32\0411\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe

Filesize
2.7MB

MD5
cc658259286b8228715ff3addf70c60b

SHA1
ea951ebab3baf6d4e0604f9783485f20f1fa3450

SHA256
10d34a27e95fdf061c7a8d6339c20ff272879ce0dce61e6059120b447f967595

SHA512
578d64e59c0c129e7c612883d408be9dc8db9f28fb48272e4327499a170b7adcb021a4981c3f5e3677d45281d441425621990404e21c31725b92138f968262e6

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe

Filesize
2.7MB

MD5
c992a0ab6dee4ebe5bc55112c9e42d55

SHA1
f3edfc511dc20f4c6425a99e75c86824816b4994

SHA256
dfa94ee5c701858b31f2ac4035b37b6bb51ff7296dc5b9dd8b8f8090fe94bd41

SHA512
b079c160437efa60419054dbbe86c26573f4baca6d092ddd8e6ccf8ca32cfcc3e991d02f75d066a58865f3c58b0648ba407e4498189a0d1390455dd6222a1e8a

Download Submit
C:\Program Files (x86)\Windows Mail\RCXCF40.tmp

Filesize
2.7MB

MD5
d36e838f9020a1e2d9f1b82ae14b9e05

SHA1
3586295161fbf78694249ce8618cf16d69351ec5

SHA256
1f4b9dd0129bdb17fd99380f835b0d5928707929be65280a6a5604c4e04cf432

SHA512
0160cc138e2a2c78be80206e7a26736d140bb4f29a1876d627123e7ac48346960b9d2390ad4b462027a93a9269b95edf29e6196b4347e7d62b1c122da44b94fd

Download Submit
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe

Filesize
2.7MB

MD5
d4c7b2e2defe150d58db6f98e2244e84

SHA1
60eb6b1123b6105ab26e5a405a4785384731d43b

SHA256
33f3313a634ee5f36ec49981b4352493d798f50aa76ab4a7b05fece517d50476

SHA512
0954f12abfd6207d98d62a8bfe6b9970e1f5388ff6e95053fe7870c3a376a1fcaa910a76f9a9e69ec13c881da91e47e8cfbff2fff5ac55887614c8fce54d5b59

Download Submit
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe

Filesize
2.7MB

MD5
4d9be74be06728c10b25ef019f7ff0b3

SHA1
10c41cfa6c5dbec839759e9fd6971e57311ea76a

SHA256
f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343

SHA512
5e5b6b7a1fe66625b95d83fa2c0c77defe75c328cea02418179ce674134de65a1a2e3fc1e281d12448ac931cd803238205f0a71be73deee473d562d5ca3fd96f

Download Submit
C:\Users\Admin\AppData\Local\Temp\JVYPlprweH.bat

Filesize
224B

MD5
ea00b50c8cbdf87c29c119289947441b

SHA1
e7d41e725fa3c6015127aa75c1af1d09f7d11319

SHA256
fbe118be05b69aaed04d02559dcb8304a04f3105808f757330daed79abb6733c

SHA512
f3b7e468baa060f476c3b30dbb43c8d366d6ec09654ed9b87fe620398784c01754bc18a02aa5bcac7454551b3b5421f6313b8a1aeb3776941d47e98f68b842f7

Download Submit
C:\Users\Public\Favorites\csrss.exe

Filesize
2.7MB

MD5
54e7f4f8b76e3df5446fb22746c18cf3

SHA1
d60417e2442016e6fe187d815bd82ef20eb598d7

SHA256
3517df65f02715f05ecc9e5ce99048880bb26170f7d8ac82fad7f7657c68f89a

SHA512
179166d060f8da4c78c08d69792bd0af94d73340fdd4235a07401d955f741dca7aa2a1f3380ec99d5e86ec72699b3498510988bb63729418d6374079040a4f08

Download Submit
C:\Windows\System32\0411\spoolsv.exe

Filesize
2.7MB

MD5
9862e2a0926d57acca5374a51986a4ce

SHA1
0b2211c5cde6fab8fe810babd0a1f726ebcf91c3

SHA256
e31ca78c6b434ddc1aeb78fe5df060475f6bfa3798a8733e5f21bc2513346b88

SHA512
aeaf7b70d9bf37f0a946140e2dc657acc50ad07b7032f2d7e75e936bf1b87defd76bd81bb52735de1e3989cac6c467c713904319db79b6cfa4b223f8afc11484

Download Submit
memory/2060-220-0x00000000013A0000-0x0000000001654000-memory.dmp

Filesize
2.7MB

Download
memory/3052-8-0x0000000000A40000-0x0000000000A48000-memory.dmp

Filesize
32KB

Download
memory/3052-9-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

Filesize
40KB

Download
memory/3052-11-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

Filesize
32KB

Download
memory/3052-12-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/3052-13-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/3052-14-0x0000000000B70000-0x0000000000B78000-memory.dmp

Filesize
32KB

Download
memory/3052-15-0x0000000000C70000-0x0000000000C7C000-memory.dmp

Filesize
48KB

Download
memory/3052-16-0x0000000000C80000-0x0000000000C8E000-memory.dmp

Filesize
56KB

Download
memory/3052-17-0x0000000000C90000-0x0000000000C9C000-memory.dmp

Filesize
48KB

Download
memory/3052-18-0x000000001A9D0000-0x000000001A9DA000-memory.dmp

Filesize
40KB

Download
memory/3052-19-0x000000001A9E0000-0x000000001A9EC000-memory.dmp

Filesize
48KB

Download
memory/3052-10-0x0000000000C00000-0x0000000000C56000-memory.dmp

Filesize
344KB

Download
memory/3052-0-0x000007FEF5B63000-0x000007FEF5B64000-memory.dmp

Filesize
4KB

Download
memory/3052-7-0x0000000000A90000-0x0000000000AA6000-memory.dmp

Filesize
88KB

Download
memory/3052-6-0x0000000000790000-0x00000000007A0000-memory.dmp

Filesize
64KB

Download
memory/3052-5-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/3052-187-0x000007FEF5B63000-0x000007FEF5B64000-memory.dmp

Filesize
4KB

Download
memory/3052-4-0x00000000001D0000-0x00000000001EC000-memory.dmp

Filesize
112KB

Download
memory/3052-3-0x00000000001C0000-0x00000000001CE000-memory.dmp

Filesize
56KB

Download
memory/3052-210-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/3052-216-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/3052-2-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/3052-1-0x0000000000EB0000-0x0000000001164000-memory.dmp

Filesize
2.7MB

Download