dcrat | 65063fcd5a9010a706580e11f6abf886a45fa6dd15743bdc41a49b1f9ac5761a

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-01-2025 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8fd8ab8d6bffd83d24ec8c669958653.exe
Size

1.5MB
MD5

b8fd8ab8d6bffd83d24ec8c669958653
SHA1

7cf5979b3d3aa0a10d595f9a9db286b689a2d167
SHA256

65063fcd5a9010a706580e11f6abf886a45fa6dd15743bdc41a49b1f9ac5761a
SHA512

b258de30aebe40dd80112011827e23c569c776e90c79fb4d00ac25760c4ce9344d6f5104d9f79d78ea8884fb53b25ced0a12f1df5d4a232057686422611afb4a
SSDEEP

24576:U2G/nvxW3Ww0t6kS6gR4zPK3r0Y2bpq5vbf4w8IzRII4Wa6gSqJ8S:UbA306DRcIruWf7RII2vS+r

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2112	schtasks.exe	34

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016ca5-10.dat	dcrat
behavioral1/memory/2900-13-0x00000000011B0000-0x00000000012E6000-memory.dmp	dcrat
behavioral1/memory/2560-47-0x0000000000950000-0x0000000000A86000-memory.dmp	dcrat
behavioral1/memory/2940-54-0x0000000000F90000-0x00000000010C6000-memory.dmp	dcrat
behavioral1/memory/2872-61-0x0000000001210000-0x0000000001346000-memory.dmp	dcrat
behavioral1/memory/2212-80-0x00000000012B0000-0x00000000013E6000-memory.dmp	dcrat

Executes dropped EXE 10 IoCs

pid	Process
2900	serverperf.exe
2560	spoolsv.exe
2940	spoolsv.exe
2872	spoolsv.exe
2836	spoolsv.exe
2768	spoolsv.exe
2212	spoolsv.exe
2396	spoolsv.exe
1820	spoolsv.exe
1148	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
2756	cmd.exe
2756	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
7	pastebin.com
9	pastebin.com
13	pastebin.com
17	pastebin.com
4	pastebin.com
11	pastebin.com
15	pastebin.com
19	pastebin.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Portable Devices\6203df4a6bafc7	serverperf.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\dwm.exe	serverperf.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\6cb0b6c459d5d3	serverperf.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\lsass.exe	serverperf.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\6203df4a6bafc7	serverperf.exe
File created	C:\Program Files\Windows Portable Devices\lsass.exe	serverperf.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\security\audit\6cb0b6c459d5d3	serverperf.exe
File created	C:\Windows\LiveKernelReports\cmd.exe	serverperf.exe
File opened for modification	C:\Windows\LiveKernelReports\cmd.exe	serverperf.exe
File created	C:\Windows\LiveKernelReports\ebf1f9fa8afd6d	serverperf.exe
File created	C:\Windows\security\audit\dwm.exe	serverperf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8fd8ab8d6bffd83d24ec8c669958653.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2652	schtasks.exe
2860	schtasks.exe
2284	schtasks.exe
1852	schtasks.exe
1520	schtasks.exe
688	schtasks.exe
1720	schtasks.exe
2212	schtasks.exe
768	schtasks.exe
1496	schtasks.exe
2776	schtasks.exe
1248	schtasks.exe
1052	schtasks.exe
1632	schtasks.exe
2708	schtasks.exe
1804	schtasks.exe
788	schtasks.exe
3052	schtasks.exe
1048	schtasks.exe
1260	schtasks.exe
2572	schtasks.exe
1800	schtasks.exe
2492	schtasks.exe
1656	schtasks.exe
2808	schtasks.exe
2676	schtasks.exe
2448	schtasks.exe
1176	schtasks.exe
576	schtasks.exe
2840	schtasks.exe
1228	schtasks.exe
968	schtasks.exe
660	schtasks.exe
2856	schtasks.exe
3008	schtasks.exe
2996	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2900	serverperf.exe
2900	serverperf.exe
2900	serverperf.exe
2560	spoolsv.exe
2940	spoolsv.exe
2872	spoolsv.exe
2836	spoolsv.exe
2768	spoolsv.exe
2212	spoolsv.exe
2396	spoolsv.exe
1820	spoolsv.exe
1148	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	serverperf.exe
Token: SeDebugPrivilege	2560	spoolsv.exe
Token: SeDebugPrivilege	2940	spoolsv.exe
Token: SeDebugPrivilege	2872	spoolsv.exe
Token: SeDebugPrivilege	2836	spoolsv.exe
Token: SeDebugPrivilege	2768	spoolsv.exe
Token: SeDebugPrivilege	2212	spoolsv.exe
Token: SeDebugPrivilege	2396	spoolsv.exe
Token: SeDebugPrivilege	1820	spoolsv.exe
Token: SeDebugPrivilege	1148	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 1848	1916	b8fd8ab8d6bffd83d24ec8c669958653.exe	30
PID 1916 wrote to memory of 1848	1916	b8fd8ab8d6bffd83d24ec8c669958653.exe	30
PID 1916 wrote to memory of 1848	1916	b8fd8ab8d6bffd83d24ec8c669958653.exe	30
PID 1916 wrote to memory of 1848	1916	b8fd8ab8d6bffd83d24ec8c669958653.exe	30
PID 1848 wrote to memory of 2756	1848	WScript.exe	31
PID 1848 wrote to memory of 2756	1848	WScript.exe	31
PID 1848 wrote to memory of 2756	1848	WScript.exe	31
PID 1848 wrote to memory of 2756	1848	WScript.exe	31
PID 2756 wrote to memory of 2900	2756	cmd.exe	33
PID 2756 wrote to memory of 2900	2756	cmd.exe	33
PID 2756 wrote to memory of 2900	2756	cmd.exe	33
PID 2756 wrote to memory of 2900	2756	cmd.exe	33
PID 2900 wrote to memory of 2560	2900	serverperf.exe	71
PID 2900 wrote to memory of 2560	2900	serverperf.exe	71
PID 2900 wrote to memory of 2560	2900	serverperf.exe	71
PID 2560 wrote to memory of 2532	2560	spoolsv.exe	74
PID 2560 wrote to memory of 2532	2560	spoolsv.exe	74
PID 2560 wrote to memory of 2532	2560	spoolsv.exe	74
PID 2532 wrote to memory of 1856	2532	cmd.exe	76
PID 2532 wrote to memory of 1856	2532	cmd.exe	76
PID 2532 wrote to memory of 1856	2532	cmd.exe	76
PID 2532 wrote to memory of 2940	2532	cmd.exe	77
PID 2532 wrote to memory of 2940	2532	cmd.exe	77
PID 2532 wrote to memory of 2940	2532	cmd.exe	77
PID 2940 wrote to memory of 2652	2940	spoolsv.exe	78
PID 2940 wrote to memory of 2652	2940	spoolsv.exe	78
PID 2940 wrote to memory of 2652	2940	spoolsv.exe	78
PID 2652 wrote to memory of 3064	2652	cmd.exe	80
PID 2652 wrote to memory of 3064	2652	cmd.exe	80
PID 2652 wrote to memory of 3064	2652	cmd.exe	80
PID 2652 wrote to memory of 2872	2652	cmd.exe	81
PID 2652 wrote to memory of 2872	2652	cmd.exe	81
PID 2652 wrote to memory of 2872	2652	cmd.exe	81
PID 2872 wrote to memory of 2500	2872	spoolsv.exe	82
PID 2872 wrote to memory of 2500	2872	spoolsv.exe	82
PID 2872 wrote to memory of 2500	2872	spoolsv.exe	82
PID 2500 wrote to memory of 780	2500	cmd.exe	84
PID 2500 wrote to memory of 780	2500	cmd.exe	84
PID 2500 wrote to memory of 780	2500	cmd.exe	84
PID 2500 wrote to memory of 2836	2500	cmd.exe	85
PID 2500 wrote to memory of 2836	2500	cmd.exe	85
PID 2500 wrote to memory of 2836	2500	cmd.exe	85
PID 2836 wrote to memory of 2580	2836	spoolsv.exe	86
PID 2836 wrote to memory of 2580	2836	spoolsv.exe	86
PID 2836 wrote to memory of 2580	2836	spoolsv.exe	86
PID 2580 wrote to memory of 1644	2580	cmd.exe	88
PID 2580 wrote to memory of 1644	2580	cmd.exe	88
PID 2580 wrote to memory of 1644	2580	cmd.exe	88
PID 2580 wrote to memory of 2768	2580	cmd.exe	89
PID 2580 wrote to memory of 2768	2580	cmd.exe	89
PID 2580 wrote to memory of 2768	2580	cmd.exe	89
PID 2768 wrote to memory of 2120	2768	spoolsv.exe	90
PID 2768 wrote to memory of 2120	2768	spoolsv.exe	90
PID 2768 wrote to memory of 2120	2768	spoolsv.exe	90
PID 2120 wrote to memory of 1612	2120	cmd.exe	92
PID 2120 wrote to memory of 1612	2120	cmd.exe	92
PID 2120 wrote to memory of 1612	2120	cmd.exe	92
PID 2120 wrote to memory of 2212	2120	cmd.exe	93
PID 2120 wrote to memory of 2212	2120	cmd.exe	93
PID 2120 wrote to memory of 2212	2120	cmd.exe	93
PID 2212 wrote to memory of 336	2212	spoolsv.exe	94
PID 2212 wrote to memory of 336	2212	spoolsv.exe	94
PID 2212 wrote to memory of 336	2212	spoolsv.exe	94
PID 336 wrote to memory of 920	336	cmd.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b8fd8ab8d6bffd83d24ec8c669958653.exe
"C:\Users\Admin\AppData\Local\Temp\b8fd8ab8d6bffd83d24ec8c669958653.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\refhostperf\YDUzd2DburnkxzGba.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\refhostperf\24yvIrFqc9yigx6x0kwB7b7gqXz7Pn.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\refhostperf\serverperf.exe
      "C:\refhostperf\serverperf.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Users\All Users\Application Data\spoolsv.exe
        
        "C:\Users\All Users\Application Data\spoolsv.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2560
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EH4KCibIlQ.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1856
        
        C:\Users\All Users\Application Data\spoolsv.exe
        
        "C:\Users\All Users\Application Data\spoolsv.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EVfp7xrD4G.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3064
        
        C:\Users\All Users\Application Data\spoolsv.exe
        
        "C:\Users\All Users\Application Data\spoolsv.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ww6iFNwlpp.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:780
        
        C:\Users\All Users\Application Data\spoolsv.exe
        
        "C:\Users\All Users\Application Data\spoolsv.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J91AFVPMIK.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1644
        
        C:\Users\All Users\Application Data\spoolsv.exe
        
        "C:\Users\All Users\Application Data\spoolsv.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1612
        
        C:\Users\All Users\Application Data\spoolsv.exe
        
        "C:\Users\All Users\Application Data\spoolsv.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:920
        
        C:\Users\All Users\Application Data\spoolsv.exe
        
        "C:\Users\All Users\Application Data\spoolsv.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat"
        18⤵
        
        PID:2668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2068
        
        C:\Users\All Users\Application Data\spoolsv.exe
        
        "C:\Users\All Users\Application Data\spoolsv.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat"
        20⤵
        
        PID:2116
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1784
        
        C:\Users\All Users\Application Data\spoolsv.exe
        
        "C:\Users\All Users\Application Data\spoolsv.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\LiveKernelReports\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\refhostperf\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\refhostperf\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\refhostperf\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\refhostperf\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\refhostperf\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\refhostperf\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\refhostperf\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\refhostperf\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\refhostperf\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Desktop\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\security\audit\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\security\audit\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\security\audit\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Application Data\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Application Data\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat

Filesize
212B

MD5
73250f16103f01c09c5617566950d184

SHA1
d832cbd1e0f3e83f9128f0f3dc4c1574d5b7b2d2

SHA256
148fec7d346593a3da98cdbf0248a16318d725fb715c76ee9f88904bb1857b1f

SHA512
c6dbbaa72e93f7a18ec2b310b7b8d07300b2cdabc56effbb369a2c367fc1fbfdcedeea5e7ca15225c15dd1bcf6ecb02d4a199d3dd049a1441ac99af50f6274e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat

Filesize
212B

MD5
6bef13a983ca6df5ff600d53dd4a7361

SHA1
026d8f8b7d2c69d97dfaa757d00ddcc8376718b3

SHA256
bb0c6d935ee91dec0dfe9a971aae5dd7a51ee96500b015aa9630cfa7b0685ec1

SHA512
51c6f480fe418100829e251cfac9a2f7b2e319e57a427ce0e4eec0852a2ea5a2942039d7001739847a5ac6087ff395ddf8a779894d48b56323e6e0a1dff8bea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EH4KCibIlQ.bat

Filesize
212B

MD5
50beb920c019e214f88cc167ad2c9dd2

SHA1
dda8c2d6f58de9eac359c309d85f56057083513c

SHA256
cde5ddab8d7d845ff27828079701890723f91c9a55a36fb6240127387bfc6046

SHA512
88991c6033e773a082c32d503a56ff42d058166a7fc49081901ec524de3205312786af493ff147d22f350d3b0a447b983a88c30a447f961da18fd860214feca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EVfp7xrD4G.bat

Filesize
212B

MD5
9085a461764ec44a4f9e82c24c937821

SHA1
33e28bded8395c1b5407c4cced56a7c5a4d3e322

SHA256
aaaf1578aa31aa8da5bd8088910e74aa1b4f2a6521054c4e1103d90c3d9326ce

SHA512
aef27242ee027bc907920d9a72734ffab4756b465565bfc6d75c1c6ba417fccbb59978d84a5beb9fc7e175cdf297c50aa4ae6609443613900bcb03928b2fa478

Download Submit
C:\Users\Admin\AppData\Local\Temp\J91AFVPMIK.bat

Filesize
212B

MD5
9764190b405ef836088aca7efe01c734

SHA1
35813e6ad9c5f86101b5c79400409be01a49bc0d

SHA256
209d5b6a818454aa4eeefabc521b721e72131638216f73a8245e279bf2c2461b

SHA512
8d9ef3197c3d74c427365aa107cb02c290d4d3c282dd812c311604ef856fda377c547420b60db5396b1b51a27173590c9cb8558ec397d018ab7472e2ab56f4e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ww6iFNwlpp.bat

Filesize
212B

MD5
9e6d21f9f445cc7ec8b6d2942dbb8f0d

SHA1
e0608a50539c16f5dbf1e0aaefd779986fc09406

SHA256
ebfe420d9125a54bc855f125b007f7810d929afeee0c99bbfd2b4330f04a83ba

SHA512
ae6dd48249d006899f8f785e1ee1929e15750527e1abca28eea676adb3d4d1b680c0f082b4df57a65865bdd4523cfdbf15199f69b457ac0a4d805dc2ab630c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat

Filesize
212B

MD5
b7fc06354dd082cc75bfecb68ce7367b

SHA1
198a854346e6519f1b7761a216b78c63367de6b0

SHA256
61152a59a286fc0a1a636f17054b8936cabcd985248b79614299efecace15383

SHA512
7e3be574dba742907618a82ccbe0da553fb5fd7805ca64f61ca31a20588e6c34a993a1c26c4b29a373d749775cae5aea29f4dc1e7b65d93d9ee92673374a2adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat

Filesize
212B

MD5
3c9b514f1cea846858c4239d0c9e2c75

SHA1
721965e494446a88125ef5ef06f92d726c736c57

SHA256
18cabeda955d6cce00d8b6b04dc0499bbf5f85fadaf5b3f49c909f1c518317c5

SHA512
9717aa2b6010086ad737ab0a7c3c3dbb9749174422c1614dc8418c2ec2c7597952f8b971e23408057178c0defb000cc9c97d88fae9b388050b42555b58d85af6

Download Submit
C:\refhostperf\24yvIrFqc9yigx6x0kwB7b7gqXz7Pn.bat

Filesize
31B

MD5
659397b18711665774947ed6189e91ae

SHA1
73006ef2a02a72132f180e873324e8a6e4c593df

SHA256
a939eb9c97b5aad7a4aa9cc522e93a81399fffc03b7536f603175a90d3fc6130

SHA512
f68315f1f2aad292176dc1f845da4fa4acb59bedf4f446130edc73481bf6bcc2e765258fbc558b1b3b3a08590e25e6937e9046adf4f00eb2afbb172646298c30

Download Submit
C:\refhostperf\YDUzd2DburnkxzGba.vbe

Filesize
218B

MD5
693da7c1e4c7e39bb88041ca03bbf61e

SHA1
87ff5e77258e4ff5833a04ce4168d287510d32d6

SHA256
3ea997020623cbd40f68cff156f5ede16b0a4c2418b07ee5dacf64770a7fff99

SHA512
f64a9f10099e9cc009160ead27a6c6420a78a7265ffeb754fc3819f418bc02ccea0be2c3b24dd9849b90a7423e850ae4fb5253958ccd5cc92867e094508da837

Download Submit
C:\refhostperf\serverperf.exe

Filesize
1.2MB

MD5
7fec3eebd710313f7b35254d792228fc

SHA1
e55a429782c6f78e6fc8c80d6fb71a85ce1d01aa

SHA256
3d32ef71bff87e2ac881484cea6b82bd52090a7252c8719f11fb73bb8f63a405

SHA512
83932d7ac29af18c3a0f1424d2cd3e2a1810e908c828377f5c0d6e72240820c3778378c9c3f0c7b86ca94a8265d9c7c0e2b9460de288f07b62c98cd89d699af4

Download Submit
memory/2212-80-0x00000000012B0000-0x00000000013E6000-memory.dmp

Filesize
1.2MB

Download
memory/2560-47-0x0000000000950000-0x0000000000A86000-memory.dmp

Filesize
1.2MB

Download
memory/2872-61-0x0000000001210000-0x0000000001346000-memory.dmp

Filesize
1.2MB

Download
memory/2900-13-0x00000000011B0000-0x00000000012E6000-memory.dmp

Filesize
1.2MB

Download
memory/2900-14-0x0000000000150000-0x000000000016C000-memory.dmp

Filesize
112KB

Download
memory/2900-16-0x0000000000390000-0x000000000039E000-memory.dmp

Filesize
56KB

Download
memory/2900-15-0x0000000000170000-0x0000000000186000-memory.dmp

Filesize
88KB

Download
memory/2940-54-0x0000000000F90000-0x00000000010C6000-memory.dmp

Filesize
1.2MB

Download