dcrat | d239fc2c02176544f563b8af3a91751613a9c1e85e36372c49ed132976888259

Analysis

max time kernel
93s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 06:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eba23ee4fa3441dd8972973ac7665007.exe
Size

828KB
MD5

eba23ee4fa3441dd8972973ac7665007
SHA1

a8416561dd666fbeb01688ea9e17dc2cfae18a24
SHA256

d239fc2c02176544f563b8af3a91751613a9c1e85e36372c49ed132976888259
SHA512

c209b7d8535b5be51dd56fecade2f8ea6b853d48d45877ba9ea708face3031ed01ad85d4ac42a7ffb93568c1f2c58475e8f1fa07f54c5321dd44a5bc8ff53e96
SSDEEP

12288:qTwIZR2pvarT1TZnszQGEfIjvOOK2elbuXH82x7F:iZR2pvmpszQcvOOeYsaF

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1520	schtasks.exe
		5080	schtasks.exe
		688	schtasks.exe
		3988	schtasks.exe
File created	C:\Program Files\Microsoft Office\6203df4a6bafc7		eba23ee4fa3441dd8972973ac7665007.exe
		1396	schtasks.exe
		1508	schtasks.exe
		2568	schtasks.exe
		4584	schtasks.exe
		4436	schtasks.exe
		1088	schtasks.exe
		1632	schtasks.exe
		3184	schtasks.exe
		3708	schtasks.exe
		4128	schtasks.exe
		4320	schtasks.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\0a1fd5f707cd16		eba23ee4fa3441dd8972973ac7665007.exe
		2428	schtasks.exe
		3704	schtasks.exe
		3964	schtasks.exe
		1304	schtasks.exe
		3720	schtasks.exe
		5016	schtasks.exe
		2292	schtasks.exe
		5052	schtasks.exe
		3292	schtasks.exe
File created	C:\Program Files (x86)\Common Files\Oracle\38384e6a620884		eba23ee4fa3441dd8972973ac7665007.exe
		3768	schtasks.exe
		1604	schtasks.exe
		2876	schtasks.exe
		3176	schtasks.exe
		5104	schtasks.exe
		3976	schtasks.exe
		3328	schtasks.exe
		1032	schtasks.exe
File created	C:\Windows\L2Schemas\27d1bcfc3c54e0		eba23ee4fa3441dd8972973ac7665007.exe
		3736	schtasks.exe
		4292	schtasks.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\1036\56085415360792		eba23ee4fa3441dd8972973ac7665007.exe
		4416	schtasks.exe
		4044	schtasks.exe
		3008	schtasks.exe
		1928	schtasks.exe
		2612	schtasks.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Schema\e1ef82546f0b02		eba23ee4fa3441dd8972973ac7665007.exe
		3088	schtasks.exe
		4876	schtasks.exe
		4352	schtasks.exe
		2096	schtasks.exe
		4640	schtasks.exe
		2068	schtasks.exe
		1408	schtasks.exe
		4632	schtasks.exe
		1308	schtasks.exe
		2284	schtasks.exe
		4504	schtasks.exe
		1384	schtasks.exe
		1596	schtasks.exe
		388	schtasks.exe
File created	C:\Windows\Migration\WTR\5940a34987c991		eba23ee4fa3441dd8972973ac7665007.exe
		732	schtasks.exe
		4488	schtasks.exe
		4520	schtasks.exe
		1112	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3768	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3328	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4044	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4128	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	1932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	1932	schtasks.exe	83

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2220-1-0x0000000000100000-0x00000000001D6000-memory.dmp	dcrat
behavioral2/files/0x0007000000023cb6-11.dat	dcrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	eba23ee4fa3441dd8972973ac7665007.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	eba23ee4fa3441dd8972973ac7665007.exe

Executes dropped EXE 1 IoCs

pid	Process
1312	Registry.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Oracle\38384e6a620884	eba23ee4fa3441dd8972973ac7665007.exe
File created	C:\Program Files\Google\Chrome\22eafd247d37c3	eba23ee4fa3441dd8972973ac7665007.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Registry.exe	eba23ee4fa3441dd8972973ac7665007.exe
File opened for modification	C:\Program Files\Microsoft Office\lsass.exe	eba23ee4fa3441dd8972973ac7665007.exe
File created	C:\Program Files (x86)\Windows Media Player\27d1bcfc3c54e0	eba23ee4fa3441dd8972973ac7665007.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\ee2ad38f3d4382	eba23ee4fa3441dd8972973ac7665007.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\fontdrvhost.exe	eba23ee4fa3441dd8972973ac7665007.exe
File created	C:\Program Files (x86)\Common Files\Oracle\SearchApp.exe	eba23ee4fa3441dd8972973ac7665007.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Schema\SppExtComObj.exe	eba23ee4fa3441dd8972973ac7665007.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Schema\e1ef82546f0b02	eba23ee4fa3441dd8972973ac7665007.exe
File created	C:\Program Files\7-Zip\Lang\services.exe	eba23ee4fa3441dd8972973ac7665007.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\5940a34987c991	eba23ee4fa3441dd8972973ac7665007.exe
File created	C:\Program Files\Microsoft Office\6203df4a6bafc7	eba23ee4fa3441dd8972973ac7665007.exe
File created	C:\Program Files (x86)\Windows Media Player\System.exe	eba23ee4fa3441dd8972973ac7665007.exe
File created	C:\Program Files\Google\Chrome\TextInputHost.exe	eba23ee4fa3441dd8972973ac7665007.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe	eba23ee4fa3441dd8972973ac7665007.exe
File created	C:\Program Files\Microsoft Office\lsass.exe	eba23ee4fa3441dd8972973ac7665007.exe
File created	C:\Program Files\7-Zip\Lang\c5b4cb5e9653cc	eba23ee4fa3441dd8972973ac7665007.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File created	C:\Windows\AppReadiness\9e8d7a4ca61bd9	eba23ee4fa3441dd8972973ac7665007.exe
File created	C:\Windows\ServiceState\EventLog\smss.exe	eba23ee4fa3441dd8972973ac7665007.exe
File created	C:\Windows\tracing\explorer.exe	eba23ee4fa3441dd8972973ac7665007.exe
File created	C:\Windows\tracing\7a0fd90576e088	eba23ee4fa3441dd8972973ac7665007.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe	eba23ee4fa3441dd8972973ac7665007.exe
File created	C:\Windows\ShellExperiences\sppsvc.exe	eba23ee4fa3441dd8972973ac7665007.exe
File created	C:\Windows\ShellExperiences\0a1fd5f707cd16	eba23ee4fa3441dd8972973ac7665007.exe
File created	C:\Windows\L2Schemas\System.exe	eba23ee4fa3441dd8972973ac7665007.exe
File created	C:\Windows\L2Schemas\27d1bcfc3c54e0	eba23ee4fa3441dd8972973ac7665007.exe
File created	C:\Windows\AppReadiness\RuntimeBroker.exe	eba23ee4fa3441dd8972973ac7665007.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\0a1fd5f707cd16	eba23ee4fa3441dd8972973ac7665007.exe
File created	C:\Windows\OCR\System.exe	eba23ee4fa3441dd8972973ac7665007.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\1036\56085415360792	eba23ee4fa3441dd8972973ac7665007.exe
File created	C:\Windows\Migration\WTR\dllhost.exe	eba23ee4fa3441dd8972973ac7665007.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\1036\wininit.exe	eba23ee4fa3441dd8972973ac7665007.exe
File created	C:\Windows\Migration\WTR\5940a34987c991	eba23ee4fa3441dd8972973ac7665007.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	eba23ee4fa3441dd8972973ac7665007.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	eba23ee4fa3441dd8972973ac7665007.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1596	schtasks.exe
1396	schtasks.exe
3328	schtasks.exe
2952	schtasks.exe
4708	schtasks.exe
3184	schtasks.exe
3988	schtasks.exe
4044	schtasks.exe
3172	schtasks.exe
4488	schtasks.exe
1408	schtasks.exe
2532	schtasks.exe
4292	schtasks.exe
2284	schtasks.exe
1632	schtasks.exe
1840	schtasks.exe
5016	schtasks.exe
1464	schtasks.exe
3704	schtasks.exe
1508	schtasks.exe
624	schtasks.exe
2192	schtasks.exe
4012	schtasks.exe
2876	schtasks.exe
1604	schtasks.exe
5080	schtasks.exe
4520	schtasks.exe
3088	schtasks.exe
3284	schtasks.exe
4584	schtasks.exe
2096	schtasks.exe
1928	schtasks.exe
1032	schtasks.exe
4744	schtasks.exe
4504	schtasks.exe
388	schtasks.exe
1088	schtasks.exe
3976	schtasks.exe
1520	schtasks.exe
5052	schtasks.exe
1304	schtasks.exe
2428	schtasks.exe
732	schtasks.exe
1876	schtasks.exe
688	schtasks.exe
4416	schtasks.exe
4632	schtasks.exe
4436	schtasks.exe
1308	schtasks.exe
4128	schtasks.exe
4808	schtasks.exe
1112	schtasks.exe
3292	schtasks.exe
5020	schtasks.exe
1544	schtasks.exe
2292	schtasks.exe
2068	schtasks.exe
4352	schtasks.exe
1912	schtasks.exe
4788	schtasks.exe
2568	schtasks.exe
5104	schtasks.exe
3736	schtasks.exe
3008	schtasks.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
2220	eba23ee4fa3441dd8972973ac7665007.exe
2220	eba23ee4fa3441dd8972973ac7665007.exe
2220	eba23ee4fa3441dd8972973ac7665007.exe
2220	eba23ee4fa3441dd8972973ac7665007.exe
2220	eba23ee4fa3441dd8972973ac7665007.exe
2220	eba23ee4fa3441dd8972973ac7665007.exe
2220	eba23ee4fa3441dd8972973ac7665007.exe
2220	eba23ee4fa3441dd8972973ac7665007.exe
2220	eba23ee4fa3441dd8972973ac7665007.exe
2220	eba23ee4fa3441dd8972973ac7665007.exe
2220	eba23ee4fa3441dd8972973ac7665007.exe
2220	eba23ee4fa3441dd8972973ac7665007.exe
2220	eba23ee4fa3441dd8972973ac7665007.exe
2220	eba23ee4fa3441dd8972973ac7665007.exe
2220	eba23ee4fa3441dd8972973ac7665007.exe
2220	eba23ee4fa3441dd8972973ac7665007.exe
2220	eba23ee4fa3441dd8972973ac7665007.exe
2220	eba23ee4fa3441dd8972973ac7665007.exe
2220	eba23ee4fa3441dd8972973ac7665007.exe
2220	eba23ee4fa3441dd8972973ac7665007.exe
2220	eba23ee4fa3441dd8972973ac7665007.exe
2220	eba23ee4fa3441dd8972973ac7665007.exe
2220	eba23ee4fa3441dd8972973ac7665007.exe
2220	eba23ee4fa3441dd8972973ac7665007.exe
2220	eba23ee4fa3441dd8972973ac7665007.exe
4620	eba23ee4fa3441dd8972973ac7665007.exe
4620	eba23ee4fa3441dd8972973ac7665007.exe
4620	eba23ee4fa3441dd8972973ac7665007.exe
4620	eba23ee4fa3441dd8972973ac7665007.exe
4620	eba23ee4fa3441dd8972973ac7665007.exe
4620	eba23ee4fa3441dd8972973ac7665007.exe
4620	eba23ee4fa3441dd8972973ac7665007.exe
4620	eba23ee4fa3441dd8972973ac7665007.exe
4620	eba23ee4fa3441dd8972973ac7665007.exe
1312	Registry.exe
1312	Registry.exe
1312	Registry.exe
1312	Registry.exe
1312	Registry.exe
1312	Registry.exe
1312	Registry.exe
1312	Registry.exe
1312	Registry.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	eba23ee4fa3441dd8972973ac7665007.exe
Token: SeDebugPrivilege	4620	eba23ee4fa3441dd8972973ac7665007.exe
Token: SeDebugPrivilege	1312	Registry.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 1380	2220	eba23ee4fa3441dd8972973ac7665007.exe	138
PID 2220 wrote to memory of 1380	2220	eba23ee4fa3441dd8972973ac7665007.exe	138
PID 1380 wrote to memory of 460	1380	cmd.exe	140
PID 1380 wrote to memory of 460	1380	cmd.exe	140
PID 1380 wrote to memory of 4620	1380	cmd.exe	142
PID 1380 wrote to memory of 4620	1380	cmd.exe	142
PID 4620 wrote to memory of 3216	4620	eba23ee4fa3441dd8972973ac7665007.exe	169
PID 4620 wrote to memory of 3216	4620	eba23ee4fa3441dd8972973ac7665007.exe	169
PID 3216 wrote to memory of 2620	3216	cmd.exe	171
PID 3216 wrote to memory of 2620	3216	cmd.exe	171
PID 3216 wrote to memory of 1312	3216	cmd.exe	178
PID 3216 wrote to memory of 1312	3216	cmd.exe	178

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\eba23ee4fa3441dd8972973ac7665007.exe
"C:\Users\Admin\AppData\Local\Temp\eba23ee4fa3441dd8972973ac7665007.exe"
1⤵
- DcRat
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nno5U9b2pA.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:460
- - C:\Users\Admin\AppData\Local\Temp\eba23ee4fa3441dd8972973ac7665007.exe
    "C:\Users\Admin\AppData\Local\Temp\eba23ee4fa3441dd8972973ac7665007.exe"
    3⤵
    - Checks computer location settings
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4620
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VjVkBtnutg.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3216
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2620
    - - C:\Program Files (x86)\Windows Sidebar\Gadgets\Registry.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Gadgets\Registry.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Application Data\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Application Data\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\AppReadiness\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\AppReadiness\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\AppReadiness\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Music\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Music\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\ShellExperiences\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellExperiences\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\1036\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\1036\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\1036\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\L2Schemas\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\L2Schemas\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Migration\WTR\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\WTR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Oracle\SearchApp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Oracle\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\TextInputHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\tracing\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- DcRat
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Registry.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\ea9f0e6c9e2dcd

Filesize
841B

MD5
4c47b819da8b958273764656f847fa0e

SHA1
ed84fa8d2a7f3b8ee58c2c93a9e76c9f8bcbf612

SHA256
e44602c38e284c2fdf340b8321ffde0db42f36d3dd1aaa18afdd0d1d554c3ea9

SHA512
c34f95cd6a151445515476c2b78b4ece1f20aedf15339203e6d7d090607d993d7f270d1ffe26e341add43c8db3c0d330cbd5dba2e7c188cffa733ea99848f5e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\eba23ee4fa3441dd8972973ac7665007.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nno5U9b2pA.bat

Filesize
235B

MD5
a994fee51a4961118f231bce0e1ba6d1

SHA1
842ddf5204b33a3138073034f0fbe86b4895aa34

SHA256
f6047de408b4bd79a724bdbf1a6c48acebf2c77370d5e9472aa9628fe417242c

SHA512
819084f8cb165786cfd3b266df23a0c1026c0ae9cbbafc536fd2dce62e38473664565709dd7ebb3dd3a81e69ed5dd74453510d622d7d7c766fecfe3fc2799707

Download Submit
C:\Users\Admin\AppData\Local\Temp\VjVkBtnutg.bat

Filesize
224B

MD5
fe22763acdabf4b1cd2d82edd2d2aaaa

SHA1
181ba7f889c872f2c7e4443c49c3fdb5fd05cbc8

SHA256
cf3ced729a4db97eb6e6f282d38862a4942ea94f5b3c2d3c3c278121518ca117

SHA512
34a680c9f0e9019370dc62620866fea781df65d48caa2c78c67d8701714a439355f69d3c24310dedc3112ea538baa6d9877dc218bc555cac636394cb822397bb

Download Submit
C:\Users\Admin\Music\sppsvc.exe

Filesize
828KB

MD5
eba23ee4fa3441dd8972973ac7665007

SHA1
a8416561dd666fbeb01688ea9e17dc2cfae18a24

SHA256
d239fc2c02176544f563b8af3a91751613a9c1e85e36372c49ed132976888259

SHA512
c209b7d8535b5be51dd56fecade2f8ea6b853d48d45877ba9ea708face3031ed01ad85d4ac42a7ffb93568c1f2c58475e8f1fa07f54c5321dd44a5bc8ff53e96

Download Submit
memory/2220-0-0x00007FFEB3CD3000-0x00007FFEB3CD5000-memory.dmp

Filesize
8KB

Download
memory/2220-1-0x0000000000100000-0x00000000001D6000-memory.dmp

Filesize
856KB

Download
memory/2220-4-0x00007FFEB3CD0000-0x00007FFEB4791000-memory.dmp

Filesize
10.8MB

Download
memory/2220-44-0x00007FFEB3CD0000-0x00007FFEB4791000-memory.dmp

Filesize
10.8MB

Download