dcrat | 65063fcd5a9010a706580e11f6abf886a45fa6dd15743bdc41a49b1f9ac5761a

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11-01-2025 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65063fcd5a9010a706580e11f6abf886a45fa6dd15743bdc41a49b1f9ac5761a.exe
Size

1.5MB
MD5

b8fd8ab8d6bffd83d24ec8c669958653
SHA1

7cf5979b3d3aa0a10d595f9a9db286b689a2d167
SHA256

65063fcd5a9010a706580e11f6abf886a45fa6dd15743bdc41a49b1f9ac5761a
SHA512

b258de30aebe40dd80112011827e23c569c776e90c79fb4d00ac25760c4ce9344d6f5104d9f79d78ea8884fb53b25ced0a12f1df5d4a232057686422611afb4a
SSDEEP

24576:U2G/nvxW3Ww0t6kS6gR4zPK3r0Y2bpq5vbf4w8IzRII4Wa6gSqJ8S:UbA306DRcIruWf7RII2vS+r

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2688	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2688	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2688	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2688	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2688	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2688	schtasks.exe	33

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016be9-12.dat	dcrat
behavioral1/memory/2472-13-0x00000000011A0000-0x00000000012D6000-memory.dmp	dcrat
behavioral1/memory/780-28-0x0000000000800000-0x0000000000936000-memory.dmp	dcrat
behavioral1/memory/1196-35-0x0000000000EF0000-0x0000000001026000-memory.dmp	dcrat
behavioral1/memory/1568-48-0x0000000000260000-0x0000000000396000-memory.dmp	dcrat
behavioral1/memory/2312-55-0x00000000009B0000-0x0000000000AE6000-memory.dmp	dcrat
behavioral1/memory/2704-62-0x0000000000E20000-0x0000000000F56000-memory.dmp	dcrat
behavioral1/memory/2424-69-0x00000000001F0000-0x0000000000326000-memory.dmp	dcrat
behavioral1/memory/1340-76-0x0000000000B70000-0x0000000000CA6000-memory.dmp	dcrat
behavioral1/memory/1156-83-0x0000000000290000-0x00000000003C6000-memory.dmp	dcrat
behavioral1/memory/1772-90-0x0000000000040000-0x0000000000176000-memory.dmp	dcrat
behavioral1/memory/2576-97-0x0000000000190000-0x00000000002C6000-memory.dmp	dcrat

Executes dropped EXE 12 IoCs

pid	Process
2472	serverperf.exe
780	WmiPrvSE.exe
1196	WmiPrvSE.exe
280	WmiPrvSE.exe
1568	WmiPrvSE.exe
2312	WmiPrvSE.exe
2704	WmiPrvSE.exe
2424	WmiPrvSE.exe
1340	WmiPrvSE.exe
1156	WmiPrvSE.exe
1772	WmiPrvSE.exe
2576	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
2860	cmd.exe
2860	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
17	pastebin.com
19	pastebin.com
5	pastebin.com
7	pastebin.com
9	pastebin.com
11	pastebin.com
13	pastebin.com
15	pastebin.com
21	pastebin.com
23	pastebin.com
25	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65063fcd5a9010a706580e11f6abf886a45fa6dd15743bdc41a49b1f9ac5761a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2716	schtasks.exe
2672	schtasks.exe
2724	schtasks.exe
2612	schtasks.exe
2328	schtasks.exe
448	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2472	serverperf.exe
2472	serverperf.exe
2472	serverperf.exe
780	WmiPrvSE.exe
1196	WmiPrvSE.exe
280	WmiPrvSE.exe
1568	WmiPrvSE.exe
2312	WmiPrvSE.exe
2704	WmiPrvSE.exe
2424	WmiPrvSE.exe
1340	WmiPrvSE.exe
1156	WmiPrvSE.exe
1772	WmiPrvSE.exe
2576	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2472	serverperf.exe
Token: SeDebugPrivilege	780	WmiPrvSE.exe
Token: SeDebugPrivilege	1196	WmiPrvSE.exe
Token: SeDebugPrivilege	280	WmiPrvSE.exe
Token: SeDebugPrivilege	1568	WmiPrvSE.exe
Token: SeDebugPrivilege	2312	WmiPrvSE.exe
Token: SeDebugPrivilege	2704	WmiPrvSE.exe
Token: SeDebugPrivilege	2424	WmiPrvSE.exe
Token: SeDebugPrivilege	1340	WmiPrvSE.exe
Token: SeDebugPrivilege	1156	WmiPrvSE.exe
Token: SeDebugPrivilege	1772	WmiPrvSE.exe
Token: SeDebugPrivilege	2576	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2752	2140	65063fcd5a9010a706580e11f6abf886a45fa6dd15743bdc41a49b1f9ac5761a.exe	29
PID 2140 wrote to memory of 2752	2140	65063fcd5a9010a706580e11f6abf886a45fa6dd15743bdc41a49b1f9ac5761a.exe	29
PID 2140 wrote to memory of 2752	2140	65063fcd5a9010a706580e11f6abf886a45fa6dd15743bdc41a49b1f9ac5761a.exe	29
PID 2140 wrote to memory of 2752	2140	65063fcd5a9010a706580e11f6abf886a45fa6dd15743bdc41a49b1f9ac5761a.exe	29
PID 2752 wrote to memory of 2860	2752	WScript.exe	30
PID 2752 wrote to memory of 2860	2752	WScript.exe	30
PID 2752 wrote to memory of 2860	2752	WScript.exe	30
PID 2752 wrote to memory of 2860	2752	WScript.exe	30
PID 2860 wrote to memory of 2472	2860	cmd.exe	32
PID 2860 wrote to memory of 2472	2860	cmd.exe	32
PID 2860 wrote to memory of 2472	2860	cmd.exe	32
PID 2860 wrote to memory of 2472	2860	cmd.exe	32
PID 2472 wrote to memory of 2460	2472	serverperf.exe	40
PID 2472 wrote to memory of 2460	2472	serverperf.exe	40
PID 2472 wrote to memory of 2460	2472	serverperf.exe	40
PID 2460 wrote to memory of 2516	2460	cmd.exe	42
PID 2460 wrote to memory of 2516	2460	cmd.exe	42
PID 2460 wrote to memory of 2516	2460	cmd.exe	42
PID 2460 wrote to memory of 780	2460	cmd.exe	43
PID 2460 wrote to memory of 780	2460	cmd.exe	43
PID 2460 wrote to memory of 780	2460	cmd.exe	43
PID 780 wrote to memory of 1004	780	WmiPrvSE.exe	44
PID 780 wrote to memory of 1004	780	WmiPrvSE.exe	44
PID 780 wrote to memory of 1004	780	WmiPrvSE.exe	44
PID 1004 wrote to memory of 1248	1004	cmd.exe	46
PID 1004 wrote to memory of 1248	1004	cmd.exe	46
PID 1004 wrote to memory of 1248	1004	cmd.exe	46
PID 1004 wrote to memory of 1196	1004	cmd.exe	47
PID 1004 wrote to memory of 1196	1004	cmd.exe	47
PID 1004 wrote to memory of 1196	1004	cmd.exe	47
PID 1196 wrote to memory of 2396	1196	WmiPrvSE.exe	48
PID 1196 wrote to memory of 2396	1196	WmiPrvSE.exe	48
PID 1196 wrote to memory of 2396	1196	WmiPrvSE.exe	48
PID 2396 wrote to memory of 560	2396	cmd.exe	50
PID 2396 wrote to memory of 560	2396	cmd.exe	50
PID 2396 wrote to memory of 560	2396	cmd.exe	50
PID 2396 wrote to memory of 280	2396	cmd.exe	51
PID 2396 wrote to memory of 280	2396	cmd.exe	51
PID 2396 wrote to memory of 280	2396	cmd.exe	51
PID 280 wrote to memory of 2260	280	WmiPrvSE.exe	52
PID 280 wrote to memory of 2260	280	WmiPrvSE.exe	52
PID 280 wrote to memory of 2260	280	WmiPrvSE.exe	52
PID 2260 wrote to memory of 352	2260	cmd.exe	54
PID 2260 wrote to memory of 352	2260	cmd.exe	54
PID 2260 wrote to memory of 352	2260	cmd.exe	54
PID 2260 wrote to memory of 1568	2260	cmd.exe	55
PID 2260 wrote to memory of 1568	2260	cmd.exe	55
PID 2260 wrote to memory of 1568	2260	cmd.exe	55
PID 1568 wrote to memory of 1624	1568	WmiPrvSE.exe	56
PID 1568 wrote to memory of 1624	1568	WmiPrvSE.exe	56
PID 1568 wrote to memory of 1624	1568	WmiPrvSE.exe	56
PID 1624 wrote to memory of 1944	1624	cmd.exe	58
PID 1624 wrote to memory of 1944	1624	cmd.exe	58
PID 1624 wrote to memory of 1944	1624	cmd.exe	58
PID 1624 wrote to memory of 2312	1624	cmd.exe	59
PID 1624 wrote to memory of 2312	1624	cmd.exe	59
PID 1624 wrote to memory of 2312	1624	cmd.exe	59
PID 2312 wrote to memory of 2800	2312	WmiPrvSE.exe	60
PID 2312 wrote to memory of 2800	2312	WmiPrvSE.exe	60
PID 2312 wrote to memory of 2800	2312	WmiPrvSE.exe	60
PID 2800 wrote to memory of 2836	2800	cmd.exe	62
PID 2800 wrote to memory of 2836	2800	cmd.exe	62
PID 2800 wrote to memory of 2836	2800	cmd.exe	62
PID 2800 wrote to memory of 2704	2800	cmd.exe	63

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\65063fcd5a9010a706580e11f6abf886a45fa6dd15743bdc41a49b1f9ac5761a.exe
"C:\Users\Admin\AppData\Local\Temp\65063fcd5a9010a706580e11f6abf886a45fa6dd15743bdc41a49b1f9ac5761a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\refhostperf\YDUzd2DburnkxzGba.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\refhostperf\24yvIrFqc9yigx6x0kwB7b7gqXz7Pn.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\refhostperf\serverperf.exe
      "C:\refhostperf\serverperf.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M1Qlnzdq6L.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2460
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2516
      - C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1248
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cLz7lFEPwa.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:560
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XhdmdigGiX.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:352
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1944
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XC59y11ueh.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2836
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat"
        17⤵
        
        PID:2784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2156
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\djCrJd6RmA.bat"
        19⤵
        
        PID:2452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1404
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VGBOjzZtA.bat"
        21⤵
        
        PID:2164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2168
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat"
        23⤵
        
        PID:1804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2624
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7bDnwPuEug.bat"
        25⤵
        
        PID:1668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:3040
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QO5FEA9wo1.bat"
        27⤵
        
        PID:3048
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6VGBOjzZtA.bat

Filesize
240B

MD5
7b97f6b833f6bc9b59cf270b3fdfc7ce

SHA1
3a8a26da91a8f153c2db5784609d1e9d2ad3164c

SHA256
24fd14f18d5ca9059a99da8da6a009e9abeae500094f6fb9527000488ef33024

SHA512
d9886efebe497963d1808cbc9feb0f8bf7123d2db8cfea96f0da8de1e71f0fd6d607912fef0730298b9bd61a6742b46563852b48a48135130c8ea90911e98a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\7bDnwPuEug.bat

Filesize
240B

MD5
5f7ed7797bc4753480c7290f0268b32a

SHA1
82f8d7efda89b837e4d2339554892a41944c41a1

SHA256
7627ec47bacd73a6058e84b561678df2ca3b4bac7aa679f0be1a55a2dba38f5d

SHA512
3a42d532e9ed1021845b5de9eba4cdb938c5d95a4814ad524a44ee9ff78818f65f04469ac99bbbecfef308e11592286d7e92e6b4f7f3a1469b3a26278a7ef52b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat

Filesize
240B

MD5
22b518215fe5a80a062998ee00808148

SHA1
1ccd2782816b6e5b72f7e02fb1420d6ca10b3fa5

SHA256
df4c1e543b7913ff96741450fbe944176624de8f55be64e9d86369e22c9033de

SHA512
4714c607b45e43f20c5d3f33df778a751f03c2afdb88a1ed6385be690225752e59827e2993ba15be39f59cd66f25b4f5ee47b9ed921d8e3c82e31205ce8ecd1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat

Filesize
240B

MD5
abb44f25d72e3fddc5ed62fe1abdb8e6

SHA1
a7c59504261c766ce4f18abf4c08344a55a391b1

SHA256
774aafe1490833738f6b1a8aeede58fd77ceb7e6d6c94cb4e60d5f564fbaa7a1

SHA512
0155db13f3e5eea965aa17ea4df44500ec8d8016132f399a0c4a2f29a2675a5ff009a99dc296c0b17bf7774f1523ea029a346d8d437a538c737b35204a303326

Download Submit
C:\Users\Admin\AppData\Local\Temp\M1Qlnzdq6L.bat

Filesize
240B

MD5
b9bb7bbb16206627e73a64aef8736c6c

SHA1
011485d2e2cc22d40d78be29025ea3e639e4174e

SHA256
48b7c28b87bea09b26edc723cdb8f5c55126894d1c3a17a5b02773bc89a72ff7

SHA512
e0139e9a99e818ff7a349b364439cf38728300d53315a7b3774c3efc8de455b1d06932abad9f99dd0ba0b74668f8ec9e68ea3850f5da302128225fc5019ab7df

Download Submit
C:\Users\Admin\AppData\Local\Temp\QO5FEA9wo1.bat

Filesize
240B

MD5
40e1ca96a0f5859ee8a7d94e70c0f04c

SHA1
83e7e130faae6c7a583f3b429eb239156739ae4d

SHA256
be8937867ce58caff13525204ba8f0a2ca0dd1995105f973466e8292ef8787c2

SHA512
636642b9f9da340f9ff855726df77791578982011c51e5c1863671a3e510673c86f1cbf521f3309bb362e10b6db54c6692449d7ca11cfe0305d1376ace4513e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XC59y11ueh.bat

Filesize
240B

MD5
c6814b6eb9505cfde984fe205bf7a967

SHA1
9ec183cec107d065557822363f939cefc59c8d46

SHA256
47ced86e033725a96646c986a45bd4c4280858ca5660596d3b09512d2f7f28fc

SHA512
b4691251e3cabd73b7fde51f41f6cfc5d1b0066a9e632504b6032501fa70d1baab3b97d3aa2f056f30a3833c349cd4d08158dda387ffb6f85b1c55a375b229a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XhdmdigGiX.bat

Filesize
240B

MD5
cc113457edfcd3ba5264d460540b1fd4

SHA1
1e52712fb33f6cb06b1b49967144128e9659e232

SHA256
30427a6b4190536dfe354552f7821f26a1d7079d00ab080c8ee5317668b77467

SHA512
2e77100eb99562b249a169a7ec375fa70bd9b3f1591b641ead504710da0af86c1d5af813674ca700e851daa9ef7e83e64b36d2d25cc046335e23fd6813fa3f41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat

Filesize
240B

MD5
65c56f3bc864a17a3e9edd495c1e959e

SHA1
5150762b4c67cb8016ca746807554a4e8feb6164

SHA256
e449fbe3d2ff3f3e09a8277c94c7e506540265a58b1796f30b7551411c933c6f

SHA512
7b1ad16ec038c7cdfd730c6764fa9c49db3d47ba4a5b85c6531c4506aed33fe5932885ecf645f072a564b18ae287612eac82a43cafad0fae5cac0e6a2bd1a2b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cLz7lFEPwa.bat

Filesize
240B

MD5
becd00632c59c55d34524847b2df0e07

SHA1
f9678eba26275d6c9ace7a3620d43a65e205d77b

SHA256
2c11c3cbf28cb93a86287393af6502fbc2754b8190bc7bc095785f4361fc43a2

SHA512
2725eceee4c92795e4d67cdcad16a726b1e1e2ae3935bb81d9d7be410826d83f673ed68db64268d10e432fa0807b9626ad3c04bb0f0e717169e542d490333359

Download Submit
C:\Users\Admin\AppData\Local\Temp\djCrJd6RmA.bat

Filesize
240B

MD5
059a904558cbfcb8e2f3e5eefee49a1c

SHA1
8eff4181de8fd1438e2a2d045d18dfa6fa961673

SHA256
a07d51743d8bb40b31891c29de27e59464a8235f513ca555843c613ca4442ae6

SHA512
d5542a332a9f1de4c31742402996d8f4a78929f5f867d4c451b0d7d7670f2aa4094e1fb5cecbc5be9d05e1022d43f9c17049d8a55d740408df9361703747c35e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat

Filesize
240B

MD5
9cf4fa2c63ce53dd33e3a75e7e3d9c74

SHA1
b755fd10e25d10d0d17e6988b69526393ce5f4ac

SHA256
f4c96695d42d4b932646f15e52cd41d4e80c82ae423815a2aa98b8961a8d6378

SHA512
dcd8d0856834777b1060e886a6f8434c37dca9c37732c8d6dbecc52cb4f1298bff63df1e37bcad54d4978cec894fb7b39dcaaed3a6e04e33c813a07376c1df79

Download Submit
C:\refhostperf\24yvIrFqc9yigx6x0kwB7b7gqXz7Pn.bat

Filesize
31B

MD5
659397b18711665774947ed6189e91ae

SHA1
73006ef2a02a72132f180e873324e8a6e4c593df

SHA256
a939eb9c97b5aad7a4aa9cc522e93a81399fffc03b7536f603175a90d3fc6130

SHA512
f68315f1f2aad292176dc1f845da4fa4acb59bedf4f446130edc73481bf6bcc2e765258fbc558b1b3b3a08590e25e6937e9046adf4f00eb2afbb172646298c30

Download Submit
C:\refhostperf\YDUzd2DburnkxzGba.vbe

Filesize
218B

MD5
693da7c1e4c7e39bb88041ca03bbf61e

SHA1
87ff5e77258e4ff5833a04ce4168d287510d32d6

SHA256
3ea997020623cbd40f68cff156f5ede16b0a4c2418b07ee5dacf64770a7fff99

SHA512
f64a9f10099e9cc009160ead27a6c6420a78a7265ffeb754fc3819f418bc02ccea0be2c3b24dd9849b90a7423e850ae4fb5253958ccd5cc92867e094508da837

Download Submit
C:\refhostperf\serverperf.exe

Filesize
1.2MB

MD5
7fec3eebd710313f7b35254d792228fc

SHA1
e55a429782c6f78e6fc8c80d6fb71a85ce1d01aa

SHA256
3d32ef71bff87e2ac881484cea6b82bd52090a7252c8719f11fb73bb8f63a405

SHA512
83932d7ac29af18c3a0f1424d2cd3e2a1810e908c828377f5c0d6e72240820c3778378c9c3f0c7b86ca94a8265d9c7c0e2b9460de288f07b62c98cd89d699af4

Download Submit
memory/780-28-0x0000000000800000-0x0000000000936000-memory.dmp

Filesize
1.2MB

Download
memory/1156-83-0x0000000000290000-0x00000000003C6000-memory.dmp

Filesize
1.2MB

Download
memory/1196-35-0x0000000000EF0000-0x0000000001026000-memory.dmp

Filesize
1.2MB

Download
memory/1340-76-0x0000000000B70000-0x0000000000CA6000-memory.dmp

Filesize
1.2MB

Download
memory/1568-48-0x0000000000260000-0x0000000000396000-memory.dmp

Filesize
1.2MB

Download
memory/1772-90-0x0000000000040000-0x0000000000176000-memory.dmp

Filesize
1.2MB

Download
memory/2312-55-0x00000000009B0000-0x0000000000AE6000-memory.dmp

Filesize
1.2MB

Download
memory/2424-69-0x00000000001F0000-0x0000000000326000-memory.dmp

Filesize
1.2MB

Download
memory/2472-15-0x0000000000370000-0x0000000000386000-memory.dmp

Filesize
88KB

Download
memory/2472-13-0x00000000011A0000-0x00000000012D6000-memory.dmp

Filesize
1.2MB

Download
memory/2472-14-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/2472-16-0x0000000000480000-0x000000000048E000-memory.dmp

Filesize
56KB

Download
memory/2576-97-0x0000000000190000-0x00000000002C6000-memory.dmp

Filesize
1.2MB

Download
memory/2704-62-0x0000000000E20000-0x0000000000F56000-memory.dmp

Filesize
1.2MB

Download