Overview

overview

10

Static

static

10

7fb943a550...fd.exe

windows7-x64

10

7fb943a550...fd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-01-2025 17:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7fb943a550881e7c59acdbba1164cbfd.exe

  • Size

    2.2MB

  • MD5

    7fb943a550881e7c59acdbba1164cbfd

  • SHA1

    ed5bb95d080cbcc5fafaaa0949fdcdfaece4dabe

  • SHA256

    f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510

  • SHA512

    a4b7e40e07f1d5b24fd2bec828c433d984087ee22478f11da9a2ab4bfb42c3c4609e3d24ba19e8fd0239bfffa532c6e4526d6ff9eb7e3a3d1788cb3e5f6e66fc

  • SSDEEP

    49152:K31tZUmbFNH1wLJDPqTo9lIS/MXU2F4/1l5eQ7K6:KltZUE6NDyTo9lv2F+VvK6

Score
10/10
dcratevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat 64 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 26 IoCs
    persistence
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 15 IoCs
    evasiontrojan
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 52 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 10 IoCs
    evasiontrojan
  • Drops file in Program Files directory 34 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • System policy modification 1 TTPs 15 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\7fb943a550881e7c59acdbba1164cbfd.exe
    "C:\Users\Admin\AppData\Local\Temp\7fb943a550881e7c59acdbba1164cbfd.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Drops file in Drivers directory
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1404
    • C:\Users\Admin\AppData\Local\Temp\7fb943a550881e7c59acdbba1164cbfd.exe
      "C:\Users\Admin\AppData\Local\Temp\7fb943a550881e7c59acdbba1164cbfd.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:908
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\d08pZfDwmG.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2992
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          4⤵
            PID:2712
          • C:\Program Files\Windows Defender\wininit.exe
            "C:\Program Files\Windows Defender\wininit.exe"
            4⤵
            • UAC bypass
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2456
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d12f7815-25ea-4c52-b176-f728ebf46e94.vbs"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2580
              • C:\Program Files\Windows Defender\wininit.exe
                "C:\Program Files\Windows Defender\wininit.exe"
                6⤵
                • UAC bypass
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:2224
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1de8c8c4-57e3-4444-a4db-34d132410788.vbs"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:828
                  • C:\Program Files\Windows Defender\wininit.exe
                    "C:\Program Files\Windows Defender\wininit.exe"
                    8⤵
                    • UAC bypass
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    • System policy modification
                    PID:572
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f75b27db-4f51-4d09-b5db-2e795f8117cf.vbs"
                      9⤵
                        PID:1500
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3385104a-5a88-4c04-989b-4049d45e8fd6.vbs"
                        9⤵
                          PID:2300
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07f6e61e-96e8-4595-92a2-1d85eeefccc6.vbs"
                      7⤵
                        PID:2980
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8011f14-8311-4fc5-aff1-2711881dfa41.vbs"
                    5⤵
                      PID:2440
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Recorded TV\Sample Media\System.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2436
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\System.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              PID:3004
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Recorded TV\Sample Media\System.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              PID:2764
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\services.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2584
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\services.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2616
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\services.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              PID:2736
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\Idle.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2636
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              PID:1636
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2860
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dllhost.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1132
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1788
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2904
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Music\explorer.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:844
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Music\explorer.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2304
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Music\explorer.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              PID:1952
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2620
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2884
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              PID:2012
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1572
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1840
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2920
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\ja-JP\lsm.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2976
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\ja-JP\lsm.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2928
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\ja-JP\lsm.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2924
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1848
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1484
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2132
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1500
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2992
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:284
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\services.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2020
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\services.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1712
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\services.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1928
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\RemotePackages\RemoteApps\dllhost.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              PID:2708
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2832
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\RemotePackages\RemoteApps\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2688
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Local Settings\taskhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2728
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\taskhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              PID:2580
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Local Settings\taskhost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1728
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2724
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1268
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1720
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe'" /f
              1⤵
              • Process spawned unexpected child process
              PID:2660
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2764
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2584
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2280
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1224
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2636
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\en-US\WmiPrvSE.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2732
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2956
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3004
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\wininit.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2792
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\wininit.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1952
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\wininit.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1072
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2304
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1016
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              PID:924
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\Sample Videos\spoolsv.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1764
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\spoolsv.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2648
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Videos\Sample Videos\spoolsv.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1840
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\Accessories\en-US\taskhost.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2168
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\taskhost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              PID:2328
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\en-US\taskhost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2120
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1396
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              PID:1876
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Scheduled Task/Job: Scheduled Task
              PID:1608
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\WMIADAP.exe'" /f
              1⤵
              • DcRat
              • Scheduled Task/Job: Scheduled Task
              PID:1888
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\WMIADAP.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Scheduled Task/Job: Scheduled Task
              PID:684
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\WMIADAP.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Scheduled Task/Job: Scheduled Task
              PID:1576
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /f
              1⤵
              • DcRat
              • Scheduled Task/Job: Scheduled Task
              PID:1108
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Scheduled Task/Job: Scheduled Task
              PID:2416
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Scheduled Task/Job: Scheduled Task
              PID:344
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /f
              1⤵
              • DcRat
              PID:1704
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Scheduled Task/Job: Scheduled Task
              PID:1228
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Scheduled Task/Job: Scheduled Task
              PID:1480
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\wininit.exe'" /f
              1⤵
              • DcRat
              • Scheduled Task/Job: Scheduled Task
              PID:1680
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\wininit.exe'" /rl HIGHEST /f
              1⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2184
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\wininit.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              PID:2320

            Network

            MITRE ATT&CK Enterprise v15

            Reconnaissance

            Resource Development

            Initial Access

            Execution

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Persistence

            Boot or Logon Autostart Execution

            2
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Winlogon Helper DLL

            1
            T1547.004

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Privilege Escalation

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Boot or Logon Autostart Execution

            2
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Winlogon Helper DLL

            1
            T1547.004

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Defense Evasion

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Impair Defenses

            1
            T1562

            Disable or Modify Tools

            1
            T1562.001

            Modify Registry

            4
            T1112

            Credential Access

            Discovery

            Query Registry

            1
            T1012

            System Information Discovery

            2
            T1082

            Lateral Movement

            Collection

            Command and Control

            Exfiltration

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\1de8c8c4-57e3-4444-a4db-34d132410788.vbs
              Filesize

              721B

              MD5

              08774439aa43f7a2068dbb75a52d8c34

              SHA1

              4bc0b627a4e4ac9fc509779b6ea89581562300c4

              SHA256

              fff8e65cb6711d8dfb4a1ead2d00f2a488ddd889a9e06e51e2a7315c012bc044

              SHA512

              4ca328326af8c19b533ce12d5371a752c07bff7464b51e3fba9334098f2de1fa986d62fdc84afa797df9f9db9c53f77caecdc2d50a05f936c28cb0c094ea03fa

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\b8011f14-8311-4fc5-aff1-2711881dfa41.vbs
              Filesize

              497B

              MD5

              8c94c4182c1ea489340bd3fd46e2359a

              SHA1

              ff488c59e50fe9670f6e9e049a043f3bb82b740a

              SHA256

              c27ec9d444e610d154c5a02d668113366efb5ace170bf0d3ad45a32047695336

              SHA512

              199c0550f79a9a6aac577d0b3810f1ee34d100567eed5fc2a857f95b8d0dd48fa535c3af0dc89350459be27a8fe56763d6dfaf58ba0649c3624a5b88943084bc

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\d08pZfDwmG.bat
              Filesize

              210B

              MD5

              249cf51bfb0f53f125ddb945f946e11c

              SHA1

              f3b8c4501d5bca819d77eaf9942d487415c44bee

              SHA256

              aab2d61aee5c792a60bf8a7ce4659b1aabd5cd6dfb4ee222bf197eff61c946b3

              SHA512

              a00d5e8acf19c7db49cc4fab48897cc542b74e2973883cfbd32cff8dc6eff248bf37b2d4ed76858d0627bdee4b67197daaa6e6fe9f32b28e8b9bb5c110e3b4ca

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\d12f7815-25ea-4c52-b176-f728ebf46e94.vbs
              Filesize

              721B

              MD5

              32a624bae6e5e7520f6cb2f97a1909d9

              SHA1

              27cf468b62ea00e07aaf1b56e91837d41f7b70fd

              SHA256

              8ebbea01f7abe9316041dd9520bfb7713a5884bbab301344d6bc9cd4b59f4c77

              SHA512

              8973ed929c295d6a5a48839f7e672b3af955995ef8a4615491130eb57a0a68f16e69984ce80fce70c1d7787464fe627fb6578a397578bef3ddea7d814872a6b1

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\f75b27db-4f51-4d09-b5db-2e795f8117cf.vbs
              Filesize

              720B

              MD5

              6b4b58da6e3daca671b12c0906f322fe

              SHA1

              cdff5440db3fb8cc9bdea516e312be3dc6dbdd4a

              SHA256

              1d23281a6050000f12633cbee5fd0f54769383f947aeff91fad4014802c4e31b

              SHA512

              b90c1c7d3e179a7395d84ca5a7c8dc1c593fda7c9cb61cbb6d591392ad9f2e8502bad9f0b02cc34a049deb4bc2c046c9f9e0afdcc83f98b8660f4139ca87da29

              Download Submit

            • C:\Users\Default\Music\explorer.exe
              Filesize

              2.2MB

              MD5

              7fb943a550881e7c59acdbba1164cbfd

              SHA1

              ed5bb95d080cbcc5fafaaa0949fdcdfaece4dabe

              SHA256

              f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510

              SHA512

              a4b7e40e07f1d5b24fd2bec828c433d984087ee22478f11da9a2ab4bfb42c3c4609e3d24ba19e8fd0239bfffa532c6e4526d6ff9eb7e3a3d1788cb3e5f6e66fc

              Download Submit

            • C:\Users\Public\Recorded TV\Sample Media\RCXE572.tmp
              Filesize

              2.2MB

              MD5

              94060e2436b9c8daff38404d423bd6e1

              SHA1

              b3c8c82cb21f0218d38eb28e9a90d69b65995611

              SHA256

              9fa2d348529d65108585877675e26ddffe341556c3c21e13bdacfd6cf23be2a9

              SHA512

              78918cd9475a9441160b076ee7e8ff4f27a03c7e857323f0005c86a839638467dc1a17e8955f077304013e89a629dbb2bb8313bb62b0ddd23bacaf6d40f3c0c0

              Download Submit

            • memory/1404-19-0x00000000023E0000-0x00000000023EC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/1404-23-0x0000000002420000-0x000000000242E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/1404-9-0x0000000000A80000-0x0000000000A8C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/1404-10-0x0000000000A90000-0x0000000000A98000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1404-11-0x0000000000B40000-0x0000000000B50000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1404-12-0x0000000000AA0000-0x0000000000AAA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/1404-13-0x0000000000AB0000-0x0000000000ABC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/1404-14-0x0000000002300000-0x0000000002308000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1404-15-0x0000000002310000-0x000000000231C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/1404-16-0x0000000002320000-0x0000000002328000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1404-18-0x00000000023B0000-0x00000000023C2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1404-0-0x000007FEF6573000-0x000007FEF6574000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1404-20-0x00000000023F0000-0x00000000023FC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/1404-21-0x0000000002400000-0x000000000240C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/1404-22-0x0000000002410000-0x000000000241A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/1404-8-0x0000000000A60000-0x0000000000A76000-memory.dmp

              Filesize

              88KB

              Download

            • memory/1404-25-0x0000000002440000-0x000000000244E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/1404-24-0x0000000002430000-0x0000000002438000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1404-26-0x000000001A8D0000-0x000000001A8DC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/1404-27-0x000000001A8E0000-0x000000001A8E8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1404-29-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/1404-28-0x000000001A8F0000-0x000000001A8FC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/1404-7-0x00000000009D0000-0x00000000009E0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1404-6-0x00000000009C0000-0x00000000009C8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1404-145-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/1404-5-0x0000000000700000-0x000000000071C000-memory.dmp

              Filesize

              112KB

              Download

            • memory/1404-1-0x0000000000B50000-0x0000000000D7E000-memory.dmp

              Filesize

              2.2MB

              Download

            • memory/1404-4-0x0000000000550000-0x000000000055E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/1404-3-0x0000000000540000-0x000000000054E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/1404-2-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/2224-236-0x0000000000B70000-0x0000000000B82000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2456-225-0x0000000000E10000-0x000000000103E000-memory.dmp

              Filesize

              2.2MB

              Download