dcrat | 3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bridgenet.exe.bin.exe
Size

1.6MB
MD5

13a9fe232c423531f428e7ebf5bcc3ce
SHA1

7940d3296d943f8f54e6d2e58982812de6f66a79
SHA256

3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3
SHA512

ed6f68b31f034c49b6ef9a79a793d5ba46d6a8cffca33f1f5cdbb3db51ac6ae9ea5aa39ea7dede138c832b2a47c9f484441f549b163254bdbf5566a4590042f5
SSDEEP

24576:Dl2UpmjCMYU6XtQCBRSybXZgRRNsSSzUcYUHcAtRTjeXRE7QSvMllsWH4Xsmnobb:BdtdQCBRZX3HYUPtRTjmcQSTWH4Xshb

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2528	schtasks.exe	30

Executes dropped EXE 11 IoCs

pid	Process
2288	lsass.exe
2364	lsass.exe
3044	lsass.exe
1632	lsass.exe
1568	lsass.exe
1832	lsass.exe
1140	lsass.exe
1680	lsass.exe
2448	lsass.exe
2348	lsass.exe
880	lsass.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\ras\lsass.exe	bridgenet.exe.bin.exe
File opened for modification	C:\Windows\System32\ras\lsass.exe	bridgenet.exe.bin.exe
File created	C:\Windows\System32\ras\6203df4a6bafc7	bridgenet.exe.bin.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\lsass.exe	bridgenet.exe.bin.exe
File created	C:\Program Files\Windows Mail\6203df4a6bafc7	bridgenet.exe.bin.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\dwm.exe	bridgenet.exe.bin.exe
File created	C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\6cb0b6c459d5d3	bridgenet.exe.bin.exe
File created	C:\Windows\IME\imekr8\help\csrss.exe	bridgenet.exe.bin.exe
File created	C:\Windows\IME\imekr8\help\886983d96e3d3e	bridgenet.exe.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 11 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2384	PING.EXE
3044	PING.EXE
2852	PING.EXE
2792	PING.EXE
916	PING.EXE
932	PING.EXE
1432	PING.EXE
692	PING.EXE
2704	PING.EXE
980	PING.EXE
2136	PING.EXE

Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery

T1018

pid	Process
932	PING.EXE
1432	PING.EXE
692	PING.EXE
2384	PING.EXE
3044	PING.EXE
2852	PING.EXE
2136	PING.EXE
916	PING.EXE
2792	PING.EXE
2704	PING.EXE
980	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2604	schtasks.exe
1860	schtasks.exe
1552	schtasks.exe
1924	schtasks.exe
3016	schtasks.exe
568	schtasks.exe
2320	schtasks.exe
1724	schtasks.exe
3000	schtasks.exe
2372	schtasks.exe
2800	schtasks.exe
2772	schtasks.exe
2416	schtasks.exe
2804	schtasks.exe
3004	schtasks.exe
2388	schtasks.exe
2392	schtasks.exe
2000	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2816	bridgenet.exe.bin.exe
2816	bridgenet.exe.bin.exe
2816	bridgenet.exe.bin.exe
2816	bridgenet.exe.bin.exe
2816	bridgenet.exe.bin.exe
2816	bridgenet.exe.bin.exe
2816	bridgenet.exe.bin.exe
2816	bridgenet.exe.bin.exe
2816	bridgenet.exe.bin.exe
2816	bridgenet.exe.bin.exe
2816	bridgenet.exe.bin.exe
2816	bridgenet.exe.bin.exe
2816	bridgenet.exe.bin.exe
2816	bridgenet.exe.bin.exe
2816	bridgenet.exe.bin.exe
2816	bridgenet.exe.bin.exe
2816	bridgenet.exe.bin.exe
2816	bridgenet.exe.bin.exe
2816	bridgenet.exe.bin.exe
2816	bridgenet.exe.bin.exe
2816	bridgenet.exe.bin.exe
2288	lsass.exe
2288	lsass.exe
2288	lsass.exe
2288	lsass.exe
2288	lsass.exe
2288	lsass.exe
2288	lsass.exe
2288	lsass.exe
2288	lsass.exe
2288	lsass.exe
2288	lsass.exe
2288	lsass.exe
2364	lsass.exe
2364	lsass.exe
2364	lsass.exe
2364	lsass.exe
2364	lsass.exe
2364	lsass.exe
2364	lsass.exe
2364	lsass.exe
2364	lsass.exe
2364	lsass.exe
2364	lsass.exe
2364	lsass.exe
3044	lsass.exe
3044	lsass.exe
3044	lsass.exe
3044	lsass.exe
3044	lsass.exe
3044	lsass.exe
3044	lsass.exe
3044	lsass.exe
3044	lsass.exe
3044	lsass.exe
3044	lsass.exe
3044	lsass.exe
1632	lsass.exe
1632	lsass.exe
1632	lsass.exe
1632	lsass.exe
1632	lsass.exe
1632	lsass.exe
1632	lsass.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	bridgenet.exe.bin.exe
Token: SeDebugPrivilege	2288	lsass.exe
Token: SeDebugPrivilege	2364	lsass.exe
Token: SeDebugPrivilege	3044	lsass.exe
Token: SeDebugPrivilege	1632	lsass.exe
Token: SeDebugPrivilege	1568	lsass.exe
Token: SeDebugPrivilege	1832	lsass.exe
Token: SeDebugPrivilege	1140	lsass.exe
Token: SeDebugPrivilege	1680	lsass.exe
Token: SeDebugPrivilege	2448	lsass.exe
Token: SeDebugPrivilege	2348	lsass.exe
Token: SeDebugPrivilege	880	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 1928	2816	bridgenet.exe.bin.exe	49
PID 2816 wrote to memory of 1928	2816	bridgenet.exe.bin.exe	49
PID 2816 wrote to memory of 1928	2816	bridgenet.exe.bin.exe	49
PID 1928 wrote to memory of 348	1928	cmd.exe	51
PID 1928 wrote to memory of 348	1928	cmd.exe	51
PID 1928 wrote to memory of 348	1928	cmd.exe	51
PID 1928 wrote to memory of 2136	1928	cmd.exe	52
PID 1928 wrote to memory of 2136	1928	cmd.exe	52
PID 1928 wrote to memory of 2136	1928	cmd.exe	52
PID 1928 wrote to memory of 2288	1928	cmd.exe	53
PID 1928 wrote to memory of 2288	1928	cmd.exe	53
PID 1928 wrote to memory of 2288	1928	cmd.exe	53
PID 2288 wrote to memory of 1512	2288	lsass.exe	54
PID 2288 wrote to memory of 1512	2288	lsass.exe	54
PID 2288 wrote to memory of 1512	2288	lsass.exe	54
PID 1512 wrote to memory of 1264	1512	cmd.exe	56
PID 1512 wrote to memory of 1264	1512	cmd.exe	56
PID 1512 wrote to memory of 1264	1512	cmd.exe	56
PID 1512 wrote to memory of 916	1512	cmd.exe	57
PID 1512 wrote to memory of 916	1512	cmd.exe	57
PID 1512 wrote to memory of 916	1512	cmd.exe	57
PID 1512 wrote to memory of 2364	1512	cmd.exe	58
PID 1512 wrote to memory of 2364	1512	cmd.exe	58
PID 1512 wrote to memory of 2364	1512	cmd.exe	58
PID 2364 wrote to memory of 1636	2364	lsass.exe	60
PID 2364 wrote to memory of 1636	2364	lsass.exe	60
PID 2364 wrote to memory of 1636	2364	lsass.exe	60
PID 1636 wrote to memory of 884	1636	cmd.exe	62
PID 1636 wrote to memory of 884	1636	cmd.exe	62
PID 1636 wrote to memory of 884	1636	cmd.exe	62
PID 1636 wrote to memory of 932	1636	cmd.exe	63
PID 1636 wrote to memory of 932	1636	cmd.exe	63
PID 1636 wrote to memory of 932	1636	cmd.exe	63
PID 1636 wrote to memory of 3044	1636	cmd.exe	64
PID 1636 wrote to memory of 3044	1636	cmd.exe	64
PID 1636 wrote to memory of 3044	1636	cmd.exe	64
PID 3044 wrote to memory of 3036	3044	lsass.exe	65
PID 3044 wrote to memory of 3036	3044	lsass.exe	65
PID 3044 wrote to memory of 3036	3044	lsass.exe	65
PID 3036 wrote to memory of 1428	3036	cmd.exe	67
PID 3036 wrote to memory of 1428	3036	cmd.exe	67
PID 3036 wrote to memory of 1428	3036	cmd.exe	67
PID 3036 wrote to memory of 1432	3036	cmd.exe	68
PID 3036 wrote to memory of 1432	3036	cmd.exe	68
PID 3036 wrote to memory of 1432	3036	cmd.exe	68
PID 3036 wrote to memory of 1632	3036	cmd.exe	69
PID 3036 wrote to memory of 1632	3036	cmd.exe	69
PID 3036 wrote to memory of 1632	3036	cmd.exe	69
PID 1632 wrote to memory of 2688	1632	lsass.exe	70
PID 1632 wrote to memory of 2688	1632	lsass.exe	70
PID 1632 wrote to memory of 2688	1632	lsass.exe	70
PID 2688 wrote to memory of 1740	2688	cmd.exe	72
PID 2688 wrote to memory of 1740	2688	cmd.exe	72
PID 2688 wrote to memory of 1740	2688	cmd.exe	72
PID 2688 wrote to memory of 692	2688	cmd.exe	73
PID 2688 wrote to memory of 692	2688	cmd.exe	73
PID 2688 wrote to memory of 692	2688	cmd.exe	73
PID 2688 wrote to memory of 1568	2688	cmd.exe	74
PID 2688 wrote to memory of 1568	2688	cmd.exe	74
PID 2688 wrote to memory of 1568	2688	cmd.exe	74
PID 1568 wrote to memory of 1492	1568	lsass.exe	75
PID 1568 wrote to memory of 1492	1568	lsass.exe	75
PID 1568 wrote to memory of 1492	1568	lsass.exe	75
PID 1492 wrote to memory of 2768	1492	cmd.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bridgenet.exe.bin.exe
"C:\Users\Admin\AppData\Local\Temp\bridgenet.exe.bin.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\51M4H3d6pS.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:348
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2136
- - C:\Program Files\Windows Mail\lsass.exe
    "C:\Program Files\Windows Mail\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LHuPvvKEnU.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1512
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1264
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:916
    - - C:\Program Files\Windows Mail\lsass.exe
        
        "C:\Program Files\Windows Mail\lsass.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2364
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lvud1u8Gv5.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:884
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:932
        
        C:\Program Files\Windows Mail\lsass.exe
        
        "C:\Program Files\Windows Mail\lsass.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1LArpmQ7xZ.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1428
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1432
        
        C:\Program Files\Windows Mail\lsass.exe
        
        "C:\Program Files\Windows Mail\lsass.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sJRdaZOVrD.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:692
        
        C:\Program Files\Windows Mail\lsass.exe
        
        "C:\Program Files\Windows Mail\lsass.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0zcoxmH8Pr.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2768
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2792
        
        C:\Program Files\Windows Mail\lsass.exe
        
        "C:\Program Files\Windows Mail\lsass.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6EJ44dmIex.bat"
        14⤵
        
        PID:2440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2180
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2588
        
        C:\Program Files\Windows Mail\lsass.exe
        
        "C:\Program Files\Windows Mail\lsass.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T3REiUSKTh.bat"
        16⤵
        
        PID:2208
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2704
        
        C:\Program Files\Windows Mail\lsass.exe
        
        "C:\Program Files\Windows Mail\lsass.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UgSSpTGNbI.bat"
        18⤵
        
        PID:2056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1560
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:980
        
        C:\Program Files\Windows Mail\lsass.exe
        
        "C:\Program Files\Windows Mail\lsass.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yJr0BespZg.bat"
        20⤵
        
        PID:956
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1988
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2384
        
        C:\Program Files\Windows Mail\lsass.exe
        
        "C:\Program Files\Windows Mail\lsass.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4ZZGHVO0om.bat"
        22⤵
        
        PID:1412
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3044
        
        C:\Program Files\Windows Mail\lsass.exe
        
        "C:\Program Files\Windows Mail\lsass.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Vae5M4yv92.bat"
        24⤵
        
        PID:2716
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\IME\imekr8\help\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\IME\imekr8\help\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\IME\imekr8\help\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Public\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\System32\ras\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\ras\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\System32\ras\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgenet.exe.binb" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\bridgenet.exe.bin.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgenet.exe.bin" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\bridgenet.exe.bin.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgenet.exe.binb" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\bridgenet.exe.bin.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0zcoxmH8Pr.bat

Filesize
167B

MD5
1c681fe717ed7834683cab80aaa521bb

SHA1
9df36b91d22ba2382d6aa4c269767fa73f13bc13

SHA256
a2750281a586a0ba4e0678b146574996cfaa3c54e1fd744cb8194d77f054a877

SHA512
c06aec3735453da038c7d548cda7309aa84dfa628cbd9f465f9f8417a0fdabe7b3f3aadd7286c221da9ef8b65379d64eaa34360b0abcf1b9add8778e4f17faac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1LArpmQ7xZ.bat

Filesize
167B

MD5
911ea51e61a28165f0c1d73bbe3bcfc8

SHA1
415c37f518eb3501e3138e42f9fe9466038283f8

SHA256
34183f72237269a8f7b71f19157c9041583ad08d2b652115cd45460c733e63a5

SHA512
c326b1599b0d5da7957125ac0ad650c686b83d4d66f28d990f874298ab727581ff61d63ffc8680a075895baaa3b5fe759edba03fe05bbf7ae42db6236bb184be

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ZZGHVO0om.bat

Filesize
167B

MD5
5042a3d1452262d7e1e789403d5a48fc

SHA1
5f121926f5491ebe61620e62d17fdd95ac22b9e7

SHA256
09a2f8a4c59f4436e53abf6396dc9384db9d360b084f6342068eeb143a9f324d

SHA512
cd1ea000ae5ae474c2a62cdb9792a50f1732449948eaaf397d68d323ee448d823099330c30bc349b50405516875462c16e898afd29d722c780d5d826cc4e1636

Download Submit
C:\Users\Admin\AppData\Local\Temp\51M4H3d6pS.bat

Filesize
167B

MD5
a071821e5c0918542465e3816b809a12

SHA1
fde048382bd92da6c877396f4923b11b98a8bb81

SHA256
2a033ffafd4fb3c18e094c52d62fd9952fed852dff9194cb6d21625ba419502d

SHA512
b1845f3104aa00f43fd2e9789e5b2911c43fd08076db04b763b067b9007879a1b8c645e20539c57a8897955360b117938b55d089a3b54cd9f01d9ee8d84a571e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6EJ44dmIex.bat

Filesize
215B

MD5
bed015423da99251a630d28186ced64a

SHA1
d44c11652bf37326cb13b0d4331895885684fb84

SHA256
840605ac7ce01f90222881cdf9958fdcef54950be219c1f057ee8e2e344d2866

SHA512
e64b10151514841c8348c13386358bb545a10ffd03ff002ef5f2943b7607b4aea4bff9d4635510f009bf371fb022db5ea85426747785bf43f23c112658438e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LHuPvvKEnU.bat

Filesize
167B

MD5
4fd88c2f95b6e0e8b9785ba5b4fa7f6d

SHA1
284689b71b93566477d47ea2f6c42028be96a096

SHA256
5ff8a1df9abd64b636a8d57095b50d3e643906e07a7c0da1f11f88f79500cbb0

SHA512
f9b5a87df6e47ebb6f0d76c53e3e64d527ca323b67cc4afdec713fe200c44c3116ab95532af014a493b4e399ffc6bc200dacd00c2fdf703488ec3c5761df51aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lvud1u8Gv5.bat

Filesize
167B

MD5
3fb7800a8458548a9d000e4005765fb1

SHA1
30e5faab2f9e05c7882148b377d679eb4c448e35

SHA256
ea60924091735a5bac5a59957235bfa620a6fe7a269fa30bbcd727994e53d21b

SHA512
779d627836e6b3aa410b6f13ff3df3dedf837708b4b3c9f19fdaf60f325a9281c0567918045321fb49538f88223e656071667f9ab93ef1faa262667e0fb0a5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\T3REiUSKTh.bat

Filesize
167B

MD5
88a07da1d13589dd6b30ac0132424f5a

SHA1
c5398b797df8d50293e11bc0cc62bb5e2e1242da

SHA256
49a3cdc70d4cc1cea98bb0325e534e718156666ccbc934f7622443103dadb661

SHA512
6c7e15aecadc0922484bd023bb5d5b922870a2b1cfe86ce088b34dafb27e602af77417f1755848da83f8a868a20fa15008a3092ac7c9cc0e3c81511da175c9cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgSSpTGNbI.bat

Filesize
167B

MD5
c72edf4088b53f78d0ce5768b4387ffa

SHA1
a165a7578b126379dc1f6bfe88bef874bd86ac37

SHA256
25a13dbcf7049500834d92b024e2046982badf76e6b7a120855cadbff0e14dc4

SHA512
e854413819e701ceb4edddeed49f5a60bd5c68ab7c32c7c177358282664afdf5e4ea3696cf02f9b4114154d197527bec790b395544c94774fa3c71d8ed2363d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vae5M4yv92.bat

Filesize
167B

MD5
13d0864c5203ddbaadebf7adf24927e1

SHA1
60fdc5178f0d6358c6cfd133c51bce68e5f5b5f7

SHA256
36a8f0980a01b45a04f5d994a7f9d081f9e5b64bffc6282d0bcc065349ea9b48

SHA512
90e447665d76abbcca24b296140890ca344a4ce17cedfd37757c3f0ccb69fce828a14b3d6eaab51a176f6ed7a8471c873c82e881c7b03a216e37d7bd290d996c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sJRdaZOVrD.bat

Filesize
167B

MD5
c1e8042d9e886d2ca5c6b2a1107d3360

SHA1
bb033e2a1ecb1e8fbb6f0f3b73870921594ca250

SHA256
b46653ae0f5a714998aa7670f70acdce59aae80f05e3651cd1735782d72326ce

SHA512
f998b79fe9f5cae99b35fc5c672d52766b4489229866e3387219e146985449c6eb063544391e6f600f3f4d412687fa36b9757f17f84eeaa5c42404b1b7e8c972

Download Submit
C:\Users\Admin\AppData\Local\Temp\yJr0BespZg.bat

Filesize
167B

MD5
84db9809d2fe732f5aac7cb02c0c82df

SHA1
651afddd31b7c19190767c64254180264a87c678

SHA256
7e0e6700a42e6be6c7e911d98c17969c9d66cd618907841e2b85eeaff5169247

SHA512
17d06f9772730bff88f215ddaa248a93a8506e1666c5c445d08e9fadd2eb6157c3f32558bbba200cd07dba9b83467eac7e927df9dcf097423a94e71466be2056

Download Submit
C:\Windows\IME\imekr8\help\csrss.exe

Filesize
1.6MB

MD5
13a9fe232c423531f428e7ebf5bcc3ce

SHA1
7940d3296d943f8f54e6d2e58982812de6f66a79

SHA256
3e60ac6ac6c4fc9f90b87dde23d1261ac236782de1b00cca97bdf950019ee3a3

SHA512
ed6f68b31f034c49b6ef9a79a793d5ba46d6a8cffca33f1f5cdbb3db51ac6ae9ea5aa39ea7dede138c832b2a47c9f484441f549b163254bdbf5566a4590042f5

Download Submit
memory/880-105-0x00000000013C0000-0x0000000001562000-memory.dmp

Filesize
1.6MB

Download
memory/1632-52-0x00000000010F0000-0x0000000001292000-memory.dmp

Filesize
1.6MB

Download
memory/2288-28-0x0000000000AD0000-0x0000000000C72000-memory.dmp

Filesize
1.6MB

Download
memory/2348-96-0x0000000000E80000-0x0000000001022000-memory.dmp

Filesize
1.6MB

Download
memory/2364-36-0x0000000000250000-0x00000000003F2000-memory.dmp

Filesize
1.6MB

Download
memory/2448-88-0x0000000000360000-0x0000000000502000-memory.dmp

Filesize
1.6MB

Download
memory/2816-3-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2816-2-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2816-0-0x000007FEF5433000-0x000007FEF5434000-memory.dmp

Filesize
4KB

Download
memory/2816-4-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2816-5-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2816-6-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2816-1-0x0000000000E50000-0x0000000000FF2000-memory.dmp

Filesize
1.6MB

Download
memory/2816-8-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/2816-24-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/3044-44-0x00000000002D0000-0x0000000000472000-memory.dmp

Filesize
1.6MB

Download