dcrat | 60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2

Analysis

max time kernel
131s
max time network
149s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
18-01-2025 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
Size

2.7MB
MD5

d1793da857eca536d0d06e1bdfa657ab
SHA1

bb07044f5867554c74063d4c9509248657322040
SHA256

60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2
SHA512

8d35eab524e898a14e17185c64e092c56e310f15e3cd2e0bfd533b15c55b78078dfc2dbaeba3d3a5027a96967fca11cf3c60a4fb859e5ecee28addda04238e4b
SSDEEP

49152:yqyJUSQelMhlk1w19BlUobhENGZXxRWi0UAuqYqqnc:PyJlQgGk1wPko1oO30UA7Yqq

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	492	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2116	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2116	schtasks.exe	30

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2656-1-0x00000000009A0000-0x0000000000C54000-memory.dmp	dcrat
behavioral1/files/0x0005000000019cba-28.dat	dcrat
behavioral1/files/0x0009000000019246-90.dat	dcrat
behavioral1/files/0x00090000000193b3-101.dat	dcrat
behavioral1/files/0x0007000000019cba-112.dat	dcrat
behavioral1/files/0x0007000000019dbf-123.dat	dcrat
behavioral1/files/0x000c00000001a075-169.dat	dcrat
behavioral1/memory/2388-181-0x00000000013B0000-0x0000000001664000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2388	WmiPrvSE.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\RCX35D3.tmp	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\RCX3EBF.tmp	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\services.exe	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\c5b4cb5e9653cc	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
File created	C:\Program Files\Windows NT\TableTextService\fr-FR\60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
File created	C:\Program Files\Windows NT\TableTextService\fr-FR\390cb726597e67	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsm.exe	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\886983d96e3d3e	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX3CBB.tmp	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\RCX3F2D.tmp	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\services.exe	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\fr-FR\RCX37D6.tmp	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\fr-FR\RCX37D7.tmp	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\fr-FR\60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsm.exe	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\101b941d020240	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\RCX35D2.tmp	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX3C4D.tmp	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\CSC\v2.0.6\dwm.exe	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1932	schtasks.exe
2556	schtasks.exe
2992	schtasks.exe
2252	schtasks.exe
2440	schtasks.exe
592	schtasks.exe
3068	schtasks.exe
1952	schtasks.exe
2392	schtasks.exe
784	schtasks.exe
2192	schtasks.exe
2628	schtasks.exe
1420	schtasks.exe
2924	schtasks.exe
1104	schtasks.exe
2840	schtasks.exe
2336	schtasks.exe
2104	schtasks.exe
2140	schtasks.exe
1752	schtasks.exe
2076	schtasks.exe
584	schtasks.exe
1152	schtasks.exe
1164	schtasks.exe
492	schtasks.exe
780	schtasks.exe
2572	schtasks.exe
2824	schtasks.exe
2200	schtasks.exe
2004	schtasks.exe
1628	schtasks.exe
2172	schtasks.exe
1880	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2656	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
2656	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
2656	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
2656	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
2656	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
2656	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
2656	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
2388	WmiPrvSE.exe
2388	WmiPrvSE.exe
2388	WmiPrvSE.exe
2388	WmiPrvSE.exe
2388	WmiPrvSE.exe
2388	WmiPrvSE.exe
2388	WmiPrvSE.exe
2388	WmiPrvSE.exe
2388	WmiPrvSE.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2388	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
Token: SeDebugPrivilege	2388	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 3044	2656	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe	64
PID 2656 wrote to memory of 3044	2656	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe	64
PID 2656 wrote to memory of 3044	2656	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe	64
PID 3044 wrote to memory of 3064	3044	cmd.exe	66
PID 3044 wrote to memory of 3064	3044	cmd.exe	66
PID 3044 wrote to memory of 3064	3044	cmd.exe	66
PID 3044 wrote to memory of 2388	3044	cmd.exe	67
PID 3044 wrote to memory of 2388	3044	cmd.exe	67
PID 3044 wrote to memory of 2388	3044	cmd.exe	67

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe
"C:\Users\Admin\AppData\Local\Temp\60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2656
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OjgayVTRCH.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3064
- - C:\MSOCache\All Users\WmiPrvSE.exe
    "C:\MSOCache\All Users\WmiPrvSE.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c26" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\TableTextService\fr-FR\60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\fr-FR\60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c26" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\TableTextService\fr-FR\60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Documents\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Documents\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Documents\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Public\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Public\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Local Settings\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Local Settings\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe

Filesize
2.7MB

MD5
b8a7d6d11b641fbc17fd5352d91d128d

SHA1
be2262410c32fc249fa490d650f6647748a935e0

SHA256
4af4f89391b4a634635d3e2f833fca91f65c5f2bab63ab2dc24309286714faff

SHA512
76d7e83134a3c1869d6d9a2be8ec798b647903d271ea406ad4c48c95d5dc40f27c91a82776039e8af93e865ee38537592a7ebddfa92edd9f62f12b35afdff32b

Download Submit
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsm.exe

Filesize
2.7MB

MD5
12c4c7dc6e39204475ebd3e65451a465

SHA1
b5a81fe460a1625b3dc6f0d0ee85c2e503a6a6e1

SHA256
167cdf49889e04048d2a2ea0cca520db069b33d5f8ea7d2be00a8d257aa936eb

SHA512
a8b03a4a22acdfb22fdc9a29799f4d82125202930871eeec3706c58fd6e8d0b704e48f2896bbfd2a0c8ab4d7fd6caa7d19fa4f90788f7fb24876fb9b2e4bf6ab

Download Submit
C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe

Filesize
2.7MB

MD5
d1793da857eca536d0d06e1bdfa657ab

SHA1
bb07044f5867554c74063d4c9509248657322040

SHA256
60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2

SHA512
8d35eab524e898a14e17185c64e092c56e310f15e3cd2e0bfd533b15c55b78078dfc2dbaeba3d3a5027a96967fca11cf3c60a4fb859e5ecee28addda04238e4b

Download Submit
C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe

Filesize
2.7MB

MD5
c9e3a4138cf8347222b95b45074d0fe9

SHA1
3309203573f612cb10ff5e05f39fdc4e9e1425ef

SHA256
ae8d7ebb1dcc38cd971d59646d0ed70cb9d9fa545725ef50dd1f926b10ce20c4

SHA512
87e6618c5a81cb648bd8312ac7ce8d674519c7cab5c8f643fb3a5c60081f9bf63f55cc0018f7d1de14ca7eccc5daa1601b44d738ab6b0be5fcdecd00f0b87aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OjgayVTRCH.bat

Filesize
199B

MD5
ba27ca99b4efd3c32a0497a6267d4b12

SHA1
2e9d7ded8501496ce41cb6e9291b998ee4b39d00

SHA256
5f0a5728f69b45da56a6b3704b624181c0d4dafda260bf900c59698cc3815fd4

SHA512
a73e83e61948df10184f01ccc655aea1bd550f1b68923b77bb11e480fa3271eb6d643e812ccfb7ff1a8d25137d1c40993dfe698f719127bc2a49e76cbfa3aa00

Download Submit
C:\Users\Admin\AppData\Local\spoolsv.exe

Filesize
2.7MB

MD5
6d149e569942e9bf245b3635bb97d49a

SHA1
0b6d939a2b63557ae476c0f8b5ac90f7450fa67f

SHA256
28a3227c91115800cb7617c9256f4dd540c5644201723646ac54548d057a4dd2

SHA512
65bf9b70689e2508f17903b3afd8fa4aa5c337a4acbd114a5b671645027e0f95adeac3ada657f0c32f058b7d052f9bfc5b2d15047a4db83de8eee7297c0a1119

Download Submit
C:\Users\Public\Documents\wininit.exe

Filesize
2.7MB

MD5
a78e6ab3270411847973855d47c6b0fb

SHA1
90fefd20fcd4f4229edbcf6a2d30d71d5f4bafc5

SHA256
bbcc35dc486094758df8fc1869e517086985179d7bf1cfb149d4a5405d491b40

SHA512
21165b3f9ba7aa0b2d7572c18c68660b5b8bed8234c29ae47ba0b0cc442f19998198819571ab16483f74aab2ac109ef1287bc7591df1999498986ac5bbdec4a5

Download Submit
memory/2388-182-0x0000000000870000-0x0000000000882000-memory.dmp

Filesize
72KB

Download
memory/2388-181-0x00000000013B0000-0x0000000001664000-memory.dmp

Filesize
2.7MB

Download
memory/2656-8-0x0000000000530000-0x0000000000538000-memory.dmp

Filesize
32KB

Download
memory/2656-9-0x0000000000540000-0x000000000054A000-memory.dmp

Filesize
40KB

Download
memory/2656-11-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/2656-12-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/2656-14-0x0000000002360000-0x0000000002368000-memory.dmp

Filesize
32KB

Download
memory/2656-13-0x0000000000990000-0x0000000000998000-memory.dmp

Filesize
32KB

Download
memory/2656-15-0x0000000002370000-0x000000000237C000-memory.dmp

Filesize
48KB

Download
memory/2656-16-0x0000000002380000-0x000000000238E000-memory.dmp

Filesize
56KB

Download
memory/2656-17-0x000000001A980000-0x000000001A98C000-memory.dmp

Filesize
48KB

Download
memory/2656-18-0x000000001A990000-0x000000001A99A000-memory.dmp

Filesize
40KB

Download
memory/2656-19-0x000000001A9A0000-0x000000001A9AC000-memory.dmp

Filesize
48KB

Download
memory/2656-10-0x0000000002310000-0x0000000002366000-memory.dmp

Filesize
344KB

Download
memory/2656-7-0x0000000000490000-0x00000000004A6000-memory.dmp

Filesize
88KB

Download
memory/2656-0-0x000007FEF58A3000-0x000007FEF58A4000-memory.dmp

Filesize
4KB

Download
memory/2656-6-0x0000000000480000-0x0000000000490000-memory.dmp

Filesize
64KB

Download
memory/2656-5-0x0000000000470000-0x0000000000478000-memory.dmp

Filesize
32KB

Download
memory/2656-4-0x0000000000450000-0x000000000046C000-memory.dmp

Filesize
112KB

Download
memory/2656-177-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2656-3-0x0000000000440000-0x000000000044E000-memory.dmp

Filesize
56KB

Download
memory/2656-2-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2656-1-0x00000000009A0000-0x0000000000C54000-memory.dmp

Filesize
2.7MB

Download