dcrat | 92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f

Analysis

max time kernel
121s
max time network
153s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-01-2025 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

E37ECDC4437E46A9E712EDF5AC610E65.exe
Size

769KB
MD5

e37ecdc4437e46a9e712edf5ac610e65
SHA1

e5e93b92d37911f342f93c636ecb4954862b62dc
SHA256

92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f
SHA512

5941dc1676e3b0a5c9f4bee93bc9d542ed829a4f7263fecad6f870aa084d34ce0f9f16bb794832d4b67fb81fc76ed115ad05aa3692132750132298427034c04b
SSDEEP

12288:7pTnTz9dJuydpYHA9VvNEJJMA+AppW3Ari4VVyZC0+1ctHNt8KF4AXDWZ6:7pTn5uy19V1WJMA+Ap3iE0n3c6

Score

10^/10

dcrat discovery infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\taskhost.exe\""	E37ECDC4437E46A9E712EDF5AC610E65.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\lsass.exe\""	E37ECDC4437E46A9E712EDF5AC610E65.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\lsass.exe\", \"C:\\Program Files\\Windows Portable Devices\\winlogon.exe\""	E37ECDC4437E46A9E712EDF5AC610E65.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\lsass.exe\", \"C:\\Program Files\\Windows Portable Devices\\winlogon.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\lsass.exe\""	E37ECDC4437E46A9E712EDF5AC610E65.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\lsass.exe\", \"C:\\Program Files\\Windows Portable Devices\\winlogon.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\MSOCache\\All Users\\smss.exe\""	E37ECDC4437E46A9E712EDF5AC610E65.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\lsass.exe\", \"C:\\Program Files\\Windows Portable Devices\\winlogon.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\lsass.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\E37ECDC4437E46A9E712EDF5AC610E65.exe\""	E37ECDC4437E46A9E712EDF5AC610E65.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2892	schtasks.exe	30

DCRat payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/3032-1-0x0000000000EB0000-0x0000000000F76000-memory.dmp	family_dcrat_v2
behavioral1/files/0x000500000001975a-23.dat	family_dcrat_v2
behavioral1/memory/2340-45-0x0000000001180000-0x0000000001246000-memory.dmp	family_dcrat_v2

Executes dropped EXE 1 IoCs

pid	Process
2340	lsass.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\taskhost.exe\""	E37ECDC4437E46A9E712EDF5AC610E65.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\taskhost.exe\""	E37ECDC4437E46A9E712EDF5AC610E65.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Portable Devices\\winlogon.exe\""	E37ECDC4437E46A9E712EDF5AC610E65.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\lsass.exe\""	E37ECDC4437E46A9E712EDF5AC610E65.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\smss.exe\""	E37ECDC4437E46A9E712EDF5AC610E65.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\smss.exe\""	E37ECDC4437E46A9E712EDF5AC610E65.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\E37ECDC4437E46A9E712EDF5AC610E65 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\E37ECDC4437E46A9E712EDF5AC610E65.exe\""	E37ECDC4437E46A9E712EDF5AC610E65.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E37ECDC4437E46A9E712EDF5AC610E65 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\E37ECDC4437E46A9E712EDF5AC610E65.exe\""	E37ECDC4437E46A9E712EDF5AC610E65.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Public\\Pictures\\Sample Pictures\\lsass.exe\""	E37ECDC4437E46A9E712EDF5AC610E65.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Public\\Pictures\\Sample Pictures\\lsass.exe\""	E37ECDC4437E46A9E712EDF5AC610E65.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Portable Devices\\winlogon.exe\""	E37ECDC4437E46A9E712EDF5AC610E65.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\lsass.exe\""	E37ECDC4437E46A9E712EDF5AC610E65.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC5E95A8A3B7334A738B3C4A9C81A42C0.TMP	csc.exe
File created	\??\c:\Windows\System32\hi5-9c.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Portable Devices\winlogon.exe	E37ECDC4437E46A9E712EDF5AC610E65.exe
File created	C:\Program Files\Windows Portable Devices\cc11b995f2a76d	E37ECDC4437E46A9E712EDF5AC610E65.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1840	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1840	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2932	schtasks.exe
2952	schtasks.exe
2988	schtasks.exe
1564	schtasks.exe
2680	schtasks.exe
2364	schtasks.exe
2380	schtasks.exe
2700	schtasks.exe
1500	schtasks.exe
2388	schtasks.exe
612	schtasks.exe
524	schtasks.exe
1128	schtasks.exe
1788	schtasks.exe
2628	schtasks.exe
2396	schtasks.exe
2996	schtasks.exe
2312	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
2340	lsass.exe
2340	lsass.exe
2340	lsass.exe
2340	lsass.exe
2340	lsass.exe
2340	lsass.exe
2340	lsass.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	E37ECDC4437E46A9E712EDF5AC610E65.exe
Token: SeDebugPrivilege	2340	lsass.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2428	3032	E37ECDC4437E46A9E712EDF5AC610E65.exe	34
PID 3032 wrote to memory of 2428	3032	E37ECDC4437E46A9E712EDF5AC610E65.exe	34
PID 3032 wrote to memory of 2428	3032	E37ECDC4437E46A9E712EDF5AC610E65.exe	34
PID 2428 wrote to memory of 2728	2428	csc.exe	36
PID 2428 wrote to memory of 2728	2428	csc.exe	36
PID 2428 wrote to memory of 2728	2428	csc.exe	36
PID 3032 wrote to memory of 2432	3032	E37ECDC4437E46A9E712EDF5AC610E65.exe	52
PID 3032 wrote to memory of 2432	3032	E37ECDC4437E46A9E712EDF5AC610E65.exe	52
PID 3032 wrote to memory of 2432	3032	E37ECDC4437E46A9E712EDF5AC610E65.exe	52
PID 2432 wrote to memory of 2464	2432	cmd.exe	54
PID 2432 wrote to memory of 2464	2432	cmd.exe	54
PID 2432 wrote to memory of 2464	2432	cmd.exe	54
PID 2432 wrote to memory of 1840	2432	cmd.exe	55
PID 2432 wrote to memory of 1840	2432	cmd.exe	55
PID 2432 wrote to memory of 1840	2432	cmd.exe	55
PID 2432 wrote to memory of 2340	2432	cmd.exe	56
PID 2432 wrote to memory of 2340	2432	cmd.exe	56
PID 2432 wrote to memory of 2340	2432	cmd.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\E37ECDC4437E46A9E712EDF5AC610E65.exe
"C:\Users\Admin\AppData\Local\Temp\E37ECDC4437E46A9E712EDF5AC610E65.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jpqircfq\jpqircfq.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9167.tmp" "c:\Windows\System32\CSC5E95A8A3B7334A738B3C4A9C81A42C0.TMP"
    3⤵
    PID:2728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VMxtW7l203.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2464
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1840
- - C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\lsass.exe
    "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\Sample Pictures\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\Sample Pictures\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "E37ECDC4437E46A9E712EDF5AC610E65E" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\E37ECDC4437E46A9E712EDF5AC610E65.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "E37ECDC4437E46A9E712EDF5AC610E65" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\E37ECDC4437E46A9E712EDF5AC610E65.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "E37ECDC4437E46A9E712EDF5AC610E65E" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\E37ECDC4437E46A9E712EDF5AC610E65.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\taskhost.exe

Filesize
769KB

MD5
e37ecdc4437e46a9e712edf5ac610e65

SHA1
e5e93b92d37911f342f93c636ecb4954862b62dc

SHA256
92d18c8505319ad84f1487e8a67cfe2b29d077fafb50dbe1ebfeeabd8b59d43f

SHA512
5941dc1676e3b0a5c9f4bee93bc9d542ed829a4f7263fecad6f870aa084d34ce0f9f16bb794832d4b67fb81fc76ed115ad05aa3692132750132298427034c04b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9167.tmp

Filesize
1KB

MD5
933fb25d45dd25b0183bcfa85e6dfb2a

SHA1
9d4b612786eae75618b27534dc1adf21c24291db

SHA256
c29c4d83fc49567c6f127282906138dd73773c398eb465e0aca822b1373333a8

SHA512
c3c2cb4f23ec84a4f2006d5c268d51745a8f8815f16486f7511b62dd4d0721b812c6f888d8c70244be8c14756ed927b7c0ceebf08ac3968e342267c6e92f33c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMxtW7l203.bat

Filesize
226B

MD5
45a24ed7d6722fdc68ecb77f216985af

SHA1
196c6aaae7b3c8eea455d03e1fd5225a5a806156

SHA256
deb9723165385173b11c54f377a7956273fe5c3cc0cfbf08ef68dc24ddeb6663

SHA512
023f65ba44468607e26733b5de0ef6f50aad020ca84c10dc19a2be9e1d89296cccb667dce35c5be452a4d543c4a7be9f650f68a520f3e882564a4a9860d74654

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jpqircfq\jpqircfq.0.cs

Filesize
366B

MD5
7903cc698e920aba12e113200e9a121d

SHA1
7cc903f324596d984edc414ecae95ea359912619

SHA256
83c99dc997f21a3cce60e6529c94f39920fedbd37cfb5ac0b0b2c0128f4c137d

SHA512
a4d566b563b1e1e6370bb07e3313b1f00c58c5fe86c604928ccd775a0840cf121351a93c23479bbde572c5b3391f6b05a2bbe0421430db21feba2395bc5730cb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jpqircfq\jpqircfq.cmdline

Filesize
235B

MD5
9e2bc377a798386899525e432d36d82d

SHA1
19d19c5e29a8a2e0b6bdf825bd75a899a6807c83

SHA256
4bb014d02a9db6d607d891e6ad4d98a2856605e7b3ec7cdb0aedb59700ed7aa3

SHA512
af6908364e373179ebe52a8bfd7657d9fb340d12560d176296cb2a76e8fa3c5cd9181d76f350544af3e89f58c8b88fcad33159cbc43a0d9b90027bddf2accc34

Download Submit
\??\c:\Windows\System32\CSC5E95A8A3B7334A738B3C4A9C81A42C0.TMP

Filesize
1KB

MD5
60a1ebb8f840aad127346a607d80fc19

SHA1
c8b7e9ad601ac19ab90b3e36f811960e8badf354

SHA256
9d6a9d38b7a86cc88e551a0c1172a3fb387b1a5f928ac13993ec3387d39cc243

SHA512
44830cefb264bac520174b4b884312dd0393be33a193d4f0fee3cc3c14deb86ca39e43ef281232f9169fd204d19b22e8a7aad72fa448ca52d5cbc3ee1dbb18a4

Download Submit
memory/2340-45-0x0000000001180000-0x0000000001246000-memory.dmp

Filesize
792KB

Download
memory/3032-7-0x000007FEF6BB0000-0x000007FEF759C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-11-0x000007FEF6BB0000-0x000007FEF759C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-13-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/3032-9-0x0000000000420000-0x0000000000438000-memory.dmp

Filesize
96KB

Download
memory/3032-10-0x000007FEF6BB0000-0x000007FEF759C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-6-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/3032-0-0x000007FEF6BB3000-0x000007FEF6BB4000-memory.dmp

Filesize
4KB

Download
memory/3032-4-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/3032-2-0x000007FEF6BB0000-0x000007FEF759C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-42-0x000007FEF6BB0000-0x000007FEF759C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-1-0x0000000000EB0000-0x0000000000F76000-memory.dmp

Filesize
792KB

Download