dcrat | 5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2025 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
Size

827KB
MD5

ee9f2d79c47d1d8f5e12135af3b6e51b
SHA1

05f8199fdf6946c81239af918b51a03ccb6e8ef2
SHA256

5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762
SHA512

5146db40a9e977a352ed4b25684ca65b21b0716e9b0f55d06d94c2af8dae80ace1036588e34c7dcc489b148255ba0a3a916581eb525cdea2984d3ef4c5ad9305
SSDEEP

12288:+PjbkdQsEdvdRDnB0WmNN3D+nvIsmnxkmt7IxcC1AE:+rbQQsE9WWmNNz+wpxlyxcMAE

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		888	schtasks.exe
		232	schtasks.exe
		4280	schtasks.exe
		4784	schtasks.exe
		3012	schtasks.exe
		1148	schtasks.exe
		1684	schtasks.exe
		3908	schtasks.exe
		2384	schtasks.exe
		4792	schtasks.exe
		4216	schtasks.exe
		1372	schtasks.exe
		868	schtasks.exe
File created	C:\Windows\Provisioning\winlogon.exe		5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
		1224	schtasks.exe
		4848	schtasks.exe
		4864	schtasks.exe
		2316	schtasks.exe
		3044	schtasks.exe
		920	schtasks.exe
		1472	schtasks.exe
		1896	schtasks.exe
		5052	schtasks.exe
		2808	schtasks.exe
		2072	schtasks.exe
		4768	schtasks.exe
		2572	schtasks.exe
		4384	schtasks.exe
File created	C:\Windows\Provisioning\cc11b995f2a76d		5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
		1004	schtasks.exe
		1532	schtasks.exe
		3752	schtasks.exe
		3144	schtasks.exe
		4120	schtasks.exe
		1216	schtasks.exe
		4236	schtasks.exe
		2136	schtasks.exe
		4872	schtasks.exe
		3080	schtasks.exe
		2020	schtasks.exe
		3100	schtasks.exe
		536	schtasks.exe
		1640	schtasks.exe
		3384	schtasks.exe
		2864	schtasks.exe
		3508	schtasks.exe
		932	schtasks.exe
		860	schtasks.exe
		2064	schtasks.exe
		1300	schtasks.exe
		2536	schtasks.exe
		2012	schtasks.exe
		3928	schtasks.exe
		5112	schtasks.exe
		1756	schtasks.exe
		3428	schtasks.exe
		448	schtasks.exe
		2344	schtasks.exe
		4912	schtasks.exe
		4824	schtasks.exe
		4112	schtasks.exe
		3248	schtasks.exe
		2904	schtasks.exe
		348	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3248	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3428	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	1844	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	1844	schtasks.exe	82

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2600-1-0x0000000000C80000-0x0000000000D56000-memory.dmp	dcrat
behavioral2/files/0x0008000000023c29-19.dat	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe

Executes dropped EXE 1 IoCs

pid	Process
4024	winlogon.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files\ModifiableWindowsApps\dwm.exe	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
File created	C:\Program Files\Crashpad\reports\fontdrvhost.exe	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
File created	C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\taskhostw.exe	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
File created	C:\Program Files\Windows Multimedia Platform\ea9f0e6c9e2dcd	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\sysmon.exe	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
File created	C:\Program Files (x86)\Internet Explorer\images\SearchApp.exe	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
File created	C:\Program Files (x86)\Windows Portable Devices\csrss.exe	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
File created	C:\Program Files (x86)\Microsoft.NET\66fc9ff0ee96c2	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
File created	C:\Program Files\Microsoft Office\dllhost.exe	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\121e5b5079f7c0	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\csrss.exe	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\886983d96e3d3e	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cc11b995f2a76d	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\csrss.exe	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
File created	C:\Program Files (x86)\Microsoft.NET\sihost.exe	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
File created	C:\Program Files\Windows Multimedia Platform\taskhostw.exe	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
File created	C:\Program Files (x86)\Internet Explorer\images\38384e6a620884	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
File created	C:\Program Files\Crashpad\reports\5b884080fd4f94	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
File created	C:\Program Files\Microsoft Office\5940a34987c991	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Provisioning\winlogon.exe	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
File opened for modification	C:\Windows\Provisioning\winlogon.exe	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
File created	C:\Windows\Provisioning\cc11b995f2a76d	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
File created	C:\Windows\Performance\explorer.exe	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
File created	C:\Windows\Performance\7a0fd90576e088	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
File created	C:\Windows\rescache\sysmon.exe	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
File created	C:\Windows\addins\Idle.exe	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
File created	C:\Windows\addins\6ccacd8608530f	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4792	schtasks.exe
4120	schtasks.exe
3100	schtasks.exe
3752	schtasks.exe
448	schtasks.exe
1300	schtasks.exe
3508	schtasks.exe
4236	schtasks.exe
3080	schtasks.exe
4872	schtasks.exe
1292	schtasks.exe
1640	schtasks.exe
4912	schtasks.exe
2072	schtasks.exe
860	schtasks.exe
3928	schtasks.exe
5112	schtasks.exe
1372	schtasks.exe
2808	schtasks.exe
4216	schtasks.exe
868	schtasks.exe
232	schtasks.exe
3384	schtasks.exe
1216	schtasks.exe
4848	schtasks.exe
1224	schtasks.exe
4824	schtasks.exe
5052	schtasks.exe
3908	schtasks.exe
4784	schtasks.exe
3012	schtasks.exe
1004	schtasks.exe
116	schtasks.exe
1148	schtasks.exe
920	schtasks.exe
1472	schtasks.exe
3144	schtasks.exe
536	schtasks.exe
888	schtasks.exe
2904	schtasks.exe
4384	schtasks.exe
2384	schtasks.exe
2572	schtasks.exe
4840	schtasks.exe
4112	schtasks.exe
2064	schtasks.exe
3248	schtasks.exe
348	schtasks.exe
4864	schtasks.exe
2536	schtasks.exe
932	schtasks.exe
3044	schtasks.exe
2020	schtasks.exe
1756	schtasks.exe
2428	schtasks.exe
1684	schtasks.exe
2012	schtasks.exe
4280	schtasks.exe
2136	schtasks.exe
3428	schtasks.exe
1896	schtasks.exe
2316	schtasks.exe
2344	schtasks.exe
2864	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2600	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
4624	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
4624	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
4624	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
4988	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
4988	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
4988	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
4988	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
4988	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
4988	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
4988	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
4988	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
4988	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
4988	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
4988	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
4024	winlogon.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2600	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
Token: SeDebugPrivilege	4624	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
Token: SeDebugPrivilege	4988	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
Token: SeDebugPrivilege	4024	winlogon.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 316	2600	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe	89
PID 2600 wrote to memory of 316	2600	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe	89
PID 316 wrote to memory of 4028	316	cmd.exe	91
PID 316 wrote to memory of 4028	316	cmd.exe	91
PID 316 wrote to memory of 4624	316	cmd.exe	92
PID 316 wrote to memory of 4624	316	cmd.exe	92
PID 4624 wrote to memory of 4988	4624	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe	105
PID 4624 wrote to memory of 4988	4624	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe	105
PID 4988 wrote to memory of 2956	4988	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe	154
PID 4988 wrote to memory of 2956	4988	5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe	154
PID 2956 wrote to memory of 516	2956	cmd.exe	156
PID 2956 wrote to memory of 516	2956	cmd.exe	156
PID 2956 wrote to memory of 4024	2956	cmd.exe	161
PID 2956 wrote to memory of 4024	2956	cmd.exe	161

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
"C:\Users\Admin\AppData\Local\Temp\5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe"
1⤵
- DcRat
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GEujOzFY9Y.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4028
- - C:\Users\Admin\AppData\Local\Temp\5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
    "C:\Users\Admin\AppData\Local\Temp\5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe"
    3⤵
    - Checks computer location settings
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - C:\Users\Admin\AppData\Local\Temp\5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe
      "C:\Users\Admin\AppData\Local\Temp\5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe"
      4⤵
      Checks computer location settings
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4988
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uuPajUMwL4.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2956
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:516
      - C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\Provisioning\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Provisioning\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Provisioning\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\sihost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Music\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\My Music\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\taskhostw.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\sysmon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\images\SearchApp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\images\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Performance\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Crashpad\reports\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Crashpad\reports\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\addins\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\addins\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Favorites\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Favorites\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEujOzFY9Y.bat

Filesize
267B

MD5
1d9afa7de0d5901897f697a42e4751d4

SHA1
abcbd4c991d7060621eb996d5efc4145f07584d0

SHA256
fab42bcb3ab1d6d0c69edff727555fd3f6be7905ff15c937c90fce859d4b3d9d

SHA512
7eb9a3af60bf235ba22925c2fa2373813228d845deda06a747012527c7f3eb26a69eca90bbd52d995012d1bf468371300bbd65bf4ebec4425b9c0782b9f0ea75

Download Submit
C:\Users\Admin\AppData\Local\Temp\uuPajUMwL4.bat

Filesize
231B

MD5
50e00fe99f6090540ce8488ca2fc6ba3

SHA1
5167ef7f069d5e4fc25edbebbc30f322f43185b7

SHA256
6b5aaae47f679c1e09f0a0147e780d4bbc76c153f8f3ba9ab2008d1da1ab8588

SHA512
d1fbed3396a4b69db45d34a02722eba9096fe7492eb1d5580d1325d640f4aa876834136c2056ea45689f901d9701635f805c1d9c399fa3c1097a4ff947fae5ba

Download Submit
C:\Users\Admin\csrss.exe

Filesize
827KB

MD5
ee9f2d79c47d1d8f5e12135af3b6e51b

SHA1
05f8199fdf6946c81239af918b51a03ccb6e8ef2

SHA256
5b72b675d312dc805dcd399812e636e3f27fd1814975f9906daccb1f64e86762

SHA512
5146db40a9e977a352ed4b25684ca65b21b0716e9b0f55d06d94c2af8dae80ace1036588e34c7dcc489b148255ba0a3a916581eb525cdea2984d3ef4c5ad9305

Download Submit
memory/2600-0-0x00007FFBF2B73000-0x00007FFBF2B75000-memory.dmp

Filesize
8KB

Download
memory/2600-1-0x0000000000C80000-0x0000000000D56000-memory.dmp

Filesize
856KB

Download
memory/2600-2-0x00007FFBF2B70000-0x00007FFBF3631000-memory.dmp

Filesize
10.8MB

Download
memory/2600-12-0x00007FFBF2B70000-0x00007FFBF3631000-memory.dmp

Filesize
10.8MB

Download