dcrat | 52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-02-2025 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fed24fca9235528a9e0a686ff60b723d.exe
Size

1.2MB
MD5

fed24fca9235528a9e0a686ff60b723d
SHA1

e497808ca573e7dfd2e4d99d2c085ab9724707e0
SHA256

52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288
SHA512

2c1699f394a6c8708cd13f53e7df631b7548d72bb46b035963044c1f6c73b84ebba1e1adc02fe5f22d2aae31470bc9e61cce623cbdee3682c54b387befb7b999
SSDEEP

12288:90b329aw7HMGuBrwRCRa+XplQBuK7hEefjf05gRyC7Z3M6xqPhbqOEJv005vnhJb:98yaw7HMHXRa+y7htfxRr2EgKt0O8C3

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2572	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2572	schtasks.exe	31

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2436-1-0x0000000001020000-0x000000000115C000-memory.dmp	dcrat
behavioral1/files/0x00050000000193cc-16.dat	dcrat
behavioral1/memory/1264-48-0x0000000001060000-0x000000000119C000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
1264	services.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\Network Sharing\audiodg.exe	fed24fca9235528a9e0a686ff60b723d.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\42af1c969fbb7b	fed24fca9235528a9e0a686ff60b723d.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\dllhost.exe	fed24fca9235528a9e0a686ff60b723d.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\27d1bcfc3c54e0	fed24fca9235528a9e0a686ff60b723d.exe
File created	C:\Program Files (x86)\Google\faa4c0b4c088c4	fed24fca9235528a9e0a686ff60b723d.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\audiodg.exe	fed24fca9235528a9e0a686ff60b723d.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\5940a34987c991	fed24fca9235528a9e0a686ff60b723d.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\System.exe	fed24fca9235528a9e0a686ff60b723d.exe
File created	C:\Program Files\Windows Media Player\Icons\smss.exe	fed24fca9235528a9e0a686ff60b723d.exe
File created	C:\Program Files\Java\jre7\lib\management\WMIADAP.exe	fed24fca9235528a9e0a686ff60b723d.exe
File created	C:\Program Files\Java\jre7\lib\management\75a57c1bdf437c	fed24fca9235528a9e0a686ff60b723d.exe
File created	C:\Program Files (x86)\Google\fed24fca9235528a9e0a686ff60b723d.exe	fed24fca9235528a9e0a686ff60b723d.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\AppPatch\it-IT\b75386f1303e64	fed24fca9235528a9e0a686ff60b723d.exe
File created	C:\Windows\Boot\System.exe	fed24fca9235528a9e0a686ff60b723d.exe
File created	C:\Windows\Performance\WinSAT\DataStore\services.exe	fed24fca9235528a9e0a686ff60b723d.exe
File created	C:\Windows\Performance\WinSAT\DataStore\c5b4cb5e9653cc	fed24fca9235528a9e0a686ff60b723d.exe
File created	C:\Windows\Web\Wallpaper\Scenes\services.exe	fed24fca9235528a9e0a686ff60b723d.exe
File created	C:\Windows\Web\Wallpaper\Scenes\c5b4cb5e9653cc	fed24fca9235528a9e0a686ff60b723d.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..drivermanager-trace_31bf3856ad364e35_6.1.7601.17514_none_817af6649fbc1ed4\csrss.exe	fed24fca9235528a9e0a686ff60b723d.exe
File created	C:\Windows\AppPatch\it-IT\taskhost.exe	fed24fca9235528a9e0a686ff60b723d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1944	schtasks.exe
3044	schtasks.exe
1224	schtasks.exe
2224	schtasks.exe
2076	schtasks.exe
2296	schtasks.exe
1712	schtasks.exe
2684	schtasks.exe
1160	schtasks.exe
2324	schtasks.exe
2584	schtasks.exe
1876	schtasks.exe
2892	schtasks.exe
1948	schtasks.exe
1760	schtasks.exe
2192	schtasks.exe
3020	schtasks.exe
332	schtasks.exe
1684	schtasks.exe
2320	schtasks.exe
1616	schtasks.exe
2900	schtasks.exe
2604	schtasks.exe
2196	schtasks.exe
764	schtasks.exe
2456	schtasks.exe
2416	schtasks.exe
2360	schtasks.exe
3064	schtasks.exe
1956	schtasks.exe
1192	schtasks.exe
2444	schtasks.exe
1688	schtasks.exe
1720	schtasks.exe
2600	schtasks.exe
1892	schtasks.exe
1500	schtasks.exe
2976	schtasks.exe
804	schtasks.exe
1804	schtasks.exe
1448	schtasks.exe
2352	schtasks.exe
2832	schtasks.exe
2868	schtasks.exe
2932	schtasks.exe
2428	schtasks.exe
2412	schtasks.exe
1676	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2436	fed24fca9235528a9e0a686ff60b723d.exe
2436	fed24fca9235528a9e0a686ff60b723d.exe
2436	fed24fca9235528a9e0a686ff60b723d.exe
2436	fed24fca9235528a9e0a686ff60b723d.exe
2436	fed24fca9235528a9e0a686ff60b723d.exe
2436	fed24fca9235528a9e0a686ff60b723d.exe
2436	fed24fca9235528a9e0a686ff60b723d.exe
2436	fed24fca9235528a9e0a686ff60b723d.exe
2436	fed24fca9235528a9e0a686ff60b723d.exe
2436	fed24fca9235528a9e0a686ff60b723d.exe
2436	fed24fca9235528a9e0a686ff60b723d.exe
2436	fed24fca9235528a9e0a686ff60b723d.exe
2436	fed24fca9235528a9e0a686ff60b723d.exe
2436	fed24fca9235528a9e0a686ff60b723d.exe
2436	fed24fca9235528a9e0a686ff60b723d.exe
2436	fed24fca9235528a9e0a686ff60b723d.exe
2436	fed24fca9235528a9e0a686ff60b723d.exe
2436	fed24fca9235528a9e0a686ff60b723d.exe
2436	fed24fca9235528a9e0a686ff60b723d.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe
1264	services.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2436	fed24fca9235528a9e0a686ff60b723d.exe
Token: SeDebugPrivilege	1264	services.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 1660	2436	fed24fca9235528a9e0a686ff60b723d.exe	80
PID 2436 wrote to memory of 1660	2436	fed24fca9235528a9e0a686ff60b723d.exe	80
PID 2436 wrote to memory of 1660	2436	fed24fca9235528a9e0a686ff60b723d.exe	80
PID 1660 wrote to memory of 2024	1660	cmd.exe	82
PID 1660 wrote to memory of 2024	1660	cmd.exe	82
PID 1660 wrote to memory of 2024	1660	cmd.exe	82
PID 1660 wrote to memory of 1264	1660	cmd.exe	83
PID 1660 wrote to memory of 1264	1660	cmd.exe	83
PID 1660 wrote to memory of 1264	1660	cmd.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fed24fca9235528a9e0a686ff60b723d.exe
"C:\Users\Admin\AppData\Local\Temp\fed24fca9235528a9e0a686ff60b723d.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YUtQUyZ08P.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2024
- - C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe
    "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\Network Sharing\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\Network Sharing\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\Wallpaper\Scenes\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Scenes\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\Web\Wallpaper\Scenes\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\en-US\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\AppPatch\it-IT\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\AppPatch\it-IT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\it-IT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\DataStore\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\WinSAT\DataStore\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre7\lib\management\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lib\management\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\lib\management\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fed24fca9235528a9e0a686ff60b723df" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\fed24fca9235528a9e0a686ff60b723d.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fed24fca9235528a9e0a686ff60b723d" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\fed24fca9235528a9e0a686ff60b723d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fed24fca9235528a9e0a686ff60b723df" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\fed24fca9235528a9e0a686ff60b723d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Application Data\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Application Data\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\YUtQUyZ08P.bat

Filesize
240B

MD5
430715a58e4a04238fd88e4f922af5b9

SHA1
dcab6da0c4b607f3d14b1b1861608dd977bfe400

SHA256
93a8b2534cf8a07de324845eeda8e547e0d79e2fb8f38de323f285d73fbe1af6

SHA512
a870084c816323d2c876e46aa4ecd22b9f52cc377ddfe3b9b4847c258838c5ef845910e6865771fead576b43b481b5e5ce75be3a6b456ee5ee83294308532f40

Download Submit
C:\Windows\AppPatch\it-IT\taskhost.exe

Filesize
1.2MB

MD5
fed24fca9235528a9e0a686ff60b723d

SHA1
e497808ca573e7dfd2e4d99d2c085ab9724707e0

SHA256
52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288

SHA512
2c1699f394a6c8708cd13f53e7df631b7548d72bb46b035963044c1f6c73b84ebba1e1adc02fe5f22d2aae31470bc9e61cce623cbdee3682c54b387befb7b999

Download Submit
memory/1264-48-0x0000000001060000-0x000000000119C000-memory.dmp

Filesize
1.2MB

Download
memory/2436-0-0x000007FEF5EE3000-0x000007FEF5EE4000-memory.dmp

Filesize
4KB

Download
memory/2436-1-0x0000000001020000-0x000000000115C000-memory.dmp

Filesize
1.2MB

Download
memory/2436-2-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/2436-3-0x0000000000450000-0x000000000045E000-memory.dmp

Filesize
56KB

Download
memory/2436-4-0x0000000000460000-0x000000000047C000-memory.dmp

Filesize
112KB

Download
memory/2436-5-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/2436-6-0x0000000000490000-0x000000000049E000-memory.dmp

Filesize
56KB

Download
memory/2436-7-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

Filesize
48KB

Download
memory/2436-44-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download