dcrat | a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-02-2025 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe
Size

827KB
MD5

23d0dbe545edf5e3f6d5f89306091acb
SHA1

d2aa733c6e5bcfd64030c810014c09e52eb64474
SHA256

a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6
SHA512

65e3f360ccf29130b709ca6ba06f7809578bd860e7bc12da1631467899db017feeaf92fa804c797ccbcaa96c97ed7911a1e7021a8c5df84779e66caa8bf8f69a
SSDEEP

12288:THO6O1v7cpNWrqV908Etd+U4UCrw3EO9VENXJMV5SEZd0ju:b0v7cpXVe8EtwUtD3ET6SEZR

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat 44 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2928	schtasks.exe
		2604	schtasks.exe
		1744	schtasks.exe
		1616	schtasks.exe
		1988	schtasks.exe
		1548	schtasks.exe
		2648	schtasks.exe
		2900	schtasks.exe
		2844	schtasks.exe
		1900	schtasks.exe
		1372	schtasks.exe
		1700	schtasks.exe
		2228	schtasks.exe
		2696	schtasks.exe
		2760	schtasks.exe
		2304	schtasks.exe
		1480	schtasks.exe
		2324	schtasks.exe
		2656	schtasks.exe
		2660	schtasks.exe
		2756	schtasks.exe
		1016	schtasks.exe
		1680	schtasks.exe
		3024	schtasks.exe
		2256	schtasks.exe
		2792	schtasks.exe
		2832	schtasks.exe
		2044	schtasks.exe
		2248	schtasks.exe
		572	schtasks.exe
		640	schtasks.exe
		2208	schtasks.exe
		1240	schtasks.exe
File created	C:\Windows\Performance\WinSAT\DataStore\56085415360792		a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe
		1712	schtasks.exe
		1980	schtasks.exe
		2984	schtasks.exe
		996	schtasks.exe
		2216	schtasks.exe
		2112	schtasks.exe
		2424	schtasks.exe
File created	C:\Windows\Microsoft.NET\authman\6203df4a6bafc7		a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe
		1560	schtasks.exe
		920	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	2956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2956	schtasks.exe	30

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1628-1-0x0000000000930000-0x0000000000A06000-memory.dmp	dcrat
behavioral1/files/0x0005000000019621-11.dat	dcrat
behavioral1/memory/2012-44-0x0000000000300000-0x00000000003D6000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2012	a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Performance\WinSAT\DataStore\56085415360792	a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe
File created	C:\Windows\IME\27d1bcfc3c54e0	a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe
File created	C:\Windows\Help\Help\it-IT\csrss.exe	a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe
File opened for modification	C:\Windows\IME\System.exe	a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe
File created	C:\Windows\Help\Help\it-IT\886983d96e3d3e	a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe
File created	C:\Windows\Performance\WinSAT\DataStore\wininit.exe	a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe
File created	C:\Windows\Microsoft.NET\authman\lsass.exe	a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe
File created	C:\Windows\Microsoft.NET\authman\6203df4a6bafc7	a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe
File created	C:\Windows\IME\System.exe	a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1480	schtasks.exe
920	schtasks.exe
2696	schtasks.exe
1712	schtasks.exe
1900	schtasks.exe
2208	schtasks.exe
2984	schtasks.exe
2112	schtasks.exe
2248	schtasks.exe
996	schtasks.exe
2216	schtasks.exe
2656	schtasks.exe
2648	schtasks.exe
2844	schtasks.exe
1016	schtasks.exe
1680	schtasks.exe
1616	schtasks.exe
2424	schtasks.exe
1548	schtasks.exe
1560	schtasks.exe
1700	schtasks.exe
1240	schtasks.exe
2756	schtasks.exe
2324	schtasks.exe
2044	schtasks.exe
1988	schtasks.exe
2832	schtasks.exe
572	schtasks.exe
1980	schtasks.exe
3024	schtasks.exe
2256	schtasks.exe
640	schtasks.exe
2228	schtasks.exe
2900	schtasks.exe
2792	schtasks.exe
1744	schtasks.exe
2304	schtasks.exe
1372	schtasks.exe
2760	schtasks.exe
2660	schtasks.exe
2604	schtasks.exe
2928	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1628	a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe
1628	a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe
1628	a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe
1992	a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe
1992	a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe
1992	a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe
2012	a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe
Token: SeDebugPrivilege	1992	a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe
Token: SeDebugPrivilege	2012	a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 1888	1628	a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe	46
PID 1628 wrote to memory of 1888	1628	a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe	46
PID 1628 wrote to memory of 1888	1628	a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe	46
PID 1888 wrote to memory of 1456	1888	cmd.exe	48
PID 1888 wrote to memory of 1456	1888	cmd.exe	48
PID 1888 wrote to memory of 1456	1888	cmd.exe	48
PID 1888 wrote to memory of 1992	1888	cmd.exe	49
PID 1888 wrote to memory of 1992	1888	cmd.exe	49
PID 1888 wrote to memory of 1992	1888	cmd.exe	49
PID 1992 wrote to memory of 2484	1992	a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe	77
PID 1992 wrote to memory of 2484	1992	a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe	77
PID 1992 wrote to memory of 2484	1992	a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe	77
PID 2484 wrote to memory of 2976	2484	cmd.exe	79
PID 2484 wrote to memory of 2976	2484	cmd.exe	79
PID 2484 wrote to memory of 2976	2484	cmd.exe	79
PID 2484 wrote to memory of 2012	2484	cmd.exe	81
PID 2484 wrote to memory of 2012	2484	cmd.exe	81
PID 2484 wrote to memory of 2012	2484	cmd.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe
"C:\Users\Admin\AppData\Local\Temp\a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe"
1⤵
- DcRat
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dhnZNzwT1Q.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1456
- - C:\Users\Admin\AppData\Local\Temp\a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe
    "C:\Users\Admin\AppData\Local\Temp\a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CJ6bG7yDry.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2484
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2976
    - - C:\MSOCache\All Users\a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe
        
        "C:\MSOCache\All Users\a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\Performance\WinSAT\DataStore\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\Performance\WinSAT\DataStore\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\Microsoft.NET\authman\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\authman\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\authman\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\IME\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\IME\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\IME\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Default\SendTo\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\SendTo\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Default\SendTo\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\Help\it-IT\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Help\Help\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\Help\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6a" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6" /sc ONLOGON /tr "'C:\MSOCache\All Users\a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6a" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\SendTo\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SendTo\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CJ6bG7yDry.bat

Filesize
255B

MD5
9f9f30ff553c29d25522f3eca881fda4

SHA1
f3f6c4d3837376b859c90ff6ef035407914c2abc

SHA256
5bb95bc3b3aa175a6bf2e4c9584adba8a379dffa9604f5069bd962c71a7b0ab2

SHA512
433c22a11f772128f3ffda1ada9ce2c39aa387680bf0fa38296e043b9c59e65ddcec23f6be70f9907fc1fd06359465aa1f7ab97f5d11a2c0c5e353eb5a274a7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhnZNzwT1Q.bat

Filesize
267B

MD5
e0d9d458a0a2e1fdc20f22cb783961db

SHA1
f5bd592affd563b2425b35f92fb315988928aac4

SHA256
beca377605903191d153bf2d5bd4949b4a88f94746c2a04ffe36f40865fa08de

SHA512
5254e0a8d5073df4f5bf856a974c71fd9cceecd0471458459d924c330954801f1f1b6d39579591b0fecf9487790aa7866213680a913840636cf007837aeceacd

Download Submit
C:\Windows\Microsoft.NET\authman\lsass.exe

Filesize
827KB

MD5
23d0dbe545edf5e3f6d5f89306091acb

SHA1
d2aa733c6e5bcfd64030c810014c09e52eb64474

SHA256
a2bf0fc5a323073723c337d9a90e5141bd2ff9ad0b3f70459ee695962f87f8e6

SHA512
65e3f360ccf29130b709ca6ba06f7809578bd860e7bc12da1631467899db017feeaf92fa804c797ccbcaa96c97ed7911a1e7021a8c5df84779e66caa8bf8f69a

Download Submit
memory/1628-0-0x000007FEF5AC3000-0x000007FEF5AC4000-memory.dmp

Filesize
4KB

Download
memory/1628-1-0x0000000000930000-0x0000000000A06000-memory.dmp

Filesize
856KB

Download
memory/1628-2-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

Filesize
9.9MB

Download
memory/1628-18-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

Filesize
9.9MB

Download
memory/2012-44-0x0000000000300000-0x00000000003D6000-memory.dmp

Filesize
856KB

Download