dcrat | 848feeb5b4b55aef6fbd560d0800ee2370d4cb935495abb82f2870169c42aae5

Analysis

max time kernel
122s
max time network
163s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-02-2025 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e7538073640e94a8d277d5c455e88d8.exe
Size

1.7MB
MD5

0e7538073640e94a8d277d5c455e88d8
SHA1

23320607446a750d0f0b79b75facd0e15c881e85
SHA256

848feeb5b4b55aef6fbd560d0800ee2370d4cb935495abb82f2870169c42aae5
SHA512

225a5d1863ada9d82d51ee9b4f073ca1d964b237fa1994970adb07b0b16ba3c6c759ce11f2f0806f96be75f688ac4674e33cba0de39ea40ab96d64654323d844
SSDEEP

49152:aLUbMVuHF+xDNs7Y8R7mY58jJlMUwgUK:agbCvxDNIY8hujEJK

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\", \"C:\\Windows\\SysWOW64\\et-EE\\WmiPrvSE.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\", \"C:\\Windows\\SysWOW64\\et-EE\\WmiPrvSE.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\it\\WmiPrvSE.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\", \"C:\\Windows\\SysWOW64\\et-EE\\WmiPrvSE.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\it\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\services.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\", \"C:\\Windows\\SysWOW64\\et-EE\\WmiPrvSE.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\it\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\services.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsm.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\", \"C:\\Windows\\SysWOW64\\et-EE\\WmiPrvSE.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\it\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\services.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsm.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\0e7538073640e94a8d277d5c455e88d8.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\""	0e7538073640e94a8d277d5c455e88d8.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2632	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2632	schtasks.exe	30

Executes dropped EXE 1 IoCs

pid	Process
1864	lsm.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\it\\WmiPrvSE.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\services.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\SysWOW64\\et-EE\\WmiPrvSE.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\it\\WmiPrvSE.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\SysWOW64\\et-EE\\WmiPrvSE.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\services.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsm.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsm.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\0e7538073640e94a8d277d5c455e88d8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0e7538073640e94a8d277d5c455e88d8.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0e7538073640e94a8d277d5c455e88d8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0e7538073640e94a8d277d5c455e88d8.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Windows Sidebar\\de-DE\\lsm.exe\""	0e7538073640e94a8d277d5c455e88d8.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\et-EE\24dbde2999530e	0e7538073640e94a8d277d5c455e88d8.exe
File created	\??\c:\Windows\System32\CSC3A912BD8E7E405EB25DDF1C1CF9ACC5.TMP	csc.exe
File created	\??\c:\Windows\System32\hi5-9c.exe	csc.exe
File created	C:\Windows\SysWOW64\et-EE\WmiPrvSE.exe	0e7538073640e94a8d277d5c455e88d8.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\services.exe	0e7538073640e94a8d277d5c455e88d8.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\c5b4cb5e9653cc	0e7538073640e94a8d277d5c455e88d8.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\WmiPrvSE.exe	0e7538073640e94a8d277d5c455e88d8.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\24dbde2999530e	0e7538073640e94a8d277d5c455e88d8.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\lsm.exe	0e7538073640e94a8d277d5c455e88d8.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\101b941d020240	0e7538073640e94a8d277d5c455e88d8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2068	schtasks.exe
2964	schtasks.exe
1272	schtasks.exe
1104	schtasks.exe
1776	schtasks.exe
1780	schtasks.exe
1152	schtasks.exe
2108	schtasks.exe
2144	schtasks.exe
1292	schtasks.exe
2324	schtasks.exe
1816	schtasks.exe
1452	schtasks.exe
2920	schtasks.exe
1488	schtasks.exe
2688	schtasks.exe
1700	schtasks.exe
2104	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
2768	0e7538073640e94a8d277d5c455e88d8.exe
1864	lsm.exe
1864	lsm.exe
1864	lsm.exe
1864	lsm.exe
1864	lsm.exe
1864	lsm.exe
1864	lsm.exe
1864	lsm.exe
1864	lsm.exe
1864	lsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	0e7538073640e94a8d277d5c455e88d8.exe
Token: SeDebugPrivilege	1864	lsm.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 1820	2768	0e7538073640e94a8d277d5c455e88d8.exe	34
PID 2768 wrote to memory of 1820	2768	0e7538073640e94a8d277d5c455e88d8.exe	34
PID 2768 wrote to memory of 1820	2768	0e7538073640e94a8d277d5c455e88d8.exe	34
PID 1820 wrote to memory of 3016	1820	csc.exe	36
PID 1820 wrote to memory of 3016	1820	csc.exe	36
PID 1820 wrote to memory of 3016	1820	csc.exe	36
PID 2768 wrote to memory of 2556	2768	0e7538073640e94a8d277d5c455e88d8.exe	52
PID 2768 wrote to memory of 2556	2768	0e7538073640e94a8d277d5c455e88d8.exe	52
PID 2768 wrote to memory of 2556	2768	0e7538073640e94a8d277d5c455e88d8.exe	52
PID 2556 wrote to memory of 2560	2556	cmd.exe	54
PID 2556 wrote to memory of 2560	2556	cmd.exe	54
PID 2556 wrote to memory of 2560	2556	cmd.exe	54
PID 2556 wrote to memory of 2496	2556	cmd.exe	55
PID 2556 wrote to memory of 2496	2556	cmd.exe	55
PID 2556 wrote to memory of 2496	2556	cmd.exe	55
PID 2556 wrote to memory of 1864	2556	cmd.exe	56
PID 2556 wrote to memory of 1864	2556	cmd.exe	56
PID 2556 wrote to memory of 1864	2556	cmd.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0e7538073640e94a8d277d5c455e88d8.exe
"C:\Users\Admin\AppData\Local\Temp\0e7538073640e94a8d277d5c455e88d8.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4e2fxx4w\4e2fxx4w.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA43B.tmp" "c:\Windows\System32\CSC3A912BD8E7E405EB25DDF1C1CF9ACC5.TMP"
    3⤵
    PID:3016
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K01chf9Inx.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2560
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2496
- - C:\Program Files (x86)\Windows Sidebar\de-DE\lsm.exe
    "C:\Program Files (x86)\Windows Sidebar\de-DE\lsm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\SysWOW64\et-EE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\SysWOW64\et-EE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\SysWOW64\et-EE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0e7538073640e94a8d277d5c455e88d80" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\0e7538073640e94a8d277d5c455e88d8.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0e7538073640e94a8d277d5c455e88d8" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\0e7538073640e94a8d277d5c455e88d8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0e7538073640e94a8d277d5c455e88d80" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\0e7538073640e94a8d277d5c455e88d8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Sidebar\de-DE\lsm.exe

Filesize
1.7MB

MD5
0e7538073640e94a8d277d5c455e88d8

SHA1
23320607446a750d0f0b79b75facd0e15c881e85

SHA256
848feeb5b4b55aef6fbd560d0800ee2370d4cb935495abb82f2870169c42aae5

SHA512
225a5d1863ada9d82d51ee9b4f073ca1d964b237fa1994970adb07b0b16ba3c6c759ce11f2f0806f96be75f688ac4674e33cba0de39ea40ab96d64654323d844

Download Submit
C:\Users\Admin\AppData\Local\Temp\K01chf9Inx.bat

Filesize
228B

MD5
7b557bc95bbc627ae9951f391df11998

SHA1
23f1820e47fa84c4c8bdfec340e3a9600e0476e1

SHA256
e3833294701d4171869db61ce0f52a4d0b6e233015c99f9a567bb12fb0e1feaf

SHA512
908f4f6ec25eb55583647677f8ac928445876d746f0327e337ef2d5f49b4300982fffbaabfeb538ca8bd839b9d2afcd0ad56b5358a4014cede05cc81e5cc1014

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA43B.tmp

Filesize
1KB

MD5
8bfe43a646a1587df515a8bdc9f8314f

SHA1
353b969e7a6a8dfa8984ff6a0bd533a771606e86

SHA256
57a6221a96ab2bb5af24068d7f4eefdc7153439009d5bd0fd1052c5e9d19932e

SHA512
b82f74f1966984a7ad0dc025f0188fd9490764cf69a15f0247e6405210f2c29b11d7b276c7b93bcf51dfd99cdf2756e481ffbd6542c5054107f9ee24f8bf7c6d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4e2fxx4w\4e2fxx4w.0.cs

Filesize
384B

MD5
88ea666c3c6443e414faf880a3441bd0

SHA1
dab57231a380258cdd0ae4b73e71bc8955de28af

SHA256
a66701f94929062cab256f0561e3dc13754798e4323fe9be0ed3bc4d9bf8ec60

SHA512
26836e9ae739b240b7f9aa10ad055a6cd88120f8f64205a8bb0389eac43be14454b70a41a63ea3906d41daf0fd96dc5f67394a1c2bc6d2f34c56576864b967ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4e2fxx4w\4e2fxx4w.cmdline

Filesize
235B

MD5
33f05c17febe8eea0f2b04c6bab45cd6

SHA1
529dc2b5e220101eca3cab18528e065308b775bf

SHA256
e3550c27151c70fd9ae9f64f01f6549e85d832dcb5088566180620e496a4dbbb

SHA512
858c093e3fd0508aae88409d3b4f82839fef6772f1333d55d0ebd02ea443d8421db9daf4e1f9f872972150e63d2fd72ccf18daebb043930f8ded0364d26c3a36

Download Submit
\??\c:\Windows\System32\CSC3A912BD8E7E405EB25DDF1C1CF9ACC5.TMP

Filesize
1KB

MD5
60a1ebb8f840aad127346a607d80fc19

SHA1
c8b7e9ad601ac19ab90b3e36f811960e8badf354

SHA256
9d6a9d38b7a86cc88e551a0c1172a3fb387b1a5f928ac13993ec3387d39cc243

SHA512
44830cefb264bac520174b4b884312dd0393be33a193d4f0fee3cc3c14deb86ca39e43ef281232f9169fd204d19b22e8a7aad72fa448ca52d5cbc3ee1dbb18a4

Download Submit
memory/1864-51-0x0000000000B60000-0x0000000000D20000-memory.dmp

Filesize
1.8MB

Download
memory/2768-9-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-6-0x00000000003E0000-0x00000000003EE000-memory.dmp

Filesize
56KB

Download
memory/2768-11-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2768-13-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-15-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-14-0x000007FEF5F63000-0x000007FEF5F64000-memory.dmp

Filesize
4KB

Download
memory/2768-8-0x0000000000420000-0x0000000000438000-memory.dmp

Filesize
96KB

Download
memory/2768-27-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-0-0x000007FEF5F63000-0x000007FEF5F64000-memory.dmp

Filesize
4KB

Download
memory/2768-12-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-4-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-3-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-40-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-2-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-46-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-47-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-48-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-1-0x0000000000DB0000-0x0000000000F70000-memory.dmp

Filesize
1.8MB

Download