dcrat | 4f54be07cc25b4d61afd354db8f85494a8de5d6e382056e658b14a4ae528da62

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
17/02/2025, 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f54be07cc25b4d61afd354db8f85494a8de5d6e382056e658b14a4ae528da62N.exe
Size

1.1MB
MD5

96762861297137fcb398d06650143520
SHA1

0a3f0d2f09598f0b2ad81e1f0de0534246a66658
SHA256

4f54be07cc25b4d61afd354db8f85494a8de5d6e382056e658b14a4ae528da62
SHA512

18e1421334bd89d28859e2c29b6d7ed139fd36f1ab881bf1fe6f6ff07670f14b2a2f9d34f99015376055a776872da70a47c33e8ab3e9b55f5305ce6f49adf87a
SSDEEP

24576:U2G/nvxW3Ww0t7CZRYAhTSMw5jwtI87ULgJDN6/:UbA307U1hwi97rDs

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2804	schtasks.exe	34

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000015d89-12.dat	dcrat
behavioral1/memory/536-13-0x0000000000FA0000-0x0000000001076000-memory.dmp	dcrat
behavioral1/memory/2744-57-0x0000000001140000-0x0000000001216000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

pid	Process
536	MsNet.exe
2744	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
2200	cmd.exe
2200	cmd.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\5940a34987c991	MsNet.exe
File created	C:\Program Files (x86)\Windows NT\b75386f1303e64	MsNet.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe	MsNet.exe
File created	C:\Program Files (x86)\Common Files\DESIGNER\lsm.exe	MsNet.exe
File created	C:\Program Files (x86)\Common Files\DESIGNER\101b941d020240	MsNet.exe
File created	C:\Program Files\Windows Mail\fr-FR\6203df4a6bafc7	MsNet.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\WmiPrvSE.exe	MsNet.exe
File created	C:\Program Files (x86)\Uninstall Information\csrss.exe	MsNet.exe
File created	C:\Program Files\Google\Chrome\Application\42af1c969fbb7b	MsNet.exe
File created	C:\Program Files (x86)\Windows NT\taskhost.exe	MsNet.exe
File created	C:\Program Files (x86)\Windows Portable Devices\dllhost.exe	MsNet.exe
File created	C:\Program Files\Google\Chrome\Application\audiodg.exe	MsNet.exe
File created	C:\Program Files (x86)\Uninstall Information\886983d96e3d3e	MsNet.exe
File created	C:\Program Files\Windows Mail\fr-FR\lsass.exe	MsNet.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\24dbde2999530e	MsNet.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\886983d96e3d3e	MsNet.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\TAPI\0a1fd5f707cd16	MsNet.exe
File created	C:\Windows\Panther\UnattendGC\dllhost.exe	MsNet.exe
File created	C:\Windows\Panther\UnattendGC\5940a34987c991	MsNet.exe
File created	C:\Windows\TAPI\sppsvc.exe	MsNet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f54be07cc25b4d61afd354db8f85494a8de5d6e382056e658b14a4ae528da62N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2792	schtasks.exe
2516	schtasks.exe
2652	schtasks.exe
2524	schtasks.exe
1724	schtasks.exe
1700	schtasks.exe
3044	schtasks.exe
2232	schtasks.exe
2896	schtasks.exe
1936	schtasks.exe
2984	schtasks.exe
1748	schtasks.exe
1720	schtasks.exe
1820	schtasks.exe
972	schtasks.exe
1032	schtasks.exe
1948	schtasks.exe
1536	schtasks.exe
2800	schtasks.exe
1052	schtasks.exe
548	schtasks.exe
1832	schtasks.exe
868	schtasks.exe
576	schtasks.exe
1972	schtasks.exe
812	schtasks.exe
1600	schtasks.exe
2148	schtasks.exe
1764	schtasks.exe
780	schtasks.exe
2968	schtasks.exe
2972	schtasks.exe
3028	schtasks.exe
2136	schtasks.exe
1632	schtasks.exe
1560	schtasks.exe
304	schtasks.exe
604	schtasks.exe
924	schtasks.exe
344	schtasks.exe
2484	schtasks.exe
456	schtasks.exe
1752	schtasks.exe
2680	schtasks.exe
872	schtasks.exe
2320	schtasks.exe
1736	schtasks.exe
2396	schtasks.exe
2180	schtasks.exe
1288	schtasks.exe
2192	schtasks.exe
2356	schtasks.exe
1512	schtasks.exe
1268	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
536	MsNet.exe
2744	lsm.exe
2744	lsm.exe
2744	lsm.exe
2744	lsm.exe
2744	lsm.exe
2744	lsm.exe
2744	lsm.exe
2744	lsm.exe
2744	lsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	536	MsNet.exe
Token: SeDebugPrivilege	2744	lsm.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2112	2116	4f54be07cc25b4d61afd354db8f85494a8de5d6e382056e658b14a4ae528da62N.exe	30
PID 2116 wrote to memory of 2112	2116	4f54be07cc25b4d61afd354db8f85494a8de5d6e382056e658b14a4ae528da62N.exe	30
PID 2116 wrote to memory of 2112	2116	4f54be07cc25b4d61afd354db8f85494a8de5d6e382056e658b14a4ae528da62N.exe	30
PID 2116 wrote to memory of 2112	2116	4f54be07cc25b4d61afd354db8f85494a8de5d6e382056e658b14a4ae528da62N.exe	30
PID 2112 wrote to memory of 2200	2112	WScript.exe	31
PID 2112 wrote to memory of 2200	2112	WScript.exe	31
PID 2112 wrote to memory of 2200	2112	WScript.exe	31
PID 2112 wrote to memory of 2200	2112	WScript.exe	31
PID 2200 wrote to memory of 536	2200	cmd.exe	33
PID 2200 wrote to memory of 536	2200	cmd.exe	33
PID 2200 wrote to memory of 536	2200	cmd.exe	33
PID 2200 wrote to memory of 536	2200	cmd.exe	33
PID 536 wrote to memory of 2308	536	MsNet.exe	89
PID 536 wrote to memory of 2308	536	MsNet.exe	89
PID 536 wrote to memory of 2308	536	MsNet.exe	89
PID 2308 wrote to memory of 2836	2308	cmd.exe	91
PID 2308 wrote to memory of 2836	2308	cmd.exe	91
PID 2308 wrote to memory of 2836	2308	cmd.exe	91
PID 2308 wrote to memory of 2744	2308	cmd.exe	93
PID 2308 wrote to memory of 2744	2308	cmd.exe	93
PID 2308 wrote to memory of 2744	2308	cmd.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4f54be07cc25b4d61afd354db8f85494a8de5d6e382056e658b14a4ae528da62N.exe
"C:\Users\Admin\AppData\Local\Temp\4f54be07cc25b4d61afd354db8f85494a8de5d6e382056e658b14a4ae528da62N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\blockBrowserreviewHostNet\xY4XW4YtsslkN8YkwUCHQrB1.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\blockBrowserreviewHostNet\87bfrCyVy.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\blockBrowserreviewHostNet\MsNet.exe
      "C:\blockBrowserreviewHostNet\MsNet.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:536
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NZd6JbcN2f.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2308
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2836
      - C:\Program Files (x86)\Common Files\DESIGNER\lsm.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\lsm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\blockBrowserreviewHostNet\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\blockBrowserreviewHostNet\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\blockBrowserreviewHostNet\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\fr-FR\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fr-FR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\fr-FR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\Favorites\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\blockBrowserreviewHostNet\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\blockBrowserreviewHostNet\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\blockBrowserreviewHostNet\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\TAPI\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\DESIGNER\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Panther\UnattendGC\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Panther\UnattendGC\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\UnattendGC\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\My Music\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Music\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NZd6JbcN2f.bat

Filesize
217B

MD5
9b384f933d9d1b9bec67bd16ef061499

SHA1
0735a57b2a0e70743b898673d5b3230d39a63a88

SHA256
907648d4d3053853637a1050d948cc341be29b9653270544808bc9740533ba77

SHA512
bec7243641971d95e0b55b9ecc9f1bd136953a8830352dc4a784af49188001b19ab62e36ea41ae804381bc274eb897e267496b71452c58dcc9ae84e8bbdeff87

Download Submit
C:\blockBrowserreviewHostNet\87bfrCyVy.bat

Filesize
40B

MD5
a690f6e0c6d43487eedaae5b8721661e

SHA1
f0e210dff9aa0dcc326c6577ad5199803b3f66f1

SHA256
18722e015c6a07d67ca50a098185e1af251f5f674347a9c69eb9cb5adc1301ce

SHA512
6cdd3069caf010cd1c3377799866bda5b8e72e41a708e4ed5f90ea6be699083c02e98c2f000545c04fe605e4b748881e108140bce784f23e99030b0750a8f034

Download Submit
C:\blockBrowserreviewHostNet\MsNet.exe

Filesize
828KB

MD5
33c65cd1ae7664ac1d8fae6aeec4349a

SHA1
d4346a7c78b34112f27f2aa00fa85b9355fde4c8

SHA256
046c832bbe0d9da1405f4074c47ff461eee6b1132d8f24ae76cdea982f470348

SHA512
bed32cc887d01236847d92b00437fc13fc6157bd9f668565cd5975f1158ee1d4baccc0daf9466cd02d5626ed18df8fd4bd0917d8d20db5237c4e476e9b7df3d6

Download Submit
C:\blockBrowserreviewHostNet\xY4XW4YtsslkN8YkwUCHQrB1.vbe

Filesize
211B

MD5
2e5288c585bc259f4b5f835eed2a7db2

SHA1
e77c36f0c62b9b375d0e1cd28569b62ca06061b3

SHA256
ce92b84237a2da62b260ed2bcaa5c3ea57635e1a26e269c526b64eabe8ba6080

SHA512
e2ee7af7b5bf9ea47f5cb6eb0a96e23262fb6948089baefe9b95bafca52e48ffff0198a06dfea0ad12b6b4e6fd024095b79ac56cd31c8784a2d745f963e06359

Download Submit
memory/536-13-0x0000000000FA0000-0x0000000001076000-memory.dmp

Filesize
856KB

Download
memory/2744-57-0x0000000001140000-0x0000000001216000-memory.dmp

Filesize
856KB

Download