dcrat | 5de218dd00c5b6536a8ea373bbe9b9f2079f788a113b847fbd5c39932170a6e6

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1ec8c3742e4e01173d709df1353dc5d.exe
Size

885KB
MD5

d1ec8c3742e4e01173d709df1353dc5d
SHA1

30c91b20f0ced765718860cbb2a9f39ca19cf20b
SHA256

e50d685dc91548b2786aaff53e3b0e3a0779a6e41304a59607c042a2ad12482d
SHA512

1ba0dc8ff62291ca5d6213a1b7b6e473ee34b3b5dd5e56d6e6880c9a954f4682144785bd43f5e0e357913e465f53b9e78424dc8bb4146b479303597ecd2e3b65
SSDEEP

12288:+lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:+lNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2840	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2840	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2840	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2840	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2840	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2840	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2840	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2840	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2840	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2840	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2840	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2840	schtasks.exe	31

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral17/memory/2256-1-0x00000000012C0000-0x00000000013A4000-memory.dmp	dcrat
behavioral17/files/0x000500000001a4e6-21.dat	dcrat
behavioral17/memory/860-76-0x0000000000960000-0x0000000000A44000-memory.dmp	dcrat
behavioral17/memory/1600-87-0x00000000000E0000-0x00000000001C4000-memory.dmp	dcrat
behavioral17/memory/2408-99-0x0000000000A30000-0x0000000000B14000-memory.dmp	dcrat
behavioral17/memory/1136-111-0x0000000000F20000-0x0000000001004000-memory.dmp	dcrat
behavioral17/memory/2712-123-0x0000000001270000-0x0000000001354000-memory.dmp	dcrat
behavioral17/memory/2364-135-0x0000000000320000-0x0000000000404000-memory.dmp	dcrat
behavioral17/memory/2028-147-0x00000000010D0000-0x00000000011B4000-memory.dmp	dcrat
behavioral17/memory/1828-170-0x00000000001E0000-0x00000000002C4000-memory.dmp	dcrat
behavioral17/memory/2808-182-0x0000000001130000-0x0000000001214000-memory.dmp	dcrat
behavioral17/memory/1600-205-0x0000000000140000-0x0000000000224000-memory.dmp	dcrat

Executes dropped EXE 12 IoCs

pid	Process
860	smss.exe
1600	smss.exe
2408	smss.exe
1136	smss.exe
2712	smss.exe
2364	smss.exe
2028	smss.exe
2280	smss.exe
1828	smss.exe
2808	smss.exe
2520	smss.exe
1600	smss.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\msadc\ja-JP\smss.exe	d1ec8c3742e4e01173d709df1353dc5d.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\69ddcba757bf72	d1ec8c3742e4e01173d709df1353dc5d.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\RCXE394.tmp	d1ec8c3742e4e01173d709df1353dc5d.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\RCXE395.tmp	d1ec8c3742e4e01173d709df1353dc5d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2760	schtasks.exe
2968	schtasks.exe
1848	schtasks.exe
2868	schtasks.exe
2560	schtasks.exe
2680	schtasks.exe
2212	schtasks.exe
2756	schtasks.exe
2592	schtasks.exe
2732	schtasks.exe
2588	schtasks.exe
2280	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2256	d1ec8c3742e4e01173d709df1353dc5d.exe
2256	d1ec8c3742e4e01173d709df1353dc5d.exe
2256	d1ec8c3742e4e01173d709df1353dc5d.exe
2256	d1ec8c3742e4e01173d709df1353dc5d.exe
2256	d1ec8c3742e4e01173d709df1353dc5d.exe
860	smss.exe
1600	smss.exe
2408	smss.exe
1136	smss.exe
2712	smss.exe
2364	smss.exe
2028	smss.exe
2280	smss.exe
1828	smss.exe
2808	smss.exe
2520	smss.exe
1600	smss.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2256	d1ec8c3742e4e01173d709df1353dc5d.exe
Token: SeDebugPrivilege	860	smss.exe
Token: SeDebugPrivilege	1600	smss.exe
Token: SeDebugPrivilege	2408	smss.exe
Token: SeDebugPrivilege	1136	smss.exe
Token: SeDebugPrivilege	2712	smss.exe
Token: SeDebugPrivilege	2364	smss.exe
Token: SeDebugPrivilege	2028	smss.exe
Token: SeDebugPrivilege	2280	smss.exe
Token: SeDebugPrivilege	1828	smss.exe
Token: SeDebugPrivilege	2808	smss.exe
Token: SeDebugPrivilege	2520	smss.exe
Token: SeDebugPrivilege	1600	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2896	2256	d1ec8c3742e4e01173d709df1353dc5d.exe	44
PID 2256 wrote to memory of 2896	2256	d1ec8c3742e4e01173d709df1353dc5d.exe	44
PID 2256 wrote to memory of 2896	2256	d1ec8c3742e4e01173d709df1353dc5d.exe	44
PID 2896 wrote to memory of 1508	2896	cmd.exe	46
PID 2896 wrote to memory of 1508	2896	cmd.exe	46
PID 2896 wrote to memory of 1508	2896	cmd.exe	46
PID 2896 wrote to memory of 860	2896	cmd.exe	47
PID 2896 wrote to memory of 860	2896	cmd.exe	47
PID 2896 wrote to memory of 860	2896	cmd.exe	47
PID 860 wrote to memory of 2196	860	smss.exe	48
PID 860 wrote to memory of 2196	860	smss.exe	48
PID 860 wrote to memory of 2196	860	smss.exe	48
PID 860 wrote to memory of 236	860	smss.exe	49
PID 860 wrote to memory of 236	860	smss.exe	49
PID 860 wrote to memory of 236	860	smss.exe	49
PID 2196 wrote to memory of 1600	2196	WScript.exe	50
PID 2196 wrote to memory of 1600	2196	WScript.exe	50
PID 2196 wrote to memory of 1600	2196	WScript.exe	50
PID 1600 wrote to memory of 1888	1600	smss.exe	51
PID 1600 wrote to memory of 1888	1600	smss.exe	51
PID 1600 wrote to memory of 1888	1600	smss.exe	51
PID 1600 wrote to memory of 2372	1600	smss.exe	52
PID 1600 wrote to memory of 2372	1600	smss.exe	52
PID 1600 wrote to memory of 2372	1600	smss.exe	52
PID 1888 wrote to memory of 2408	1888	WScript.exe	53
PID 1888 wrote to memory of 2408	1888	WScript.exe	53
PID 1888 wrote to memory of 2408	1888	WScript.exe	53
PID 2408 wrote to memory of 1572	2408	smss.exe	54
PID 2408 wrote to memory of 1572	2408	smss.exe	54
PID 2408 wrote to memory of 1572	2408	smss.exe	54
PID 2408 wrote to memory of 2100	2408	smss.exe	55
PID 2408 wrote to memory of 2100	2408	smss.exe	55
PID 2408 wrote to memory of 2100	2408	smss.exe	55
PID 1572 wrote to memory of 1136	1572	WScript.exe	56
PID 1572 wrote to memory of 1136	1572	WScript.exe	56
PID 1572 wrote to memory of 1136	1572	WScript.exe	56
PID 1136 wrote to memory of 1644	1136	smss.exe	57
PID 1136 wrote to memory of 1644	1136	smss.exe	57
PID 1136 wrote to memory of 1644	1136	smss.exe	57
PID 1136 wrote to memory of 1984	1136	smss.exe	58
PID 1136 wrote to memory of 1984	1136	smss.exe	58
PID 1136 wrote to memory of 1984	1136	smss.exe	58
PID 1644 wrote to memory of 2712	1644	WScript.exe	59
PID 1644 wrote to memory of 2712	1644	WScript.exe	59
PID 1644 wrote to memory of 2712	1644	WScript.exe	59
PID 2712 wrote to memory of 2484	2712	smss.exe	60
PID 2712 wrote to memory of 2484	2712	smss.exe	60
PID 2712 wrote to memory of 2484	2712	smss.exe	60
PID 2712 wrote to memory of 1748	2712	smss.exe	61
PID 2712 wrote to memory of 1748	2712	smss.exe	61
PID 2712 wrote to memory of 1748	2712	smss.exe	61
PID 2484 wrote to memory of 2364	2484	WScript.exe	62
PID 2484 wrote to memory of 2364	2484	WScript.exe	62
PID 2484 wrote to memory of 2364	2484	WScript.exe	62
PID 2364 wrote to memory of 1604	2364	smss.exe	63
PID 2364 wrote to memory of 1604	2364	smss.exe	63
PID 2364 wrote to memory of 1604	2364	smss.exe	63
PID 2364 wrote to memory of 1528	2364	smss.exe	64
PID 2364 wrote to memory of 1528	2364	smss.exe	64
PID 2364 wrote to memory of 1528	2364	smss.exe	64
PID 1604 wrote to memory of 2028	1604	WScript.exe	65
PID 1604 wrote to memory of 2028	1604	WScript.exe	65
PID 1604 wrote to memory of 2028	1604	WScript.exe	65
PID 2028 wrote to memory of 2348	2028	smss.exe	66

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d1ec8c3742e4e01173d709df1353dc5d.exe
"C:\Users\Admin\AppData\Local\Temp\d1ec8c3742e4e01173d709df1353dc5d.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9aSt0P4zas.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1508
- - C:\Program Files\Common Files\System\msadc\ja-JP\smss.exe
    "C:\Program Files\Common Files\System\msadc\ja-JP\smss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65d87b70-5ae0-40ef-91e7-2dd294e94da7.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2196
    - - C:\Program Files\Common Files\System\msadc\ja-JP\smss.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\smss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1600
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d1c7701-9c91-4872-ada9-3b3fa14b5d23.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Program Files\Common Files\System\msadc\ja-JP\smss.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\smss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\942d964b-0d9f-4deb-9e1c-9ca2be8377e6.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Program Files\Common Files\System\msadc\ja-JP\smss.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\smss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70a3a99e-6240-4bc3-8800-a799b2bc8ac2.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Program Files\Common Files\System\msadc\ja-JP\smss.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\smss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f3289f0-8341-49ca-85cd-fc209bc69e58.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Program Files\Common Files\System\msadc\ja-JP\smss.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\smss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e55719f-9638-4550-9d1f-8516e3a198b3.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Program Files\Common Files\System\msadc\ja-JP\smss.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\smss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5dc3d58d-88e8-4ded-a1b3-420e36c1ceaf.vbs"
        16⤵
        
        PID:2348
        
        C:\Program Files\Common Files\System\msadc\ja-JP\smss.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\smss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fabb1d66-0338-481f-bca1-60fe3501fd4f.vbs"
        18⤵
        
        PID:2884
        
        C:\Program Files\Common Files\System\msadc\ja-JP\smss.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\smss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\564e7453-a53e-4d51-af58-15ca225fbb5a.vbs"
        20⤵
        
        PID:1624
        
        C:\Program Files\Common Files\System\msadc\ja-JP\smss.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\smss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edcfdcb1-ba32-47f6-967a-901545007c50.vbs"
        22⤵
        
        PID:2800
        
        C:\Program Files\Common Files\System\msadc\ja-JP\smss.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\smss.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bc50ab9-1abf-4d10-ad72-449485e423a8.vbs"
        24⤵
        
        PID:2036
        
        C:\Program Files\Common Files\System\msadc\ja-JP\smss.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\smss.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3f47583-50f1-49ac-aa25-b3fc499fe61b.vbs"
        24⤵
        
        PID:1696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8818be4-20ea-406a-9071-c0fb8794c19d.vbs"
        22⤵
        
        PID:1112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9c0228d-c68c-4ac4-819c-a270bb182a0d.vbs"
        20⤵
        
        PID:2756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8db3d72-fc67-4c8b-a750-006e194d61c7.vbs"
        18⤵
        
        PID:2504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\255d325e-6829-40c0-bf1b-ab960d383e99.vbs"
        16⤵
        
        PID:1888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d82a129-a836-4f68-b7da-0775e89c67c1.vbs"
        14⤵
        
        PID:1528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78d2cb42-9d61-489c-83e6-de7524427232.vbs"
        12⤵
        
        PID:1748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67d76d54-6b9f-4285-8b1c-94870f561cbb.vbs"
        10⤵
        
        PID:1984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a5b41b2-10be-4596-af2d-18c0fa1dd06f.vbs"
        8⤵
        
        PID:2100
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\faec06b1-9e93-44fb-ba60-002c5e398943.vbs"
        6⤵
        
        PID:2372
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ccf37791-6349-4f5d-8d6f-d3699e10b333.vbs"
      4⤵
      PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\System\msadc\ja-JP\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\msadc\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\System\msadc\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2e55719f-9638-4550-9d1f-8516e3a198b3.vbs

Filesize
733B

MD5
55dfa79a30e56fa66e1dfe7ed8053d34

SHA1
6d40c7f6fe9dc7b1baced982b9f9c7bd143f4bef

SHA256
f6dd1f6ae94ff091eaa4455a2866dc59247d6959d7c1e05a5d63a64ff324e4ca

SHA512
eddfb2a81a240ca5044a1850e957b4efe92fe9b3644de4894302fa3b893b66355adf7a2509dd93f9bbb17551ba2398d54b827b49f5ea5e5b2dc05cf24218224c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f3289f0-8341-49ca-85cd-fc209bc69e58.vbs

Filesize
733B

MD5
4d9917c978576d3f67a6db578cd040f8

SHA1
df04796768caed0c232859a491f1d5fae5b316b2

SHA256
89431e1bc09c85121f08aa9726eee8acc4eee61f824796d0debdaaaa289b142f

SHA512
7d768cddb05db1539474bd8b136a3e87f03e6dd96c16c0fba5bd003e054b5d9864ce051256a037eac77cd66351bf5a2e8f03f4d51cabf39113004db522043963

Download Submit
C:\Users\Admin\AppData\Local\Temp\564e7453-a53e-4d51-af58-15ca225fbb5a.vbs

Filesize
733B

MD5
59a9529efef298c8a9737c596d8f8927

SHA1
6c0905f2705f17650be1b1182a28b080946b7398

SHA256
c3b04bb3dbe66d809a5d39ced51883cef2d9e2e93c2044f1372e38974576eaae

SHA512
214ea55b540191c8de3cd3ee6c53baf719ca7e0594f1f53783b65d49fc7bc7dc6e3de1b6131cd8f39526022167a1ce6b661e98bced825733f5662c63761edc1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d1c7701-9c91-4872-ada9-3b3fa14b5d23.vbs

Filesize
733B

MD5
cdd1d370d44d87125e9ddd0ad8dd3879

SHA1
9eb0086310d2e7fc788353b57e2df75d26c0149c

SHA256
5c8ca2525e166d18a87bb9256c7b35ca5c728844af62e1ee063c1b4a22756bf4

SHA512
d202f9d83cbdf854b2b83de95bd2f06a058a95eb52495dbc8abb4db9f473028cf5b8bf12a00bdb1e78f112745b7b1562cb7945a9c0449c65a1e7df17e2c0118f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5dc3d58d-88e8-4ded-a1b3-420e36c1ceaf.vbs

Filesize
733B

MD5
45c940afbea411068dc8183709ca8c93

SHA1
96ab54e3b253318dc035d235e07b1f3bcec3285b

SHA256
9ff658f981af9d5ed12a3e8ecb51f4e59d62d781c0b378199145784aa7a413a1

SHA512
27d3007988c0d2b0c1bc48607f7bdcdfab4ea6a91c8ad3631a8dbc33ff8e5687f39e2d3e7b09466f1cfac6ead8d89725fbc0c63129e897916692c2ebe3c742e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\65d87b70-5ae0-40ef-91e7-2dd294e94da7.vbs

Filesize
732B

MD5
a2f8ee4b9b912b5a6837d5ce1b50adcd

SHA1
7a6d77e2a219b52ef7b9c2086ed2283f08461cd9

SHA256
ad2cf85984cb2a812f330ae626bdbbeed08293fe54f1ebee1fc35542f1b9524c

SHA512
423492375c9f341573e2865ea81535348690f306d3fe03ae9ce77f9c3078caa2ea6e05667e662872fa931183db141f539859dc8dcae2bc2e7681c7e9ea9367aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bc50ab9-1abf-4d10-ad72-449485e423a8.vbs

Filesize
733B

MD5
10e77da9a95a9490447ff41c2af16999

SHA1
142a70a4482a3b36b52a446e0f549f1dff12c69c

SHA256
a49bffb7da59982aea7bfc1d5363f0e46fc6bc0c9bca30826dc064de0e552432

SHA512
cfb0a5df09069fa41ec8e4b48a38dfc0ec74ce549dff59f5dbc62c328e10ee3ff47865e49c75cca2787a1b51ae78fa4c9a376308192e5569d48b735c3501c075

Download Submit
C:\Users\Admin\AppData\Local\Temp\70a3a99e-6240-4bc3-8800-a799b2bc8ac2.vbs

Filesize
733B

MD5
142d6be10224944aa7482e4ecb0f7e2e

SHA1
f6dda96e549779770fc68f8be937a16d207e6f78

SHA256
9f54d3d1e3f42d5180df7781cd2a86a8544fb54d53b75c31e9ad11154058b075

SHA512
db737709cab8f7dfc146e8d24b622e46238eef07426e78a5d2bd2ad542e75699c1f5ea5c80a04e23a703fd2ebf7a5c59a4f69df5b0badee18b85328f46aba09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\942d964b-0d9f-4deb-9e1c-9ca2be8377e6.vbs

Filesize
733B

MD5
5226a633b3cc23dbc110a8f617587a14

SHA1
5b5a717747270c9405e8387ac7e197495a5e29c2

SHA256
4bae5c22b76f569bfcef33c5a682e7b087edb6ea9e657ee822b53ad0982a4d14

SHA512
e02c61c9a2277dae523696f07a03829a3b95a1e847cf1829a403960e7d82259eb6e3b8fa67a4ea0edf156516e01066365c88f1f55acf547ef1d1146c888278fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\9aSt0P4zas.bat

Filesize
222B

MD5
d430ca9a506b1990ee142e656b418dcb

SHA1
41acd53f33f6eee59a61c16cf4efb6b405df2477

SHA256
d6447038055f70e889ab8a2715507ea3bd879addb7e237afe6e772dc1d3a9741

SHA512
3ab10328571218e13a5e8863bb1f8b963a27a3459fda55136be06848942d8f42302110fc2eecfca08c2bd415eb1098926b5d415092be4842aa2087f706e1a60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXE36D.tmp

Filesize
885KB

MD5
d1ec8c3742e4e01173d709df1353dc5d

SHA1
30c91b20f0ced765718860cbb2a9f39ca19cf20b

SHA256
e50d685dc91548b2786aaff53e3b0e3a0779a6e41304a59607c042a2ad12482d

SHA512
1ba0dc8ff62291ca5d6213a1b7b6e473ee34b3b5dd5e56d6e6880c9a954f4682144785bd43f5e0e357913e465f53b9e78424dc8bb4146b479303597ecd2e3b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccf37791-6349-4f5d-8d6f-d3699e10b333.vbs

Filesize
509B

MD5
c9596f2dcb353cfb49f27c391807f63d

SHA1
394177511925153daabfc22f613e2b59bcdb1c29

SHA256
61a09045139a85b34dba19496ca42649dbb323c59818c9aada879423f409a3d3

SHA512
1e4fa03c7a3aa30563f56241f5283a6d8a10408f59b949c728937f1bf108f5a5a1087767b8effb1616c03b6e3f171124ef4cdd211280a61567dc52b4f2ac2884

Download Submit
C:\Users\Admin\AppData\Local\Temp\edcfdcb1-ba32-47f6-967a-901545007c50.vbs

Filesize
733B

MD5
99f9daefec1c7cddf78c62731c5fbb30

SHA1
af97311fea9313c00d130a757930aca0c66e19e9

SHA256
cdf9cd08074b2609f08c6439295dabb657923e6b8a5051fba47859f53aa02111

SHA512
85c7de1608b2b8c04ab20387ee2382f2680b199d3ab6ceb1ea8c71107d670cfd72b861405106819a32dd9f0f82376385c3cf221f453c1cfc244ad7ada04ec055

Download Submit
C:\Users\Admin\AppData\Local\Temp\fabb1d66-0338-481f-bca1-60fe3501fd4f.vbs

Filesize
733B

MD5
261079a2622269fa930c413be7728585

SHA1
3fd61ff58c2fa21034850497248784186d226adb

SHA256
0562663c8d1ee9420b6de7a8109f38f15517bf39e4babbf7ac97ceb04ff06a2b

SHA512
bddf394323deddca6b2d9deff3bc8a1806f125348fe9ca3cb8ca5492de4313542b5be1eea1d9bfad6219db66f00f851e8591acbbaa5ea3933e7ab4de65bd254c

Download Submit
memory/860-76-0x0000000000960000-0x0000000000A44000-memory.dmp

Filesize
912KB

Download
memory/1136-111-0x0000000000F20000-0x0000000001004000-memory.dmp

Filesize
912KB

Download
memory/1600-87-0x00000000000E0000-0x00000000001C4000-memory.dmp

Filesize
912KB

Download
memory/1600-205-0x0000000000140000-0x0000000000224000-memory.dmp

Filesize
912KB

Download
memory/1828-170-0x00000000001E0000-0x00000000002C4000-memory.dmp

Filesize
912KB

Download
memory/2028-147-0x00000000010D0000-0x00000000011B4000-memory.dmp

Filesize
912KB

Download
memory/2256-8-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/2256-4-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2256-1-0x00000000012C0000-0x00000000013A4000-memory.dmp

Filesize
912KB

Download
memory/2256-73-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2256-2-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2256-9-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2256-0-0x000007FEF53E3000-0x000007FEF53E4000-memory.dmp

Filesize
4KB

Download
memory/2256-7-0x0000000000430000-0x000000000043E000-memory.dmp

Filesize
56KB

Download
memory/2256-6-0x0000000000200000-0x000000000020A000-memory.dmp

Filesize
40KB

Download
memory/2256-5-0x0000000000410000-0x0000000000426000-memory.dmp

Filesize
88KB

Download
memory/2256-3-0x00000000001D0000-0x00000000001EC000-memory.dmp

Filesize
112KB

Download
memory/2364-135-0x0000000000320000-0x0000000000404000-memory.dmp

Filesize
912KB

Download
memory/2408-99-0x0000000000A30000-0x0000000000B14000-memory.dmp

Filesize
912KB

Download
memory/2712-123-0x0000000001270000-0x0000000001354000-memory.dmp

Filesize
912KB

Download
memory/2808-182-0x0000000001130000-0x0000000001214000-memory.dmp

Filesize
912KB

Download