dcrat | ce63ae9069832ff3b0f2eb76b384c40cd8b70987280d4cc07559493a2b5c04ff

Analysis

max time kernel
155s
max time network
174s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cf97069999c57b9ff02fc34f4efbe8e.exe
Size

885KB
MD5

4cf97069999c57b9ff02fc34f4efbe8e
SHA1

c22915791d667d801d2931538432a27d61294bd2
SHA256

bf2520c5a62515ec02d2bb261460be7aa67d9983cdd5fa835c5124a215a900cb
SHA512

b3baa564a6a10d4f48e0b4c1154c4220978ead57c5d9dedb8095a8386abbc18ce06fef25cae94b1633f438144b102cb5a1ffcfa1f7a3ad20b132eaa1678e0ddb
SSDEEP

12288:8lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:8lNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2840	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2840	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2840	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2840	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2840	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2840	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2840	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	2840	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	2840	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	2840	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2840	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2840	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2840	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2840	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2840	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2840	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2840	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2840	schtasks.exe	29

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral19/memory/2160-1-0x0000000000C10000-0x0000000000CF4000-memory.dmp	dcrat
behavioral19/files/0x000500000001a49a-18.dat	dcrat
behavioral19/files/0x000500000001c6d4-68.dat	dcrat
behavioral19/files/0x000500000001c6ee-78.dat	dcrat
behavioral19/memory/2420-100-0x0000000001060000-0x0000000001144000-memory.dmp	dcrat
behavioral19/memory/2728-122-0x00000000012D0000-0x00000000013B4000-memory.dmp	dcrat
behavioral19/memory/2928-134-0x0000000000110000-0x00000000001F4000-memory.dmp	dcrat
behavioral19/memory/2504-146-0x0000000000C90000-0x0000000000D74000-memory.dmp	dcrat
behavioral19/memory/2644-158-0x0000000000E90000-0x0000000000F74000-memory.dmp	dcrat
behavioral19/memory/2880-169-0x0000000000020000-0x0000000000104000-memory.dmp	dcrat
behavioral19/memory/2692-181-0x0000000001100000-0x00000000011E4000-memory.dmp	dcrat

Executes dropped EXE 8 IoCs

pid	Process
2420	smss.exe
3008	smss.exe
2728	smss.exe
2928	smss.exe
2504	smss.exe
2644	smss.exe
2880	smss.exe
2692	smss.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Reference Assemblies\System.exe	4cf97069999c57b9ff02fc34f4efbe8e.exe
File created	C:\Program Files (x86)\Reference Assemblies\27d1bcfc3c54e0	4cf97069999c57b9ff02fc34f4efbe8e.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\taskhost.exe	4cf97069999c57b9ff02fc34f4efbe8e.exe
File created	C:\Program Files\Windows Portable Devices\smss.exe	4cf97069999c57b9ff02fc34f4efbe8e.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXF360.tmp	4cf97069999c57b9ff02fc34f4efbe8e.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXF371.tmp	4cf97069999c57b9ff02fc34f4efbe8e.exe
File created	C:\Program Files (x86)\Reference Assemblies\System.exe	4cf97069999c57b9ff02fc34f4efbe8e.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\b75386f1303e64	4cf97069999c57b9ff02fc34f4efbe8e.exe
File created	C:\Program Files\Windows Portable Devices\69ddcba757bf72	4cf97069999c57b9ff02fc34f4efbe8e.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\RCXF1B1.tmp	4cf97069999c57b9ff02fc34f4efbe8e.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\RCXF1B2.tmp	4cf97069999c57b9ff02fc34f4efbe8e.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\RCXF1F5.tmp	4cf97069999c57b9ff02fc34f4efbe8e.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\RCXF283.tmp	4cf97069999c57b9ff02fc34f4efbe8e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
672	schtasks.exe
2756	schtasks.exe
2568	schtasks.exe
1852	schtasks.exe
1884	schtasks.exe
2436	schtasks.exe
2748	schtasks.exe
2676	schtasks.exe
564	schtasks.exe
2616	schtasks.exe
2428	schtasks.exe
2768	schtasks.exe
2940	schtasks.exe
2736	schtasks.exe
336	schtasks.exe
2996	schtasks.exe
2936	schtasks.exe
1168	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2160	4cf97069999c57b9ff02fc34f4efbe8e.exe
2420	smss.exe
3008	smss.exe
2728	smss.exe
2928	smss.exe
2504	smss.exe
2644	smss.exe
2880	smss.exe
2692	smss.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2160	4cf97069999c57b9ff02fc34f4efbe8e.exe
Token: SeDebugPrivilege	2420	smss.exe
Token: SeDebugPrivilege	3008	smss.exe
Token: SeDebugPrivilege	2728	smss.exe
Token: SeDebugPrivilege	2928	smss.exe
Token: SeDebugPrivilege	2504	smss.exe
Token: SeDebugPrivilege	2644	smss.exe
Token: SeDebugPrivilege	2880	smss.exe
Token: SeDebugPrivilege	2692	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 1596	2160	4cf97069999c57b9ff02fc34f4efbe8e.exe	48
PID 2160 wrote to memory of 1596	2160	4cf97069999c57b9ff02fc34f4efbe8e.exe	48
PID 2160 wrote to memory of 1596	2160	4cf97069999c57b9ff02fc34f4efbe8e.exe	48
PID 1596 wrote to memory of 2564	1596	cmd.exe	50
PID 1596 wrote to memory of 2564	1596	cmd.exe	50
PID 1596 wrote to memory of 2564	1596	cmd.exe	50
PID 1596 wrote to memory of 2420	1596	cmd.exe	51
PID 1596 wrote to memory of 2420	1596	cmd.exe	51
PID 1596 wrote to memory of 2420	1596	cmd.exe	51
PID 2420 wrote to memory of 1956	2420	smss.exe	52
PID 2420 wrote to memory of 1956	2420	smss.exe	52
PID 2420 wrote to memory of 1956	2420	smss.exe	52
PID 2420 wrote to memory of 964	2420	smss.exe	53
PID 2420 wrote to memory of 964	2420	smss.exe	53
PID 2420 wrote to memory of 964	2420	smss.exe	53
PID 1956 wrote to memory of 3008	1956	WScript.exe	54
PID 1956 wrote to memory of 3008	1956	WScript.exe	54
PID 1956 wrote to memory of 3008	1956	WScript.exe	54
PID 3008 wrote to memory of 1492	3008	smss.exe	55
PID 3008 wrote to memory of 1492	3008	smss.exe	55
PID 3008 wrote to memory of 1492	3008	smss.exe	55
PID 3008 wrote to memory of 1248	3008	smss.exe	56
PID 3008 wrote to memory of 1248	3008	smss.exe	56
PID 3008 wrote to memory of 1248	3008	smss.exe	56
PID 1492 wrote to memory of 2728	1492	WScript.exe	57
PID 1492 wrote to memory of 2728	1492	WScript.exe	57
PID 1492 wrote to memory of 2728	1492	WScript.exe	57
PID 2728 wrote to memory of 336	2728	smss.exe	58
PID 2728 wrote to memory of 336	2728	smss.exe	58
PID 2728 wrote to memory of 336	2728	smss.exe	58
PID 2728 wrote to memory of 2920	2728	smss.exe	59
PID 2728 wrote to memory of 2920	2728	smss.exe	59
PID 2728 wrote to memory of 2920	2728	smss.exe	59
PID 336 wrote to memory of 2928	336	WScript.exe	60
PID 336 wrote to memory of 2928	336	WScript.exe	60
PID 336 wrote to memory of 2928	336	WScript.exe	60
PID 2928 wrote to memory of 2140	2928	smss.exe	61
PID 2928 wrote to memory of 2140	2928	smss.exe	61
PID 2928 wrote to memory of 2140	2928	smss.exe	61
PID 2928 wrote to memory of 2860	2928	smss.exe	62
PID 2928 wrote to memory of 2860	2928	smss.exe	62
PID 2928 wrote to memory of 2860	2928	smss.exe	62
PID 2140 wrote to memory of 2504	2140	WScript.exe	63
PID 2140 wrote to memory of 2504	2140	WScript.exe	63
PID 2140 wrote to memory of 2504	2140	WScript.exe	63
PID 2504 wrote to memory of 2424	2504	smss.exe	64
PID 2504 wrote to memory of 2424	2504	smss.exe	64
PID 2504 wrote to memory of 2424	2504	smss.exe	64
PID 2504 wrote to memory of 1720	2504	smss.exe	65
PID 2504 wrote to memory of 1720	2504	smss.exe	65
PID 2504 wrote to memory of 1720	2504	smss.exe	65
PID 2424 wrote to memory of 2644	2424	WScript.exe	66
PID 2424 wrote to memory of 2644	2424	WScript.exe	66
PID 2424 wrote to memory of 2644	2424	WScript.exe	66
PID 2644 wrote to memory of 2112	2644	smss.exe	67
PID 2644 wrote to memory of 2112	2644	smss.exe	67
PID 2644 wrote to memory of 2112	2644	smss.exe	67
PID 2644 wrote to memory of 2636	2644	smss.exe	68
PID 2644 wrote to memory of 2636	2644	smss.exe	68
PID 2644 wrote to memory of 2636	2644	smss.exe	68
PID 2880 wrote to memory of 2768	2880	smss.exe	70
PID 2880 wrote to memory of 2768	2880	smss.exe	70
PID 2880 wrote to memory of 2768	2880	smss.exe	70
PID 2880 wrote to memory of 1660	2880	smss.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4cf97069999c57b9ff02fc34f4efbe8e.exe
"C:\Users\Admin\AppData\Local\Temp\4cf97069999c57b9ff02fc34f4efbe8e.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jtvgn0Xmse.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2564
- - C:\Program Files\Windows Portable Devices\smss.exe
    "C:\Program Files\Windows Portable Devices\smss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b6b0db3-e42b-4c4c-be29-3ad9f61ddfa6.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1956
    - - C:\Program Files\Windows Portable Devices\smss.exe
        
        "C:\Program Files\Windows Portable Devices\smss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3008
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5527b42-24d7-42b7-a906-c75cebe016f7.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Program Files\Windows Portable Devices\smss.exe
        
        "C:\Program Files\Windows Portable Devices\smss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab0d4c42-5a69-43a4-baf2-33ae8a167a6a.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Program Files\Windows Portable Devices\smss.exe
        
        "C:\Program Files\Windows Portable Devices\smss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ce072fd-c499-4cfe-83d9-d31acc36fad5.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Program Files\Windows Portable Devices\smss.exe
        
        "C:\Program Files\Windows Portable Devices\smss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b0e75f3-5890-4ffb-803d-612f8f9e4659.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Program Files\Windows Portable Devices\smss.exe
        
        "C:\Program Files\Windows Portable Devices\smss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e979abd-eebd-4b6c-b67f-16f4b023e504.vbs"
        14⤵
        
        PID:2112
        
        C:\Program Files\Windows Portable Devices\smss.exe
        
        "C:\Program Files\Windows Portable Devices\smss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10bd89e9-291e-4ff3-9d13-c32d43e7aece.vbs"
        16⤵
        
        PID:2768
        
        C:\Program Files\Windows Portable Devices\smss.exe
        
        "C:\Program Files\Windows Portable Devices\smss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35e92ff3-bc47-47e6-9c5a-e95fab9afad9.vbs"
        18⤵
        
        PID:1852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3355436e-c8eb-41b9-b62c-e8cc73750e8c.vbs"
        18⤵
        
        PID:1688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96b51b6b-f8e1-42a7-b942-1880efc6c11c.vbs"
        16⤵
        
        PID:1660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\826c7da3-f52b-47eb-8bf4-4101b3dbbc98.vbs"
        14⤵
        
        PID:2636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68c73e87-dca4-4ae4-b607-48625163d03b.vbs"
        12⤵
        
        PID:1720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09db2132-e47a-42cf-87bc-7df9a7f30ccc.vbs"
        10⤵
        
        PID:2860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c4b3d91-db02-480b-86d8-0086b441f925.vbs"
        8⤵
        
        PID:2920
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66ced2f8-ea26-447e-9499-57df58eece70.vbs"
        6⤵
        
        PID:1248
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a54f61a-ffd7-4d37-9c32-4ceb06381795.vbs"
      4⤵
      PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4cf97069999c57b9ff02fc34f4efbe8e4" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\4cf97069999c57b9ff02fc34f4efbe8e.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4cf97069999c57b9ff02fc34f4efbe8e" /sc ONLOGON /tr "'C:\Users\Admin\4cf97069999c57b9ff02fc34f4efbe8e.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4cf97069999c57b9ff02fc34f4efbe8e4" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\4cf97069999c57b9ff02fc34f4efbe8e.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Documents\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Media Player\Network Sharing\taskhost.exe

Filesize
885KB

MD5
e9982ac3105df752334f162391a3a44a

SHA1
07717964ae89f102708f3c7ab321ef1931658042

SHA256
eab9e121e341d77613ef34840df41060b02a17042142b5d3962cdc34a86f88e9

SHA512
9e94e03a454c03a92ed3f8023f68c16a8230cc28499678266088058dda38f0234e9caa8937e94a081e36c05fdfdbc93dadfafe304d2ff0a608b783a3628d2bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b6b0db3-e42b-4c4c-be29-3ad9f61ddfa6.vbs

Filesize
726B

MD5
3fef91707b79aac77817ea2d59b0643d

SHA1
daefb93881181541e5c33ceb45918a76f6e26307

SHA256
49aa39ee8020e1ae838e1123269a1991c54877c20e69a67befbbd5cd3b24538c

SHA512
50ce323db1fe991fd31f6a29d05f01f6128b630328e69b012adc6e33e8e9fa348620d4fa3fa036a495177cd6d7f17e7ec1cf373bdb433c8e1e4528fd561f12f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10bd89e9-291e-4ff3-9d13-c32d43e7aece.vbs

Filesize
726B

MD5
33aff63c0511a7edf238d0017fad74b3

SHA1
e9de72d76261e4d1b1a6b2914919bda49db2a85f

SHA256
34524e3f3ccf75dd4d439bf10564fc06588f132faaa4f71e258290171a239744

SHA512
9aa68608baaa9b187e35653dfab0a41997970e0c59946ad8f24e49b1764735832063d07dac98ed626b2ed92b4c08d823ee7673a219a70d8203f13a441c605a6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\35e92ff3-bc47-47e6-9c5a-e95fab9afad9.vbs

Filesize
726B

MD5
770e4d5689f377ac0b2f59d7c44f19cc

SHA1
8b9552aab95dae51e4d3f6af55053bbb7b651244

SHA256
39fd91371a9872679d2eda669b1d06d938fcd75000584fe397995833cc9e55e2

SHA512
fc67ee6690fb250007780974cef5f4051447f40328a2a96eee781dea0e9b78496178faa9f8652b16f6221b6938113ae1e577ba300cfb036fe70ee40c202397d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b0e75f3-5890-4ffb-803d-612f8f9e4659.vbs

Filesize
726B

MD5
9f97a06582cfb2bc6710d91bdf81fa6f

SHA1
421b5bc539ded4897b4908efefacff24dd1c5dc5

SHA256
a08ed085eef3db6726a7bd66b3e720a13cb724e8e03c451ef889fcb6a15fdc38

SHA512
c90c01034c7d7e8feadde871d7524490b071bed992346e9435f429e84397a3340dd7b7767fba58ad125a91377383770ecc05c56dc0c4fe4bba8a299d6da5c7d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a54f61a-ffd7-4d37-9c32-4ceb06381795.vbs

Filesize
502B

MD5
94f15bf762369b4cdea160c2ea9d840a

SHA1
d891957aefd6251e0fbc5f91935520013acab34a

SHA256
d298f4909ed78ef0f7addb7d057c936d0fe1e721038788dad0ea8562000a2722

SHA512
948c2107c9382634efb59484ad3a3461838dd21a8ac7b59df3c542bf111684f5f49ae7ee0dc4d48912dfafd5366601e7621c154f5d20ff04607f57521589c70e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ce072fd-c499-4cfe-83d9-d31acc36fad5.vbs

Filesize
726B

MD5
f7e33fd5f9a3ea398d1bc23b3dbb848f

SHA1
b8a73d8d135adfb3da014d7c8b886827226ec50d

SHA256
b757f8174be8656d6fe80c887e3b8d913438c37ffd1f28fe30c08c677a2ded47

SHA512
74a96a8da89912256424105cd0b0ff42892569efccad7c7a2063fcc47dae46461cd73f258ad694624804b6896a0a6544f8bcf4907283acec66ca1c8e2865aec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jtvgn0Xmse.bat

Filesize
215B

MD5
363c07757fb33995a451c031c224b101

SHA1
28d12e2277eebec2790c3108a34a80c029fa1cd5

SHA256
21baebb7b29299c37ca520f6af45b34ecc428e387bde1468f91d03926a3750ff

SHA512
a45915416ab74a06af128f6234410ca0b966d2b5579bef25ed8e394a484eab4b0977ff8b15ab6a6b7b78cd96146cf64a759ca132bb32bff6d8ab77326624366c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab0d4c42-5a69-43a4-baf2-33ae8a167a6a.vbs

Filesize
726B

MD5
044a47057b626e760f627ca1a4b9bcdb

SHA1
e2682b26fd7bfd939fd0e5a1f99e64289e527a61

SHA256
f3fcdc32d6470d0c295cd2486f5ee1674e632fd5ea7d412269a338af328ecadc

SHA512
24bb72c19bc60e79523d950da44c1eee97304eb00050a8021493270f1b86a1b5b2d3dcbe489efd7b308209fcda76bcb890ec2169082e37144531927cc8fba87d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5527b42-24d7-42b7-a906-c75cebe016f7.vbs

Filesize
726B

MD5
e802bf7d0cbadd58e71c2a2dcfa0c487

SHA1
50c7182f2eea38e055c4e721ff79bbe1166abf04

SHA256
d1848134fee8b38fc5d357329b659bc3e5cdff56e0ed7d53e13015fdd03e7bc0

SHA512
7350d4c7921c954e0a1bd969dab0b9e9c1c66c122ded166aebe38187a60fe6d3e38d8eb2cc6c4f13df94add8a4558657d642a3ab7ef2740be0ea7ca7440fde5d

Download Submit
C:\Users\Public\Documents\System.exe

Filesize
885KB

MD5
4cf97069999c57b9ff02fc34f4efbe8e

SHA1
c22915791d667d801d2931538432a27d61294bd2

SHA256
bf2520c5a62515ec02d2bb261460be7aa67d9983cdd5fa835c5124a215a900cb

SHA512
b3baa564a6a10d4f48e0b4c1154c4220978ead57c5d9dedb8095a8386abbc18ce06fef25cae94b1633f438144b102cb5a1ffcfa1f7a3ad20b132eaa1678e0ddb

Download Submit
C:\Users\Public\Documents\System.exe

Filesize
885KB

MD5
736bab32480ae4ee3121e49ed4cc13f9

SHA1
adfbe9a71eeb8adfc36b5055780426a36470d449

SHA256
7a823227d65ad1ab856348414a19cf29d9b4428a7c04093c30e9a943237114ef

SHA512
efaacb96f059d9625c6ed7424c686ed6fe25f5bd4b071fb9e3933e3ec7da0cff5247fd5a70ba768207ffafc8905e4a59bec2d686b75afffb6ad3930be7ba09e4

Download Submit
memory/2160-97-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2160-5-0x0000000000A20000-0x0000000000A36000-memory.dmp

Filesize
88KB

Download
memory/2160-0-0x000007FEF6253000-0x000007FEF6254000-memory.dmp

Filesize
4KB

Download
memory/2160-9-0x0000000000BF0000-0x0000000000BFC000-memory.dmp

Filesize
48KB

Download
memory/2160-8-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

Filesize
32KB

Download
memory/2160-6-0x0000000000A40000-0x0000000000A4A000-memory.dmp

Filesize
40KB

Download
memory/2160-1-0x0000000000C10000-0x0000000000CF4000-memory.dmp

Filesize
912KB

Download
memory/2160-7-0x0000000000A50000-0x0000000000A5E000-memory.dmp

Filesize
56KB

Download
memory/2160-2-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2160-4-0x0000000000A10000-0x0000000000A20000-memory.dmp

Filesize
64KB

Download
memory/2160-3-0x00000000009F0000-0x0000000000A0C000-memory.dmp

Filesize
112KB

Download
memory/2420-100-0x0000000001060000-0x0000000001144000-memory.dmp

Filesize
912KB

Download
memory/2504-146-0x0000000000C90000-0x0000000000D74000-memory.dmp

Filesize
912KB

Download
memory/2644-158-0x0000000000E90000-0x0000000000F74000-memory.dmp

Filesize
912KB

Download
memory/2692-181-0x0000000001100000-0x00000000011E4000-memory.dmp

Filesize
912KB

Download
memory/2728-122-0x00000000012D0000-0x00000000013B4000-memory.dmp

Filesize
912KB

Download
memory/2880-169-0x0000000000020000-0x0000000000104000-memory.dmp

Filesize
912KB

Download
memory/2928-134-0x0000000000110000-0x00000000001F4000-memory.dmp

Filesize
912KB

Download