dcrat | 59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573

Analysis

max time kernel
117s
max time network
149s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24/03/2025, 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe
Size

1.3MB
MD5

c4c3dda932f1f288a7091eb1b6bfcc8f
SHA1

63216a8fc66477860834a280b812b170863af11a
SHA256

59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573
SHA512

cf6ed58e0942d09663627a79464bf77eccedfa79082fe12724a2fc022edd56c2107fae25be23bc14c070354583e06335dad635974a6a2f9d74c80ec6ea35b269
SSDEEP

24576:mM0FvyGsOBDr8gCy5viNtXY91McnOTlRLzrwlKfPGGPwOQVC8+zJ:F0FvJzgSiNR5VzrwMfuG4OQ3+zJ

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	1308	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	1308	schtasks.exe	36

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000b000000012263-6.dat	dcrat
behavioral1/files/0x0007000000017466-29.dat	dcrat
behavioral1/memory/2864-30-0x0000000000BA0000-0x0000000000C76000-memory.dmp	dcrat
behavioral1/memory/1552-64-0x0000000000250000-0x0000000000326000-memory.dmp	dcrat

Executes dropped EXE 4 IoCs

pid	Process
2824	Snace.exe
2920	Змейка by ДК and AS.exe
2864	WebRuntimeDll.exe
1552	taskhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2728	cmd.exe
2728	cmd.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\taskhost.exe	WebRuntimeDll.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\b75386f1303e64	WebRuntimeDll.exe
File created	C:\Program Files\Internet Explorer\it-IT\lsass.exe	WebRuntimeDll.exe
File created	C:\Program Files\Internet Explorer\it-IT\6203df4a6bafc7	WebRuntimeDll.exe
File created	C:\Program Files\Windows NT\System.exe	WebRuntimeDll.exe
File created	C:\Program Files\Windows NT\27d1bcfc3c54e0	WebRuntimeDll.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\WmiPrvSE.exe	WebRuntimeDll.exe
File created	C:\Windows\L2Schemas\24dbde2999530e	WebRuntimeDll.exe
File created	C:\Windows\L2Schemas\lsm.exe	WebRuntimeDll.exe
File opened for modification	C:\Windows\L2Schemas\lsm.exe	WebRuntimeDll.exe
File created	C:\Windows\L2Schemas\101b941d020240	WebRuntimeDll.exe
File created	C:\Windows\AppPatch\Idle.exe	WebRuntimeDll.exe
File created	C:\Windows\AppPatch\6ccacd8608530f	WebRuntimeDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Змейка by ДК and AS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Snace.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2972	schtasks.exe
3052	schtasks.exe
2028	schtasks.exe
1468	schtasks.exe
1720	schtasks.exe
1704	schtasks.exe
1656	schtasks.exe
1108	schtasks.exe
2484	schtasks.exe
1584	schtasks.exe
396	schtasks.exe
1680	schtasks.exe
2988	schtasks.exe
1568	schtasks.exe
2284	schtasks.exe
2188	schtasks.exe
2636	schtasks.exe
1940	schtasks.exe
2500	schtasks.exe
1596	schtasks.exe
2168	schtasks.exe
1532	schtasks.exe
832	schtasks.exe
1860	schtasks.exe
1956	schtasks.exe
2416	schtasks.exe
2672	schtasks.exe
1884	schtasks.exe
2620	schtasks.exe
588	schtasks.exe
1172	schtasks.exe
844	schtasks.exe
1644	schtasks.exe
2756	schtasks.exe
3012	schtasks.exe
688	schtasks.exe
784	schtasks.exe
2668	schtasks.exe
2368	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2864	WebRuntimeDll.exe
2864	WebRuntimeDll.exe
2864	WebRuntimeDll.exe
2864	WebRuntimeDll.exe
2864	WebRuntimeDll.exe
1552	taskhost.exe
1552	taskhost.exe
1552	taskhost.exe
1552	taskhost.exe
1552	taskhost.exe
1552	taskhost.exe
1552	taskhost.exe
1552	taskhost.exe
1552	taskhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	WebRuntimeDll.exe
Token: SeDebugPrivilege	1552	taskhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2920	Змейка by ДК and AS.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2824	2568	59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe	30
PID 2568 wrote to memory of 2824	2568	59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe	30
PID 2568 wrote to memory of 2824	2568	59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe	30
PID 2568 wrote to memory of 2824	2568	59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe	30
PID 2568 wrote to memory of 2920	2568	59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe	31
PID 2568 wrote to memory of 2920	2568	59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe	31
PID 2568 wrote to memory of 2920	2568	59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe	31
PID 2568 wrote to memory of 2920	2568	59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe	31
PID 2824 wrote to memory of 2192	2824	Snace.exe	32
PID 2824 wrote to memory of 2192	2824	Snace.exe	32
PID 2824 wrote to memory of 2192	2824	Snace.exe	32
PID 2824 wrote to memory of 2192	2824	Snace.exe	32
PID 2192 wrote to memory of 2728	2192	WScript.exe	33
PID 2192 wrote to memory of 2728	2192	WScript.exe	33
PID 2192 wrote to memory of 2728	2192	WScript.exe	33
PID 2192 wrote to memory of 2728	2192	WScript.exe	33
PID 2728 wrote to memory of 2864	2728	cmd.exe	35
PID 2728 wrote to memory of 2864	2728	cmd.exe	35
PID 2728 wrote to memory of 2864	2728	cmd.exe	35
PID 2728 wrote to memory of 2864	2728	cmd.exe	35
PID 2864 wrote to memory of 1756	2864	WebRuntimeDll.exe	76
PID 2864 wrote to memory of 1756	2864	WebRuntimeDll.exe	76
PID 2864 wrote to memory of 1756	2864	WebRuntimeDll.exe	76
PID 1756 wrote to memory of 1624	1756	cmd.exe	78
PID 1756 wrote to memory of 1624	1756	cmd.exe	78
PID 1756 wrote to memory of 1624	1756	cmd.exe	78
PID 1756 wrote to memory of 1552	1756	cmd.exe	79
PID 1756 wrote to memory of 1552	1756	cmd.exe	79
PID 1756 wrote to memory of 1552	1756	cmd.exe	79

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe
"C:\Users\Admin\AppData\Local\Temp\59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Roaming\Snace.exe
  "C:\Users\Admin\AppData\Roaming\Snace.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\reviewWinrefperfsvc\NHaFmwJEQMsxRcKOggYq.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\reviewWinrefperfsvc\JyFFgHmHFgHO7gB8l.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\reviewWinrefperfsvc\WebRuntimeDll.exe
        
        "C:\reviewWinrefperfsvc\WebRuntimeDll.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QBOcYBAr9Y.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1624
        
        C:\Program Files (x86)\Windows Photo Viewer\en-US\taskhost.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\en-US\taskhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
- C:\Users\Admin\AppData\Roaming\Змейка by ДК and AS.exe
  "C:\Users\Admin\AppData\Roaming\Змейка by ДК and AS.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\L2Schemas\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\reviewWinrefperfsvc\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\reviewWinrefperfsvc\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\reviewWinrefperfsvc\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Змейка by ДК and ASЗ" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Змейка by ДК and AS.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Змейка by ДК and AS" /sc ONLOGON /tr "'C:\Users\Default User\Змейка by ДК and AS.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Змейка by ДК and ASЗ" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Змейка by ДК and AS.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\AppPatch\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\AppPatch\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\it-IT\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows NT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\L2Schemas\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QBOcYBAr9Y.bat

Filesize
227B

MD5
010d895f14d97e179eb392afa7e8a763

SHA1
972d9a14026d9a1283a90e8767595f2ed76033bd

SHA256
b8381d74d78aec447444d6d3de2b8d9cd2036621fc1e898f2d32af941655bbf4

SHA512
03a2ce17402904d13b19a8eeabc5001265ed23c6323a3289c21dc42a05f998b7f58d679e070c1fb2f7496a6c43fd43e8d7219d134d5808ee122bfae3af369485

Download Submit
C:\Users\Admin\AppData\Roaming\Snace.exe

Filesize
1.1MB

MD5
886ec8f57236b11553cbb8de98cf1b69

SHA1
f72c049fcd8baa73e74d70c79d3f3b3045b8cd90

SHA256
958a4807d4c38b89256f1094b72703e7bdec8ca424443e9db71cc271ec75200e

SHA512
6284b75c1f9f8b30926e5e1c6a2a0925ef2aeb5202ac706b9565a226199de6b249e5f01a523df96d79f943986a642d420ecf077590d8f03ceba060eb2fa36114

Download Submit
C:\Users\Admin\AppData\Roaming\Змейка by ДК and AS.exe

Filesize
204KB

MD5
89a940000e5a7562ca32fe47e62d9ab3

SHA1
5afb63a26e2ac622e265e1279323a349c71e0b2d

SHA256
819bca0c3d379cb4375fd72199957791edab39e76eeec2f3be403275009787e8

SHA512
2a3f1818ef815a9a5ce944621775c33774f748877fd7baf858d1224a1beba2aac707354356d717b2143e6ef2877ce63fd7e41a5d083fb3d93b9887452f466553

Download Submit
C:\reviewWinrefperfsvc\JyFFgHmHFgHO7gB8l.bat

Filesize
42B

MD5
3f6e29bbbf283829bb2dc00aeb600bfb

SHA1
064b543066405b411d9713fdc3d042bcebc6a984

SHA256
775dc60b73fa023ba0a7d4b394a4d911c74af2951e0f6379d337ee566a81cd2b

SHA512
9d8a79cbebd80bb4d7b37f8106b1556a06be25cb89d70593f1b4a1b2111a3088bc08b6115bef9db2df408d22f5dc06644abf6e4a5edcaff385c9f033a17e7865

Download Submit
C:\reviewWinrefperfsvc\NHaFmwJEQMsxRcKOggYq.vbe

Filesize
213B

MD5
60bb10e1b4c6be7987af6cdb164a2ea7

SHA1
452bd2a19a71b7b0138cebc399013e7fd5faf992

SHA256
139fcb96f7b9fce0dde74056a75940d5cd131571a1ce3005476efec24824df39

SHA512
09cc5f1de91462474618ce6bc9bf6fbc3f8e9961cc27548428d146f274570a7d8f5a6562d3f66f7fe874cdbd2ecc720f933b3122bb41b25415201e3a7275ec96

Download Submit
C:\reviewWinrefperfsvc\WebRuntimeDll.exe

Filesize
827KB

MD5
6307ea5399fdc7482c17c3ac5e287d13

SHA1
9861a738275262a084500d39743674a274c8a396

SHA256
8e1afc545da625009596890cb867865d1073ca7ac96efae987663305f53c3e3b

SHA512
369e88b1de6b0824e52253a25aed270bceb607265c7040e3324d8b323b719af6cbbc273f408ce9271005e424fa24be9d6db4a32b72a754b5bb2747a09ad97d42

Download Submit
memory/1552-64-0x0000000000250000-0x0000000000326000-memory.dmp

Filesize
856KB

Download
memory/2568-0-0x000007FEF6173000-0x000007FEF6174000-memory.dmp

Filesize
4KB

Download
memory/2568-1-0x0000000000DB0000-0x0000000000F0C000-memory.dmp

Filesize
1.4MB

Download
memory/2864-30-0x0000000000BA0000-0x0000000000C76000-memory.dmp

Filesize
856KB

Download